]>
git.koha-community.org Git - koha.git/commit
Bug 13510 - Cross site scripting bug in opac-downloadshelf and opac-shelves
A specially crafted url causes XSS in Koha
To test:
cgi-bin/koha/opac-shelves.pl?viewshelf=2%22%3E%3Cscript%3Eprompt(987898)%3C/script%3E
cgi-bin/koha/opac-downloadshelf.pl?shelfid=2%22%3Cscript%3Eprompt(1)%3C/script%3E&showprivateshelves
These should cause a popup without the patch. With the patch, no popup.
You may need to create these lists, the xss will not be triggered if the list doesn't exist or you don't
have permission to view them.
Signed-off-by: Chris <chris@bigballofwax.co.nz>
Fixes the two listed problems
Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>
Confirmed patch fixes the problem.
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Signed-off-by: Tomas Cohen Arazi <tomascohen@gmail.com>