]> git.koha-community.org Git - koha.git/commit
Bug 17114: Fix XSS in picture-upload.pl
authorJonathan Druart <jonathan.druart@bugs.koha-community.org>
Fri, 12 Aug 2016 09:42:28 +0000 (10:42 +0100)
committerKyle M Hall <kyle@bywatersolutions.com>
Thu, 15 Sep 2016 13:33:02 +0000 (13:33 +0000)
commitda03dbd458c59da0b9213efacd3425e89b453332
treee618c96cadf6829cce3db6bfccdf676ef7c43fb0
parenta9caebc288463689d6c2a732ee8b900a3ab34a21
Bug 17114: Fix XSS in picture-upload.pl

To reproduce:
1/ cp your_image.jpg 'test<svg onload=alert(1)>.jpg'
2/ Use the upload picture tool to upload this file
=> Without this patch, the alert is show
=> With this patch, the filename is correctly displayed and no alert

Note that the cardnumber var was not escaped neither, it's now.

Signed-off-by: Colin Campbell <colin.campbell@ptfs-europe.com>
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
koha-tmpl/intranet-tmpl/prog/en/modules/tools/picture-upload.tt