From 13e65432ce6f78c277835d5a5fe22fe99ed0b20c Mon Sep 17 00:00:00 2001 From: Katrin Fischer Date: Wed, 16 Aug 2017 12:59:13 +0200 Subject: [PATCH] Bug 19086: (follow-up) Fix Stored XSS in supplier.pl In preparation: Make sure you enter in all fields of a new vendor that are not validated and save. 1) Access vendor summary page. 2) Verify scripts are executed 3) Apply patch 4) Verify scripts are on longer executed This works in combination with the other patches for XSS on this bug. Signed-off-by: Marcel de Rooy Signed-off-by: Jonathan Druart
---
 .../intranet-tmpl/prog/en/modules/acqui/supplier.tt | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-)
diff --git a/koha-tmpl/intranet-tmpl/prog/en/modules/acqui/supplier.tt b/koha-tmpl/intranet-tmpl/prog/en/modules/acqui/supplier.tt
index a40e71586d..085875f4f2 100644
--- a/koha-tmpl/intranet-tmpl/prog/en/modules/acqui/supplier.tt
+++ b/koha-tmpl/intranet-tmpl/prog/en/modules/acqui/supplier.tt
@@ -57,7 +57,7 @@ [% END %] [% BLOCK show_contact %] -

[% contact.name %]

+

[% contact.name |html %]

Position: [% contact.position |html %]

Phone: [% contact.phone |html %]

Alternative phone: [% contact.altphone |html %]

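Review bot: The fix is applied one occurrence at a time (`[% contact.name |html %]` here, `[% name |html %]` in the hunks at -178 and -318), and nothing in the change prevents the next unfiltered `[% name %]` from being reintroduced; the manual steps in the commit message would be worth turning into a template test that asserts a stored `<script>` in the vendor and contact name fields is rendered escaped on this page. The `|html` filter is the right choice for the element text content shown in these hunks, but it only covers that context: if `name` or `contact.name` is also emitted inside an attribute, a URL or an inline script elsewhere in this file (not visible here), those sites need the context-appropriate escaping (`|uri` for URL parts, JSON encoding for script data) rather than `|html`. The hunk at -169 lost its changed line content in this rendering, so the title/header escaping it touches could not be checked from this page. If the template engine in use offers a default output filter, enabling it for this module would make the escaped form the default and the raw form the explicit exception.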
@@ -169,7 +169,7 @@ function delete_contact(ev) { [% INCLUDE 'header.inc' %] [% INCLUDE 'acquisitions-search.inc' %] - +
@@ -178,7 +178,7 @@ function delete_contact(ev) {
[% IF ( enter ) %] [% IF ( booksellerid ) %] -

Update: [% name %]

+

Update: [% name |html %]

[% ELSE %]

Add vendor

[% END %]
@@ -318,11 +318,11 @@ function delete_contact(ev) {
[% ELSE %] -

[% name %]

+

[% name |html %]

Vendor details

-

Company name: [% name %]

+

Company name: [% name |html %]

Postal address: [% postal |html %]

Physical address: [% address1 |html %][% address2 |html %][% address3 |html %][% address4 |html %]

Phone: [% phone |html %]

-- 2.39.5