git.koha-community.org Git - koha.git/commit
Bug 11307: Fix potential XSS attack in public catalog RSS feed
author Chris Cormack <chris@bigballofwax.co.nz>
Tue, 26 Nov 2013 16:37:07 +0000 (05:37 +1300)
committer Galen Charlton <gmc@esilibrary.com>
Tue, 26 Nov 2013 18:16:27 +0000 (18:16 +0000)
commit 6f0d4153dfb8f85ab2b41c1e2780d4171c00e4ee
tree fb1e8494f217fa808f6dd791466c146a917b3139
parent 17b78abc7fe6a66ab48a01ac4a7be8e88ad165fc
Bug 11307: Fix potential XSS attack in public catalog RSS feed

To test:
1/ Craft a URL like
/cgi-bin/koha/opac-search.pl?q=a&count=50"'<h1>test</h1>&sort_by=acqdate_dsc&format=rss2
2/ Look at the source and notice
<opensearch:itemsPerPage>50"'<h1>test</h1></opensearch:itemsPerPage>
3/ Apply the patch and reload the URL
4/ The source now contains
<opensearch:itemsPerPage>50&quot;'&lt;h1&gt;test&lt;/h1&gt;</opensearch:itemsPerPage>

Signed-off-by: Mark Tompsett <mtompset@hotmail.com>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Signed-off-by: Galen Charlton <gmc@esilibrary.com>
koha-tmpl/opac-tmpl/prog/en/modules/opac-opensearch.tt
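As an added illustration (this is not Koha's own code, and the diff itself is not shown on this page), the Perl script below renders the `<opensearch:itemsPerPage>` element through Template Toolkit twice with the crafted `count` value from the test steps: once with the value interpolated verbatim, and once through Template Toolkit's `html` filter, which escapes `&`, `<`, `>` and `"` and so yields exactly the escaped string the commit message expects. It assumes the fix in opac-opensearch.tt applies that filter; the template strings and helper names (`render_items_per_page`, `contains_injected_markup`) are mine, not Koha's.

```perl
#!/usr/bin/perl
# Added example, not Koha code: shows why verbatim interpolation of a
# request parameter into the RSS/OpenSearch XML is exploitable and how
# Template Toolkit's html filter neutralises it.
use strict;
use warnings;
use Template;

# The crafted value from the commit message's test URL (count=...),
# as the CGI layer would hand it to the template.
my $CRAFTED_COUNT = q{50"'<h1>test</h1>};

# Vulnerable form: the value lands in the XML unchanged.
my $UNESCAPED_TEMPLATE =
  '<opensearch:itemsPerPage>[% count %]</opensearch:itemsPerPage>';

# Hardened form (assumed to mirror the fix; the diff is not on this page):
# the html filter escapes & < > " before the value reaches the feed.
my $ESCAPED_TEMPLATE =
  '<opensearch:itemsPerPage>[% count | html %]</opensearch:itemsPerPage>';

# Render a template with the given count value and return the output.
sub render_items_per_page {
    my ( $template, $count ) = @_;
    my $tt = Template->new() or die Template->error();
    my $out = '';
    $tt->process( \$template, { count => $count }, \$out )
      or die $tt->error();
    return $out;
}

# Detection-style check usable in a test or over captured feed output:
# true if the element's text still contains raw angle brackets, i.e. a
# parameter was able to inject markup into the feed.
sub contains_injected_markup {
    my ($xml) = @_;
    my ($text) =
      $xml =~ m{<opensearch:itemsPerPage>(.*?)</opensearch:itemsPerPage>}s;
    return 0 unless defined $text;
    return $text =~ /[<>]/ ? 1 : 0;
}

sub main {
    for my $case (
        [ 'unescaped',     $UNESCAPED_TEMPLATE ],
        [ 'html-filtered', $ESCAPED_TEMPLATE ],
    ) {
        my ( $label, $template ) = @$case;
        my $xml = render_items_per_page( $template, $CRAFTED_COUNT );
        printf "%-14s %s\n", "$label:", $xml;
        printf "%-14s injected markup: %s\n", '',
          contains_injected_markup($xml) ? 'yes' : 'no';
    }
}

main() unless caller;
```

Run with the Template module installed: the unescaped rendering reproduces the element from step 2 of the test plan and is flagged as carrying injected markup, while the `html`-filtered rendering produces `50&quot;'&lt;h1&gt;test&lt;/h1&gt;` (the apostrophe is left alone, as in the expected output) and is not. Escaping at output time is the right layer for this fix; validating `count` as an integer on the server side would be a complementary hardening step, but that is outside what this commit shows.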