From 04fe052de7337f7c348de69df3d0ec1184b80e8d Mon Sep 17 00:00:00 2001 From: Chris Cormack Date: Fri, 19 Jun 2015 11:30:22 +1200 Subject: [PATCH] Bug 14418: XSS flaw in opac-shelves.pl To test: 1/ Create a list and add at least one item to it 2/ Hit a url like http://192.168.2.18/cgi-bin/koha/opac-shelves.pl?viewshelf=7&sort=author&direction=%22%3E%3Cscript%3Ealert%28%27oh%20noes%27%29%3C/script%3E Where the shelf id is the number of the list you created, notice the js is executed 3/ Apply the patch 4/ Reload the page notice the js is now escaped Signed-off-by: Jonathan Druart Signed-off-by: Katrin Fischer Signed-off-by: Tomas Cohen Arazi (cherry picked from commit b6ca2b0cd2d95e8aedbfd7c0c58ace8200620bf1) Signed-off-by: Chris Cormack --- koha-tmpl/opac-tmpl/bootstrap/en/modules/opac-shelves.tt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/koha-tmpl/opac-tmpl/bootstrap/en/modules/opac-shelves.tt b/koha-tmpl/opac-tmpl/bootstrap/en/modules/opac-shelves.tt index eb2c143a81..b586ac1241 100644 --- a/koha-tmpl/opac-tmpl/bootstrap/en/modules/opac-shelves.tt +++ b/koha-tmpl/opac-tmpl/bootstrap/en/modules/opac-shelves.tt @@ -168,7 +168,7 @@ Send list [% END %] - Print list + Print list [% IF ( manageshelf ) %] | -- 2.39.5
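Review bot: the `-` and `+` lines of this hunk both render as `Print list` here, so the one-line change the commit message describes (escaping the reflected `direction` parameter in the Print list link of opac-shelves.tt) is not visible in this rendering; the template markup and any output filter on the interpolated value were lost in extraction. Before relying on this page as the record of the fix, check the actual file to confirm that the added line applies an escaping filter to the query parameter it echoes rather than only changing attribute layout, and that `sort`, which the test URL also reflects, gets the same treatment, since the diffstat shows exactly one line touched. The test plan would also be stronger if step 4 stated what the escaped output should look like instead of only "the js is now escaped".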