From 36ba8be88a9543942102580f2b1abe1e5e108c35 Mon Sep 17 00:00:00 2001
From: Amit Gupta
Date: Tue, 15 Aug 2017 08:33:41 +0530
Subject: [PATCH] Bug 19035 - Stored XSS in lists.pl

To Test
1. Hit the page /cgi-bin/koha/patron_lists/lists.pl
2. Click on new patron list
3. Add a text in the field Name that contains js
4. Save the page.
5. Notice js is execute
6. Apply patch and reload, the js is escaped
Fixed in both the pages list.pl and list.pl?patron_list_id=xx xx is patronlist id
Signed-off-by: Katrin Fischer
Signed-off-by: Marcel de Rooy
Signed-off-by: Jonathan Druart
---
 koha-tmpl/intranet-tmpl/prog/en/modules/patron_lists/list.tt | 4 ++--
 koha-tmpl/intranet-tmpl/prog/en/modules/patron_lists/lists.tt | 2 +-
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/koha-tmpl/intranet-tmpl/prog/en/modules/patron_lists/list.tt b/koha-tmpl/intranet-tmpl/prog/en/modules/patron_lists/list.tt
index 956cc28e7f..c06997ab72 100644
--- a/koha-tmpl/intranet-tmpl/prog/en/modules/patron_lists/list.tt
+++ b/koha-tmpl/intranet-tmpl/prog/en/modules/patron_lists/list.tt
@@ -69,13 +69,13 @@ $(document).ready(function() {
 [% INCLUDE 'header.inc' %]
 [% INCLUDE 'cat-search.inc' %] - +
-

[% list.name %]

+

[% list.name |html %]

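Review bot: The `|html` filter is applied to the two `list.name` occurrences inside this hunk (the breadcrumb and heading around the old `[% list.name %]` line), but any other interpolation of the same field in list.tt lies outside the hunk and is not covered by this patch — the `<title>` element near the top of the template is the usual candidate, if it renders `list.name` there. Because the fix is per-occurrence rather than template-wide, the next unfiltered reference reintroduces the stored XSS, so a grep for every `list.name` (and `l.name` in lists.tt, the other hunk of this commit) is worth doing before merge. A short template comment would help future editors: `[%# list.name is patron-supplied text: always render it with |html %]`. The markup of this hunk has been stripped in this rendering, so the exact element positions could not be verified here.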
diff --git a/koha-tmpl/intranet-tmpl/prog/en/modules/patron_lists/lists.tt b/koha-tmpl/intranet-tmpl/prog/en/modules/patron_lists/lists.tt
index fb60e2ee72..df890d6447 100644
--- a/koha-tmpl/intranet-tmpl/prog/en/modules/patron_lists/lists.tt
+++ b/koha-tmpl/intranet-tmpl/prog/en/modules/patron_lists/lists.tt
@@ -87,7 +87,7 @@ [% FOREACH l IN lists %]
- [% l.name %]
+ [% l.name |html %]
 [% l.patron_list_patrons_rs.count || 0 %]
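Review bot: `[% l.name |html %]` is the right filter for the element-content position it occupies in the `FOREACH l IN lists` row, but Template Toolkit's `html` filter escapes only `<`, `>`, `&` and `"`, not `'`, so it is not sufficient if the same value is ever placed in a single-quoted attribute or an inline script in this table. The row's link (tags stripped in this rendering) presumably builds `list.pl?patron_list_id=` from a template variable as the commit message describes; an id interpolated into an `href` belongs under `|uri` rather than `|html`, even when it is expected to be numeric. A regression check that renders the template with a list named `<b>x</b>` (constructed sample) and asserts the output contains `&lt;b&gt;` would keep this from silently regressing, since the commit's test plan is manual only.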