From 50dcae4b504a4a54a830ae87848ba3fa5161ad57 Mon Sep 17 00:00:00 2001
From: Chris Cormack
Date: Fri, 11 Aug 2017 19:54:34 +0000
Subject: [PATCH] Bug 19086: Fix Stored XSS in circulation.pl
1/ To test add a message to a borrower that contains js
2/ hit /cgi-bin/koha/circ/circulation.pl?borrowernumber=[number] where number is the borrowernumber of the borrower you set the message for
3/ Notice js is execute
4/ Apply patch, reload, js is escaped
Signed-off-by: Amit Gupta
Signed-off-by: Katrin Fischer
Signed-off-by: Marcel de Rooy
Signed-off-by: Jonathan Druart
---
koha-tmpl/intranet-tmpl/prog/en/modules/circ/circulation.tt | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/koha-tmpl/intranet-tmpl/prog/en/modules/circ/circulation.tt b/koha-tmpl/intranet-tmpl/prog/en/modules/circ/circulation.tt
index ffe414bb55..95e24a33f6 100644
--- a/koha-tmpl/intranet-tmpl/prog/en/modules/circ/circulation.tt
+++ b/koha-tmpl/intranet-tmpl/prog/en/modules/circ/circulation.tt
@@ -906,7 +906,7 @@ No patron matched [% message | html %] [% IF message.manager_id %] ( [% message.get_column('manager_firstname') %] [% message.get_column('manager_surname') %] ) [% END %]
- "[% message.message %]"
+ "[% message.message | html %]"
[% IF message.branchcode == branch OR Koha.Preference('AllowAllMessageDeletion') %] Delete
--
2.39.5
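Review bot: The `message.get_column('manager_firstname')` and `message.get_column('manager_surname')` interpolations in the context lines directly above the changed line are still emitted without the `html` filter, so the hunk fixes one of the three interpolations in this message block. Those values come from the staff member's patron record rather than the free-text message, so the exposure is narrower, but the template's own convention visible in the hunk header (`[% message | html %]`) is to filter every interpolation, and a name containing markup would otherwise be rendered as HTML. I would change that line to `( [% message.get_column('manager_firstname') | html %] [% message.get_column('manager_surname') | html %] )`. The enclosing block starts and ends outside the hunk, so any further `message` fields rendered there should be checked for the same filter.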