From 7cb27f092a4c699fcd428083383eef6f515da3e3 Mon Sep 17 00:00:00 2001
From: Jonathan Druart
Date: Tue, 2 Aug 2016 14:15:09 +0100
Subject: [PATCH] Bug 17023: Fix XSS in acqui/z3950_search.pl
MIME-Version: 1.0
Content-Type: text/plain; charset=utf8
Content-Transfer-Encoding: 8bit

Test plan:
Enter the following in the different inputs:
=> Without this patch you will see the alert
=> With this patch, no more alert

Signed-off-by: Chris Cormack
Signed-off-by: Katrin Fischer
Signed-off-by: Brendan Gallagher
(cherry picked from commit eb543a90848b97d35aa15052c8881134926a3ed0)
Signed-off-by: Frédéric Demians
---
 .../prog/en/modules/acqui/z3950_search.tt | 56 +++++++++----------
 1 file changed, 28 insertions(+), 28 deletions(-)

diff --git a/koha-tmpl/intranet-tmpl/prog/en/modules/acqui/z3950_search.tt b/koha-tmpl/intranet-tmpl/prog/en/modules/acqui/z3950_search.tt
index f2ce9dda4c..acd10d3520 100644
--- a/koha-tmpl/intranet-tmpl/prog/en/modules/acqui/z3950_search.tt
+++ b/koha-tmpl/intranet-tmpl/prog/en/modules/acqui/z3950_search.tt
@@ -51,7 +51,7 @@ tr.selected { background-color : #FFFFCC; } tr.selected td { background-color :
 [% INCLUDE 'header.inc' %]
 [% INCLUDE 'acquisitions-search.inc' %]
-
+
@@ -64,11 +64,11 @@ tr.selected { background-color : #FFFFCC; } tr.selected td { background-color :
  1. -
  2. +
  3. -
  4. -
  5. +
  6. +
  7.
@@ -86,9 +86,9 @@ tr.selected { background-color : #FFFFCC; } tr.selected td { background-color :
  8. Clear search form
-
-
-
+
+
+

Search targets Select all | Clear all

@@ -108,7 +108,7 @@ tr.selected { background-color : #FFFFCC; } tr.selected td { background-color :
-
Cancel
+
Cancel
@@ -116,14 +116,14 @@ tr.selected { background-color : #FFFFCC; } tr.selected td { background-color :

Search results

You searched for:
- [% IF ( title ) %]Title: [% title %] [% END %]
- [% IF ( author ) %]Author: [% author %] [% END %]
- [% IF ( isbn ) %]ISBN: [% isbn %] [% END %]
- [% IF ( issn ) %]ISSN: [% issn %] [% END %]
- [% IF ( lccall ) %]LC call number: [% lccall %] [% END %]
- [% IF ( subject ) %]Subject heading: [% subject %] [% END %]
- [% IF ( controlnumber ) %]Control no: [% controlnumber %] [% END %]
- [% IF ( dewey ) %]Dewey: [% dewey %] [%END %]
+ [% IF ( title ) %]Title: [% title | html %] [% END %]
+ [% IF ( author ) %]Author: [% author | html %] [% END %]
+ [% IF ( isbn ) %]ISBN: [% isbn | html %] [% END %]
+ [% IF ( issn ) %]ISSN: [% issn | html %] [% END %]
+ [% IF ( lccall ) %]LC call number: [% lccall | html %] [% END %]
+ [% IF ( subject ) %]Subject heading: [% subject | html %] [% END %]
+ [% IF ( controlnumber ) %]Control no: [% controlnumber | html %] [% END %]
+ [% IF ( dewey ) %]Dewey: [% dewey | html %] [%END %]
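Review bot: The dewey line keeps the unevenly spaced `[%END %]` directive while every other line in this hunk writes `[% END %]`; since the line is rewritten anyway it should read `[% IF ( dewey ) %]Dewey: [% dewey | html %] [% END %]`. The `html` filter is the right fix here: these are the submitted search terms echoed back into the page, so they must be escaped on output rather than trusted. The spacing is cosmetic, but uniform `[% END %]` tokens make a later audit for unfiltered `[% … %]` output in this template easier to do mechanically.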

[% IF ( breeding_loop ) %]
@@ -141,13 +141,13 @@ tr.selected { background-color : #FFFFCC; } tr.selected td { background-color :
 [% IF ( breeding_loo.breedingid ) %]
- [% breeding_loo.server %]
+ [% breeding_loo.server %]
 [% breeding_loo.title |html %]
 [% breeding_loo.author %]
 [% breeding_loo.isbn %]
 [% breeding_loo.lccn %]
 MARC | Card
- Order
+ Order
 [% END %]
@@ -172,16 +172,16 @@ tr.selected { background-color : #FFFFCC; } tr.selected td { background-color :
-
-
-
-
-
-
-
-
-
-
+
+
+
+
+
+
+
+
+
+
 [% FOREACH server IN servers %]
-- 
2.39.5
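Review bot: In the same result row the context lines `[% breeding_loo.author %]`, `[% breeding_loo.isbn %]` and `[% breeding_loo.lccn %]` are still rendered without the `html` filter, while the title two lines above already uses `|html`. These fields appear to be taken from records returned by the remote Z39.50 targets, so they are untrusted in the same way as the search terms this commit escapes, and each should become e.g. `[% breeding_loo.author | html %]`. The changed `breeding_loo.server` line differs only in markup that this rendering does not show, so I cannot tell whether it gained the filter; if it did not, the same treatment applies to it. The `@@ -172` hunk in this section is attribute-only and carries no visible text to review.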