From 99d327a5ea039b98f2bb19a3ef29431b33437cb7 Mon Sep 17 00:00:00 2001
From: Amit Gupta
Date: Sun, 12 Nov 2017 21:14:41 +0530
Subject: [PATCH] Bug 19611: Fix XSS Flaws in supplier.pl

Test
1. Hit the page /cgi-bin/koha/acqui/supplier.pl?op=enter
2. Add a text in the field Name that contains java script
3. Save the page.
4. Notice js is execute
5. Apply patch and reload the js is escaped

Signed-off-by: Katrin Fischer
Signed-off-by: Josef Moravec
Signed-off-by: Jonathan Druart
Signed-off-by: Nick Clemens
---
 koha-tmpl/intranet-tmpl/prog/en/modules/acqui/booksellers.tt | 2 +-
 koha-tmpl/intranet-tmpl/prog/en/modules/acqui/supplier.tt | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/koha-tmpl/intranet-tmpl/prog/en/modules/acqui/booksellers.tt b/koha-tmpl/intranet-tmpl/prog/en/modules/acqui/booksellers.tt
index e8acf39696..43b43a2bfa 100644
--- a/koha-tmpl/intranet-tmpl/prog/en/modules/acqui/booksellers.tt
+++ b/koha-tmpl/intranet-tmpl/prog/en/modules/acqui/booksellers.tt
@@ -100,7 +100,7 @@ $(document).ready(function() {
 [% END %]
 [% IF (supplier.name) %]
- [% supplier.name %]
+ [% supplier.name |html %]
 [% ELSE %]
 NO NAME
 [% END %]
diff --git a/koha-tmpl/intranet-tmpl/prog/en/modules/acqui/supplier.tt b/koha-tmpl/intranet-tmpl/prog/en/modules/acqui/supplier.tt
index 085875f4f2..07954a39af 100644
--- a/koha-tmpl/intranet-tmpl/prog/en/modules/acqui/supplier.tt
+++ b/koha-tmpl/intranet-tmpl/prog/en/modules/acqui/supplier.tt
@@ -169,7 +169,7 @@ function delete_contact(ev) {
 [% INCLUDE 'header.inc' %]
 [% INCLUDE 'acquisitions-search.inc' %]
- +
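Review bot: The `|html` filter on `supplier.name` in the booksellers.tt hunk is the right escaper for element content, but the patch only touches one output of one field, while the bug title claims to fix "XSS flaws in supplier.pl" generally; any other bookseller-supplied values these two templates print without a filter (address, contact, notes and similar, if present) would carry the same stored-XSS risk, so the rest of both templates should be audited rather than this single occurrence. The changed lines of the supplier.tt hunk appear empty on this page (the markup was apparently stripped in transit), so whether that hunk applies `|html` in element content or inside an attribute or script cannot be verified here; if the name lands in a JavaScript string or an event-handler attribute, `|html` alone is not the correct escaping for that context. Both hunks also appear to have lost at least one context line relative to their `-N,7 +N,7` counts, so the surrounding markup is not fully visible. The test plan would be stronger if step 2 named a concrete escaped-character check (for example that `<` is rendered as `&lt;` in the page source) rather than relying on whether a script visibly executes.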
-- 2.39.5