From ec85c6b0a23088e91922c0b095f39bfbca2f4456 Mon Sep 17 00:00:00 2001
From: Amit Gupta
Date: Tue, 15 Aug 2017 14:10:43 +0530
Subject: [PATCH] Bug 19108: Fix Stored XSS in fieldmapping.pl

To Test
1. Hit the page /cgi-bin/koha/admin/fieldmapping.pl
2. Add a text in the field Field name that contains js
3. Save the page.
4. Notice js is execute
5. Apply patch and reload, the js is escaped

Signed-off-by: Katrin Fischer
Signed-off-by: Marcel de Rooy
Signed-off-by: Jonathan Druart
---
 koha-tmpl/intranet-tmpl/prog/en/modules/admin/fieldmapping.tt | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/koha-tmpl/intranet-tmpl/prog/en/modules/admin/fieldmapping.tt b/koha-tmpl/intranet-tmpl/prog/en/modules/admin/fieldmapping.tt
index d1827503e7..238555a1b5 100644
--- a/koha-tmpl/intranet-tmpl/prog/en/modules/admin/fieldmapping.tt
+++ b/koha-tmpl/intranet-tmpl/prog/en/modules/admin/fieldmapping.tt
@@ -69,7 +69,7 @@ $(document).ready(function() {
 [% FOREACH field IN fields %]
-[% field.field %]
+[% field.field |html %]
 [% field.fieldcode %]
 [% field.subfieldcode %]
 Delete
-- 
2.39.5
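Review bot: Only `field.field` receives the `|html` filter, while the context lines `[% field.fieldcode %]` and `[% field.subfieldcode %]` directly below it are still rendered unescaped; if those values are stored from the same admin form as the field name (the page's test plan suggests all three are user-entered), they carry the same stored-XSS exposure that this patch closes for the first column. Suggest escaping them in the same hunk: `[% field.fieldcode |html %]` and `[% field.subfieldcode |html %]`. The surrounding `Delete` link's href is not visible here, so whether its parameters are escaped cannot be judged from this hunk. The `[% FOREACH field IN fields %]` block's `[% END %]` lies outside the hunk.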