]> git.koha-community.org Git - koha.git/commit
Bug 14416: Stored XSS vulnerability
authorChris Cormack <chrisc@catalyst.net.nz>
Thu, 18 Jun 2015 23:26:02 +0000 (11:26 +1200)
committerChris Cormack <chrisc@catalyst.net.nz>
Mon, 22 Jun 2015 21:41:39 +0000 (09:41 +1200)
commit20910660a27f61307153afa05c13d67b1b5e91af
tree8b02aa4fe0b8404a316a1edcbcd75295f583563c
parent1316436e269eec4836e0f999f62009ce41bcc08f
Bug 14416: Stored XSS vulnerability

opac-addbybiblionumber.pl is also vulnerable because it doesn't escape
list names.

To test
1/ Create a malicious list name
2/ Try to add a biblio to the lists
3/ Notice js is excuted
4/ Apply patch
5/ Test again

Signed-off-by: Jonathan Druart <jonathan.druart@koha-community.org>
Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>
Signed-off-by: Tomas Cohen Arazi <tomascohen@unc.edu.ar>
(cherry picked from commit fb51a4bb0f3ac8b42b53579fe3d6d73d0b3438cd)
Signed-off-by: Chris Cormack <chrisc@catalyst.net.nz>
koha-tmpl/opac-tmpl/bootstrap/en/modules/opac-addbybiblionumber.tt