]> git.koha-community.org Git - koha.git/commit
Bug 19114 - Stored XSS in parcels.pl
authorAmit Gupta <amit.gupta@informaticsglobal.com>
Tue, 15 Aug 2017 15:28:34 +0000 (20:58 +0530)
committerKatrin Fischer <katrin.fischer.83@web.de>
Sun, 20 Aug 2017 13:36:26 +0000 (15:36 +0200)
commita2c6cd77d2b84caf4767826a89404dc1e90b473c
treef70118b08386692985d2c2bfddbb2003537c658a
parenta2aaa3383e531839a06e71d90ce8fb9f753a8561
Bug 19114 - Stored XSS in parcels.pl

Test
1. Hit the page /cgi-bin/koha/acqui/parcels.pl?booksellerid=xx
   xx is booksellerid
2. Add a text in the field Vendor invoice that contains java script
3. Save the page.
4. Notice js is execute
5. Apply patch and reload the js is escaped

Fixed XSS for parcels.pl/parcel.pl/orderreceive.pl

Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
koha-tmpl/intranet-tmpl/prog/en/modules/acqui/orderreceive.tt
koha-tmpl/intranet-tmpl/prog/en/modules/acqui/parcel.tt
koha-tmpl/intranet-tmpl/prog/en/modules/acqui/parcels.tt