From f6bb532a9a5448ae1dba1a9b0fdaaa99f1271304 Mon Sep 17 00:00:00 2001
From: Katrin Fischer
Date: Wed, 16 Aug 2017 12:59:13 +0200
Subject: [PATCH] Bug 19086 - Follow-up - XSS in supplier.tt

In preparation: Make sure you enter in all fields of a new vendor that are not validated and save.

1) Access vendor summary page.
2) Verify scripts are executed
3) Apply patch
4) Verify scripts are on longer executed

This works in combination with the other patches for XSS on this bug.

Signed-off-by: Marcel de Rooy
Signed-off-by: Jonathan Druart
(cherry picked from commit 14a1aba57cc091a70c527a0d6bd495d21bd87345)
Signed-off-by: Fridolin Somers
(cherry picked from commit 13147e7c05daa73a4f562541c3a7f8c98747bc83)
Signed-off-by: Katrin Fischer
---
 .../intranet-tmpl/prog/en/modules/acqui/supplier.tt | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

diff --git a/koha-tmpl/intranet-tmpl/prog/en/modules/acqui/supplier.tt b/koha-tmpl/intranet-tmpl/prog/en/modules/acqui/supplier.tt
index 5ce241a5f7..fbe5796a4e 100644
--- a/koha-tmpl/intranet-tmpl/prog/en/modules/acqui/supplier.tt
+++ b/koha-tmpl/intranet-tmpl/prog/en/modules/acqui/supplier.tt
@@ -57,7 +57,7 @@ [% END %] [% BLOCK show_contact %] -

[% contact.name %]

+

[% contact.name |html %]

Position: [% contact.position |html %]

Phone: [% contact.phone |html %]

Alternative phone: [% contact.altphone |html %]

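Review bot: The hunk escapes only `contact.name`; the `show_contact` block it sits in starts before the hunk and continues past its last line, so any contact fields emitted after `contact.altphone` (fax, email, notes, if the block has them) are outside this hunk and need the same `|html` filter, as do the remaining uses of `name` around the hunks at -178 and -318 that fall outside their context (for example an edit-form `value="[% name %]"`, if one exists). TT's `|html` filter encodes `<`, `>`, `&` and `"`, which is sufficient for element text and double-quoted attributes as used here, but not for a value placed in a single-quoted attribute or inside an inline script block, so those contexts would need a different filter. A final search of the template for unfiltered `[% contact.` and `[% name %]` would confirm the commit's test plan ("verify scripts are no longer executed") holds for every field, not just the ones visible in these hunks.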
@@ -169,7 +169,7 @@ function delete_contact(ev) { [% INCLUDE 'header.inc' %] [% INCLUDE 'acquisitions-search.inc' %] - +
@@ -178,7 +178,7 @@ function delete_contact(ev) {
[% IF ( enter ) %] [% IF ( booksellerid ) %] -

Update: [% name %]

+

Update: [% name |html %]

[% ELSE %]

Add vendor

[% END %] @@ -318,11 +318,11 @@ function delete_contact(ev) {
[% ELSE %] -

[% name %]

+

[% name |html %]

Vendor details

-

Company name: [% name %]

+

Company name: [% name |html %]

Postal address: [% postal |html %]

Physical address: [% address1 |html %][% address2 |html %][% address3 |html %][% address4 |html %]

Phone: [% phone |html %]

-- 2.39.5