To test:
1/ Hit a url like
/cgi-bin/koha/opac-shelves.pl?viewshelf=7&op=modif&display="><script>alert('oh noes')</script>
where the id is a valid shelf id
2/ Notice the js is executed
3/ Apply patch
4/ Reload page
5/ Notice input is now escaped on display
Signed-off-by: Jonathan Druart <jonathan.druart@koha-community.org>
Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>
Tested in Debian, couldn't reproduce the alert in Iceweasel, but in
Chromium. Patch fixes it.
Signed-off-by: Tomas Cohen Arazi <tomascohen@unc.edu.ar>
[% IF ( edit ) %]
<form method="post" action="/cgi-bin/koha/opac-shelves.pl">
<input type="hidden" name="op" value="modifsave" />
- <input type="hidden" name="display" value="[% display %]" />
+ <input type="hidden" name="display" value="[% display |html %]" />
<input type="hidden" name="shelfnumber" value="[% shelfnumber | html %]" />
<fieldset class="rows">
<legend>Editing <em>[% shelfname |html %]</em></legend>
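Review bot: the added `|html` filter on the `display` hidden input is the right fix for the attribute break-out the test plan reproduces, but it is output encoding at a single point; any other place this template emits `display` (or another request parameter) without `|html` remains injectable, so the rest of the template should be checked in the same pass rather than only the line the repro hits. Minor style point: the new line writes `[% display |html %]` while the `shelfnumber` line directly below writes `[% shelfnumber | html %]`; pick one spacing form so the filter usage is consistent and easy to grep for.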