opac-addbybiblionumber.pl is also vulnerable because it doesn't escape
list names.
To test
1/ Create a malicious list name
2/ Try to add a biblio to the lists
3/ Notice js is excuted
4/ Apply patch
5/ Test again
Signed-off-by: Jonathan Druart <jonathan.druart@koha-community.org>
Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>
Signed-off-by: Tomas Cohen Arazi <tomascohen@unc.edu.ar>
<label for="shelfnumber">Add to list:</label> <select name="shelfnumber" id="shelfnumber">
[% IF ( privatevirtualshelves ) %]<optgroup label="Private Lists">
[% FOREACH privatevirtualshelve IN privatevirtualshelves %]
- <option value="[% privatevirtualshelve.shelfnumber %]">[% privatevirtualshelve.shelfname %]</option>
+ <option value="[% privatevirtualshelve.shelfnumber %]">[% privatevirtualshelve.shelfname | html%]</option>
[% END %]
</optgroup>[% END %]
[% IF ( publicvirtualshelves ) %]<optgroup label="Public Lists">
[% FOREACH publicvirtualshelve IN publicvirtualshelves %]
- <option value="[% publicvirtualshelve.shelfnumber %]">[% publicvirtualshelve.shelfname %]</option>
+ <option value="[% publicvirtualshelve.shelfnumber %]">[% publicvirtualshelve.shelfname |html%]</option>
[% END %]
</optgroup>[% END %]
</select>