Bug 13510 - Cross site scripting bug in opac-downloadshelf and opac-shelves
author: Liz <wizzyrea@gmail.com>
Mon, 5 Jan 2015 02:32:32 +0000 (02:32 +0000)
committer: Fridolin Somers <fridolin.somers@biblibre.com>
Fri, 23 Jan 2015 09:22:55 +0000 (10:22 +0100)
commit: 4a80c0483ee87cde8a065c425a519a471ed6fcb3
tree: 40da628cedbe1dfff75078b1325139cf01f8eed5
parent: 6dc24f69305b610d29549368748ad4072a986072
Bug 13510 - Cross site scripting bug in opac-downloadshelf and opac-shelves

A specially crafted URL causes XSS in Koha

To test:

cgi-bin/koha/opac-shelves.pl?viewshelf=2%22%3E%3Cscript%3Eprompt(987898)%3C/script%3E

cgi-bin/koha/opac-downloadshelf.pl?shelfid=2%22%3Cscript%3Eprompt(1)%3C/script%3E&showprivateshelves

These should cause a popup without the patch. With the patch, no popup.

You may need to create these lists; the XSS will not be triggered if the list doesn't exist or you don't have permission to view them.

Signed-off-by: Chris <chris@bigballofwax.co.nz>

Fixes the two listed problems

Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>
Confirmed patch fixes the problem.

Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Signed-off-by: Mason James <mtj@kohaaloha.com>
(cherry picked from commit 0718ced5e452a3d295597d1b5ef976a6772610eb)
Signed-off-by: Fridolin Somers <fridolin.somers@biblibre.com>

Conflicts:
koha-tmpl/opac-tmpl/bootstrap/en/modules/opac-shelves.tt
koha-tmpl/opac-tmpl/bootstrap/en/modules/opac-downloadshelf.tt
koha-tmpl/opac-tmpl/bootstrap/en/modules/opac-shelves.tt
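The payload in the first test URL above URL-encodes `"><script>prompt(987898)</script>`: the `%22%3E` closes a quoted attribute in the rendered page and the rest opens a script element. The following is an added example, not Koha's code or its templates: a Python stand-in that URL-decodes the `viewshelf` parameter, renders it once raw (the behaviour the report describes) and once HTML-escaped (the equivalent of Template Toolkit's `| html` filter, which is how such values are normally protected in Koha templates), then uses an HTML parser to check whether a script element results. The hidden-input attribute context and all function names are assumptions for illustration.

```python
"""Reflected XSS through an unescaped shelf id, modelled on the Bug 13510 test URL.

Added example, not Koha's code: render_unescaped/render_escaped stand in for the
template output; the attribute context is an assumption for illustration.
"""
from html import escape
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlsplit

# Constructed from the first test URL in the commit message.
TEST_URL = ("cgi-bin/koha/opac-shelves.pl?viewshelf="
            "2%22%3E%3Cscript%3Eprompt(987898)%3C/script%3E")


def shelf_param(url, name="viewshelf"):
    """URL-decode one query parameter the way a CGI layer hands it to the template."""
    query = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return query.get(name, [""])[0]


def render_unescaped(shelf):
    """Vulnerable rendering: the parameter is interpolated raw into an attribute."""
    return f'<input type="hidden" name="viewshelf" value="{shelf}" />'


def render_escaped(shelf):
    """Hardened rendering: HTML-escape the value (what a TT `| html` filter does)."""
    return f'<input type="hidden" name="viewshelf" value="{escape(shelf, quote=True)}" />'


class TagCollector(HTMLParser):
    """Records every start tag and the attributes of the input element."""

    def __init__(self):
        super().__init__()
        self.tags = []
        self.input_attrs = {}

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)
        if tag == "input":
            self.input_attrs = dict(attrs)


def analyse(markup):
    """Return how many script elements the markup produces and the parsed value attribute."""
    parser = TagCollector()
    parser.feed(markup)
    parser.close()
    return {
        "script_tags": parser.tags.count("script"),
        "value": parser.input_attrs.get("value"),
    }


def demo():
    """Run the constructed payload through both renderings."""
    payload = shelf_param(TEST_URL)
    return {
        "payload": payload,
        "unescaped": analyse(render_unescaped(payload)),
        "escaped": analyse(render_escaped(payload)),
    }


if __name__ == "__main__":
    for key, val in demo().items():
        print(f"{key}: {val}")
```

In the raw rendering the parser sees the attribute end at `2"`, the tag close at `>`, and then a genuine `<script>` element; in the escaped rendering the whole payload survives as the (now harmless) attribute value and no script element is created. The same check is worth adding to a test suite for any parameter echoed back into a page, since the difference between the two outputs is exactly the popup-versus-no-popup test the commit message describes.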