projects / koha.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch (parent: 7e0c35e)
Bug 19614: Fix XSS in members/pay.pl
authorAmit Gupta <amit.gupta@informaticsglobal.com>
Mon, 13 Nov 2017 03:57:44 +0000 (08:57 +0530)
committerChris Cormack <chrisc@catalyst.net.nz>
Wed, 20 Dec 2017 23:58:08 +0000 (12:58 +1300)
To Test
1. Hit the page /cgi-bin/koha/members/memberentry.pl
2. Add a text in the field firstname, surname that contains js
3. Save the page.
4. click on fine tab
5. Notice js is execute
6. Apply patch and reload, the js is escaped

Signed-off-by: Chris Cormack <chris@bigballofwax.co.nz>

Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>

koha-tmpl/intranet-tmpl/prog/en/modules/members/pay.tt patch | blob | history

diff --git a/koha-tmpl/intranet-tmpl/prog/en/modules/members/pay.tt b/koha-tmpl/intranet-tmpl/prog/en/modules/members/pay.tt
index 092cc0d..6a3e902 100644 (file)
--- a/koha-tmpl/intranet-tmpl/prog/en/modules/members/pay.tt
+++ b/koha-tmpl/intranet-tmpl/prog/en/modules/members/pay.tt
@@ -3,7 +3,7 @@
 [% USE Branches %]
 [% USE Price %]
 [% INCLUDE 'doc-head-open.inc' %]
-<title>Koha &rsaquo; Patrons &rsaquo; Pay Fines for  [% borrower.firstname %] [% borrower.surname %]</title>
+<title>Koha &rsaquo; Patrons &rsaquo; Pay Fines for  [% borrower.firstname |html %] [% borrower.surname |html %]</title>
 [% INCLUDE 'doc-head-close.inc' %]
 <script type="text/javascript" src="[% interface %]/lib/jquery/plugins/jquery.checkboxes.min.js"></script>
 <script type= "text/javascript">
@@ -48,7 +48,7 @@ function enableCheckboxActions(){
 [% INCLUDE 'header.inc' %]
 [% INCLUDE 'patron-search.inc' %]
 
-<div id="breadcrumbs"><a href="/cgi-bin/koha/mainpage.pl">Home</a> &rsaquo; <a href="/cgi-bin/koha/members/members-home.pl">Patrons</a>  &rsaquo; Pay fines for [% borrower.firstname %] [% borrower.surname %]</div>
+<div id="breadcrumbs"><a href="/cgi-bin/koha/mainpage.pl">Home</a> &rsaquo; <a href="/cgi-bin/koha/members/members-home.pl">Patrons</a>  &rsaquo; Pay fines for [% borrower.firstname |html %] [% borrower.surname |html %]</div>
 
 <div id="doc3" class="yui-t2">
    
@@ -168,7 +168,7 @@ function enableCheckboxActions(){
 </fieldset>
 </form>
 [% ELSE %]
-    <p>[% borrower.firstname %] [% borrower.surname %] has no outstanding fines.</p>
+    <p>[% borrower.firstname |html %] [% borrower.surname |html %] has no outstanding fines.</p>
 [% END %]
 </div></div>
 
Mirror of git://git.koha-community.org/koha.git