projects / koha.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch (parent: dd93d0c)
Bug 16587 - opac-sendbasket.pl is open to XSS
authorChris Cormack <chris@bigballofwax.co.nz>
Wed, 25 May 2016 14:01:41 +0000 (14:01 +0000)
committerChris Cormack <chrisc@catalyst.net.nz>
Wed, 3 Aug 2016 20:29:28 +0000 (08:29 +1200)
To test
1/ Hit a url like
http://localhost:8080/cgi-bin/koha/opac-sendbasket.pl?email_add=%3Cscript%3Ealert(%27XSS%27)%3C%2Fscript%3Ezz%40zz&comment=tes&bib_list=3

Where bib_list is a valid basket number
2/ Notice you get a javascript alert showing
3/ Apply patch
4/ Notice the text is now escaped

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>

Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>

koha-tmpl/opac-tmpl/bootstrap/en/modules/opac-sendbasketform.tt patch | blob | history

diff --git a/koha-tmpl/opac-tmpl/bootstrap/en/modules/opac-sendbasketform.tt b/koha-tmpl/opac-tmpl/bootstrap/en/modules/opac-sendbasketform.tt
index ad4ce33..20ce18c 100644 (file)
--- a/koha-tmpl/opac-tmpl/bootstrap/en/modules/opac-sendbasketform.tt
+++ b/koha-tmpl/opac-tmpl/bootstrap/en/modules/opac-sendbasketform.tt
@@ -14,7 +14,7 @@
                             [% IF ( SENT ) %]
                                 <h1>Message sent</h1>
                                 <div class="dialog dialog-success">
-                                    <p>The cart was sent to: [% email_add %]</p>
+                                    <p>The cart was sent to: [% email_add | html %]</p>
                                 </div>
                                 <p><a class="focus close" href="#">Close window</a></p>
                             [% END %]
Mirror of git://git.koha-community.org/koha.git