Bug 14423 : XSS bug in lateorders
authorChris <chris@bigballofwax.co.nz>
Sun, 21 Jun 2015 08:18:20 +0000 (08:18 +0000)
committerFridolin Somers <fridolin.somers@biblibre.com>
Tue, 23 Jun 2015 12:28:08 +0000 (14:28 +0200)
1/ hit a url like http://localhost:8081/cgi-bin/koha/acqui/lateorders.pl?delay=<script>alert('oh noes')</script>&estimateddeliverydatefrom
2/ Now you get an alert box
3/ Apply patch notice it is fixed
4/ Test functionality still works

Signed-off-by: Jonathan Druart <jonathan.druart@koha-community.org>

Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
Signed-off-by: Chris Cormack <chrisc@catalyst.net.nz>
(cherry picked from commit 66dc4a9e7d2f11b97f1a4b0f76b5c485c3873683)
Signed-off-by: Fridolin Somers <fridolin.somers@biblibre.com>

koha-tmpl/intranet-tmpl/prog/en/modules/acqui/lateorders.tt

index c76cf2d..ba11284 100644 (file)
@@ -93,7 +93,7 @@ $(document).ready(function() {
 [% IF ( lateorders ) %]
 <form action="lateorders.pl" name="claim" method="post">
   <input type="hidden" name="op" value="send_alert" />
-  <input type="hidden" name="delay" value="[% delay %]" />
+  <input type="hidden" name="delay" value="[% delay | html%]" />
   <input type="hidden" name="booksellerid" value="[% booksellerid %]" />
        [% IF ( letters ) %]
        <p><label for="letter_code">Claim using notice: </label><select name="letter_code" id="letter_code">
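Review bot: The hidden `booksellerid` input on the line directly after the fixed `delay` line still interpolates `[% booksellerid %]` without the `html` filter, so the same reflected-value concern this commit closes for `delay` remains for the neighbouring parameter unless the controller validates it before it reaches the template; `<input type="hidden" name="booksellerid" value="[% booksellerid | html %]" />` would put both inputs on the same footing. The same gap is visible in the second hunk, where `estimateddeliverydatefrom` is echoed into the `from` text input as `[% estimateddeliverydatefrom %]` with no filter. A minor style point: the two new `delay` lines write `| html%]` while the new error-message line writes `| html %]`; `[% delay | html %]` keeps the spacing consistent across the file. The `<form>` these inputs belong to opens at the top of this hunk and closes outside it.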
@@ -195,10 +195,10 @@ $(document).ready(function() {
 <fieldset class="brief">
 <h4>Filter results:</h4>
 [% FOREACH ERROR_LOO IN ERROR_LOOP %]
-[% IF ( ERROR_LOO.delay_digits ) %]<p class="error">The number of days ([% ERROR_LOO.bad_delay %]) must be a number between 0 and 999.</p>[% END %]
+[% IF ( ERROR_LOO.delay_digits ) %]<p class="error">The number of days ([% ERROR_LOO.bad_delay | html %]) must be a number between 0 and 999.</p>[% END %]
 [% END %]
 <ol>
-    <li><label for="delay">Order date:</label><input size="3" maxlength="3" id="delay" type="text" name="delay" value="[% delay %]" /> days ago</li>
+    <li><label for="delay">Order date:</label><input size="3" maxlength="3" id="delay" type="text" name="delay" value="[% delay | html%]" /> days ago</li>
     <li><label for="from">Estimated delivery date from: </label>
         <input type="text" size="10" id="from" name="estimateddeliverydatefrom" value="[% estimateddeliverydatefrom %]" class="datepickerfrom" />
         <div class="hint">[% INCLUDE 'date-format.inc' %]</div>