Bug 19333: Fix XSS in opac-shelves

author Jonathan Druart <jonathan.druart@bugs.koha-community.org>

Mon, 18 Sep 2017 17:53:41 +0000 (14:53 -0300)

committer Katrin Fischer <katrin.fischer.83@web.de>

Sun, 22 Oct 2017 21:57:57 +0000 (21:57 +0000)
author Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Mon, 18 Sep 2017 17:53:41 +0000 (14:53 -0300)
committer Katrin Fischer <katrin.fischer.83@web.de>
Sun, 22 Oct 2017 21:57:57 +0000 (21:57 +0000)
diff --git a/koha-tmpl/opac-tmpl/bootstrap/en/modules/opac-shelves.tt b/koha-tmpl/opac-tmpl/bootstrap/en/modules/opac-shelves.tt

index e4dde34..17e0924 100644 (file)
--- a/koha-tmpl/opac-tmpl/bootstrap/en/modules/opac-shelves.tt
+++ b/koha-tmpl/opac-tmpl/bootstrap/en/modules/opac-shelves.tt
@@ -178,7 +178,7 @@
                                         <form method="get" action="/cgi-bin/koha/opac-shelves.pl" class="form-inline">
                                             <input type="hidden" name="op" value="edit_form" />
                                             <input type="hidden" name="referer" value="view" />
-                                            <input type='hidden' name='category' value='[% category %]' />
+                                            <input type='hidden' name='category' value='[% category | html %]' />
                                             <input type="hidden" name="shelfnumber" value="[% shelf.shelfnumber | html %]" />
                                             <input type="submit" class="editshelf" value="Edit list" />
                                         </form>
@@ -186,7 +186,7 @@
                                         <form method="post" action="/cgi-bin/koha/opac-shelves.pl" class="form-inline">
                                             <input type="hidden" name="op" value="delete" />
                                             <input type="hidden" name="referer" value="list" />
-                                            <input type='hidden' name='category' value='[% category %]' />
+                                            <input type='hidden' name='category' value='[% category | html %]' />
                                             <input type="hidden" name="shelfnumber" value="[% shelf.shelfnumber | html %]" />
                                             <input type="submit" class="deleteshelf" value="Delete list" onclick="return confirmDelete(MSG_CONFIRM_DELETE_LIST);"/>
                                         </form>
@@ -197,7 +197,7 @@
                                         <form action="/cgi-bin/koha/opac-shelves.pl" method="post" class="form-inline">
                                             <input type="hidden" name="op" value="remove_share" />
                                             <input type="hidden" name="referer" value="list" />
-                                            <input type='hidden' name='category' value='[% category %]' />
+                                            <input type='hidden' name='category' value='[% category | html %]' />
                                             <input type="hidden" name="shelfnumber" value="[% shelf.shelfnumber | html %]" />
                                             <input type="submit" class="deleteshelf" onclick="return confirmDelete(MSG_CONFIRM_REMOVE_SHARE);" value="Remove share" />
                                         </form>
@@ -701,7 +701,7 @@
                                                         <form action="/cgi-bin/koha/opac-shelves.pl" method="post" class="form-inline">
                                                             <input type="hidden" name="op" value="delete" />
                                                             <input type="hidden" name="referer" value="list" />
-                                                            <input type='hidden' name='category' value='[% category %]' />
+                                                            <input type='hidden' name='category' value='[% category | html %]' />
                                                             <input type="hidden" name="shelfnumber" value="[% s.shelfnumber | html %]" />
                                                             <input type="submit" class="deleteshelf" onclick="return confirmDelete(MSG_CONFIRM_DELETE_LIST);" value="Delete" />
                                                         </form>
@@ -713,7 +713,7 @@
                                                         <form action="opac-shelves.pl" method="post" class="form-inline">
                                                             <input type="hidden" name="op" value="remove_share" />
                                                             <input type="hidden" name="referer" value="list" />
-                                                            <input type='hidden' name='category' value='[% category %]' />
+                                                            <input type='hidden' name='category' value='[% category | html %]' />
                                                             <input type="hidden" name="shelfnumber" value="[% s.shelfnumber | html %]" />
                                                             <input type="submit" class="deleteshelf" onclick="return confirmDelete(MSG_CONFIRM_REMOVE_SHARE);" value="Remove share" />
                                                         </form>
author	Jonathan Druart <jonathan.druart@bugs.koha-community.org>
	Mon, 18 Sep 2017 17:53:41 +0000 (14:53 -0300)
committer	Katrin Fischer <katrin.fischer.83@web.de>
	Sun, 22 Oct 2017 21:57:57 +0000 (21:57 +0000)