From 950fc8e101886821879066b33e389a47fb0a9782 Mon Sep 17 00:00:00 2001
From: Kyle M Hall
Date: Thu, 14 Sep 2017 11:52:08 -0400
Subject: [PATCH] Bug 19319: Reflected XSS Vulnerability in opac-MARCdetail.pl

Try going to this URL on your site: /cgi-bin/koha/opac-MARCdetail.pl?biblionumber=2">

Test Plan:
1) Go to /cgi-bin/koha/opac-MARCdetail.pl?biblionumber=2">
2) Note is embedded all over the html
3) Apply this patch
4) Refresh the page, note the injection is gone!
5) run koha qa test tools

Signed-off-by: Mark Tompsett
Signed-off-by: Marcel de Rooy
Signed-off-by: Jonathan Druart
Signed-off-by: Jonathan Druart
---
 .../en/includes/opac-detail-sidebar.inc | 14 ++++----
 .../bootstrap/en/modules/opac-ISBDdetail.tt | 2 +-
 .../bootstrap/en/modules/opac-MARCdetail.tt | 12 +++---
 .../bootstrap/en/modules/opac-detail.tt | 34 +++++++++----------
 opac/opac-ISBDdetail.pl | 6 ++--
 opac/opac-MARCdetail.pl | 2 +-
 opac/opac-detail.pl | 4 +--
 7 files changed, 38 insertions(+), 36 deletions(-)

diff --git a/koha-tmpl/opac-tmpl/bootstrap/en/includes/opac-detail-sidebar.inc b/koha-tmpl/opac-tmpl/bootstrap/en/includes/opac-detail-sidebar.inc
index 5e96b0f6bf..7ceaa9590e 100644
--- a/koha-tmpl/opac-tmpl/bootstrap/en/includes/opac-detail-sidebar.inc
+++ b/koha-tmpl/opac-tmpl/bootstrap/en/includes/opac-detail-sidebar.inc
@@ -4,7 +4,7 @@
 [% IF Koha.Preference( 'opacuserlogin' ) == 1 %]
 [% IF Koha.Preference( 'RequestOnOpac' ) == 1 %]
 [% IF ( AllowOnShelfHolds OR ItemsIssued ) %]
-
  • Place hold
  • +
  • Place hold
  • [% END %] [% END %] [% END %] @@ -14,21 +14,21 @@ [% IF Koha.Preference( 'opacuserlogin' ) == 1 %] [% IF Koha.Preference('ArticleRequests') %] -
  • Request article
  • +
  • Request article
  • [% END %] [% END %] [% IF Koha.Preference( 'virtualshelves' ) == 1 %] [% IF ( ( Koha.Preference( 'opacuserlogin' ) == 1 ) && loggedinusername ) %] -
  • Save to your lists
  • +
  • Save to your lists
  • [% END %] [% END %] [% IF Koha.Preference( 'opacbookbag' ) == 1 %] [% IF ( incart ) %] -
  • In your cart (remove)
  • +
  • In your cart (remove)
  • [% ELSE %] -
  • Add to your cart
  • +
  • Add to your cart
  • [% END %] [% END %] @@ -51,7 +51,7 @@
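Review bot: Which escaping filter the new `href` values on the Place hold, Request article, Save to your lists and cart links actually apply cannot be confirmed from this rendering, because the markup of the changed lines has been stripped; a `biblionumber` embedded in a query string should go through the Template Toolkit `uri` filter (`[% biblionumber | uri %]`), which percent-encodes the `"` used in the commit message's proof of concept and so closes the attribute breakout, whereas `| html` would stop this particular injection but leaves characters such as `#` able to alter the URL. Output escaping alone still lets a non-numeric `biblionumber` flow into the three controllers the diffstat lists, so a defence-in-depth check where the parameter is read, e.g. `my $biblionumber = $query->param('biblionumber'); $biblionumber = ( defined $biblionumber && $biblionumber =~ /^\d+$/ ) ? $biblionumber : undef;`, with the undef case handled like an unknown record, keeps junk out of the biblio lookup and every template that echoes the value. The other `[% biblionumber %]` uses the commit touches in opac-detail.tt, opac-MARCdetail.tt and opac-ISBDdetail.tt are outside this hunk and should be audited for the same filter choice.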
  • Dublin Core
  • [% ELSE %]
  • - + [% SWITCH option %] [% CASE 'bibtex' %]BIBTEX [% CASE 'endnote' %]EndNote @@ -107,7 +107,7 @@
    - +