[Koha-bugs] [Bug 26592] XSS vulnerability when ysearch is used
bugzilla-daemon at bugs.koha-community.org
Thu Mar 18 15:05:29 CET 2021
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=26592
Didier Gautheron <didier.gautheron at biblibre.com> changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |didier.gautheron at biblibre.com
--- Comment #25 from Didier Gautheron <didier.gautheron at biblibre.com> ---
There's a fix in 20.05 git not in these patches which could be backported to
19.11:
commit f67bd64dee422f380824a5520e7a383e3888da97
--- a/koha-tmpl/intranet-tmpl/prog/en/includes/js_includes.inc
+++ b/koha-tmpl/intranet-tmpl/prog/en/includes/js_includes.inc
@@ -103,11 +103,11 @@
var cardnumber = "";
if( item.cardnumber != "" ){
// Display card number in parentheses if it exists
- cardnumber = " (" + ( item.cardnumber ?
item.surname.escapeHtml() : "" ) + ") ";
+ cardnumber = " (" + ( item.cardnumber ?
item.cardnumber.escapeHtml() : "" ) + ") ";
}
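Review bot: on the changed line, the inner ternary `item.cardnumber ? ... : ""` repeats the outer `if( item.cardnumber != "" )` test, and the two disagree for a missing value: when item.cardnumber is null or undefined the outer comparison is still true, the ternary yields "", and the label ends up with an empty " () ". Testing truthiness once in the outer condition, `if( item.cardnumber )`, and dropping the ternary would remove that case. The replacement keeps the value going through escapeHtml() before it is concatenated into the label, which is what matters for this XSS bug; a test with a card number containing markup characters would guard against a regression.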
i.e. use cardnumber, not surname, if there's a cardnumber.