https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=14962 --- Comment #106 from Martin Renvoize (ashimema) <martin.renvoize@openfifth.co.uk> --- Created attachment 194307 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=194307&action=edit Bug 14962: (QA follow-up) Fix stored XSS in display_name rendering in item table display_name was concatenated directly into an HTML string via .format() with no escaping. A display name containing HTML/JS would execute as stored XSS for all staff viewing item details. Use jQuery DOM construction instead so display_name is treated as text, not markup. Sponsored-by: ByWater Solutions Signed-of-by: Martin Renvoize <martin.renvoize@openfifth.co.uk> -- You are receiving this mail because: You are watching all bug changes.