[Koha-bugs] [Bug 24412] Attach waiting hold to desk

bugzilla-daemon at bugs.koha-community.org
Thu Nov 5 14:58:43 CET 2020


https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=24412

--- Comment #113 from Nicolas Legrand <nicolas.legrand at bulac.fr> ---
Created attachment 113116
  -->
https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=113116&action=edit
Bug 24412: (follow-up) prevent js injection

Some js variables are not properly escaped and can be executed if
containing javascript.

1. have some waiting reserve attached to a desk
2. change this desk name to: <script>alert("❤");</script>
3. go to user's checkout page (circulation.pl) and click on the
Hold(s) tab
4. you should see some popup with a ❤ in it.
5. apply patch and refresh page
6. now you should see the desk name printed properly in the page:
<script>alert("❤");</script>

More information about the Koha-bugs mailing list
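
The escaping behaviour that steps 4 and 6 of the test plan check, as an added example that is not part of the original message and not Koha's patch. The function names, the `desk_name` field and the cell text are assumptions made for illustration; the sample rows are constructed.

```javascript
// Added illustration: escapeHtml, renderWaitingAt* and desk_name are
// hypothetical names, not identifiers taken from Koha.

// Characters that are significant in HTML text or attribute context,
// mapped to entities so the browser displays them instead of parsing them.
const HTML_ENTITIES = {
  "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;",
};

function escapeHtml(value) {
  // A hold with no desk attached renders as an empty string.
  if (value === null || value === undefined) return "";
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ENTITIES[ch]);
}

// Before: the stored desk name is concatenated into markup as-is,
// so a name containing a <script> element becomes part of the page.
function renderWaitingAtUnsafe(hold) {
  return "<td>Item waiting at desk: " + hold.desk_name + "</td>";
}

// After: the same cell, with the value escaped at the point of output.
function renderWaitingAtEscaped(hold) {
  return "<td>Item waiting at desk: " + escapeHtml(hold.desk_name) + "</td>";
}

// Constructed sample rows, shaped like a JSON response feeding a holds table.
const sampleHolds = [
  { hold_id: 1, desk_name: "Front desk" },
  { hold_id: 2, desk_name: '<script>alert("❤");</script>' }, // name from step 2
  { hold_id: 3, desk_name: "R&D desk" },
  { hold_id: 4, desk_name: null },
];

function renderAll(renderer) {
  return sampleHolds.map(renderer);
}

console.log(renderAll(renderWaitingAtUnsafe).join("\n"));
console.log(renderAll(renderWaitingAtEscaped).join("\n"));
```

Escaping is applied where the value is written into markup rather than when the desk name is saved, so names already stored in the database are covered as well.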