[koha-commits] main Koha release repository branch 3.18.x updated. v3.18.00-11-g70d28ef

Git repo owner gitmaster at git.koha-community.org
Wed Dec 10 01:08:10 CET 2014


This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "main Koha release repository".

The branch, 3.18.x has been updated
       via  70d28ef1b2cf01f75aa37ea8ba024462c87abde6 (commit)
      from  b28f439a582a5eafbdfb32b2890d6b069ec2df7c (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
commit 70d28ef1b2cf01f75aa37ea8ba024462c87abde6
Author: Chris Cormack <chrisc at catalyst.net.nz>
Date:   Wed Dec 10 12:47:30 2014 +1300

    Bug 13425 - XSS in opac facets - Patch for master and 3.18
    
    To Test
    1/ Craft a url like /cgi-bin/koha/opac-search.pl?q=123&sort_by='"><script>prompt('Happy_Holidays')</script>&limit=123
    
    It is important that it returns results and facets
    
    2/ Notice the js is executed
    3/ Apply the patch, test again
    
    Signed-off-by: Mirko Tietgen <mirko at abunchofthings.net>
    Popup is gone after applying the patch. Facet link still shows it but does not execute. It's gone after clicking the link.
    Signed-off-by: Brendan Gallagher <brendan at bywatersolutions.com>
    Signed-off-by: Chris Cormack <chrisc at catalyst.net.nz>

-----------------------------------------------------------------------

Summary of changes:
 koha-tmpl/opac-tmpl/bootstrap/en/includes/opac-facets.inc |    4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
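
The following is an added example, not Koha code and not the patch to
opac-facets.inc (Koha's templates are Template Toolkit; the changed lines
are not shown in this mail). It reproduces the class of bug the test plan
describes: a query parameter (sort_by) echoed raw into a facet link's href,
so the payload from step 1 closes the attribute and the <a> tag and the
browser executes what follows. Beside it is a hardened builder that encodes
for the URL and then for the HTML attribute, and a parser-based check that
stands in for "notice the js is executed". The facet name/value and the
function names are assumptions made for the example.

```python
# Added example, not Koha code: reflected XSS via an unescaped query
# parameter in a facet link (the pattern behind Bug 13425), beside a
# hardened builder and a check for whether injected markup becomes a tag.
import re
from html import escape, unescape
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlencode, urlparse

# Payload from the commit's test step, reproduced verbatim.
PAYLOAD = "'\"><script>prompt('Happy_Holidays')</script>"

# Constructed sample facet (not Koha data); "itype" is an assumed facet name.
SAMPLE_FACET = ("itype", "BK")
SEARCH_URL = "/cgi-bin/koha/opac-search.pl"


def facet_link_vulnerable(q, sort_by, limit, facet):
    """'Before' behaviour: request parameters interpolated straight into href.

    A value containing '"> closes the attribute and the <a> tag, so
    everything after it is parsed as markup, not as part of the link.
    """
    name, value = facet
    return (f'<a href="{SEARCH_URL}?q={q}&amp;sort_by={sort_by}'
            f'&amp;limit={limit}&amp;limit={name}:{value}">{value}</a>')


def facet_link_hardened(q, sort_by, limit, facet):
    """Hardened builder: encode for the URL first, then for the attribute.

    urlencode percent-encodes quotes, angle brackets and parentheses so the
    value cannot break out of the query string; escape(..., quote=True) then
    makes the whole href safe inside a double-quoted attribute (it also turns
    & into &amp;, which the browser decodes before following the link).
    """
    name, value = facet
    query = urlencode([("q", q), ("sort_by", sort_by),
                       ("limit", limit), ("limit", f"{name}:{value}")])
    href = escape(f"{SEARCH_URL}?{query}", quote=True)
    return f'<a href="{href}">{escape(value, quote=True)}</a>'


class _StartTags(HTMLParser):
    """Collects start tags the way a browser's tokenizer would see them."""

    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)


def script_tag_count(fragment):
    """Number of <script> start tags an HTML parser finds in the fragment.

    Non-zero means the payload escaped the attribute: that is the
    "notice the js is executed" step of the test plan.
    """
    parser = _StartTags()
    parser.feed(fragment)
    parser.close()
    return parser.tags.count("script")


def recover_sort_by(fragment):
    """Read the link back as a browser would and return the sort_by value.

    The hardened link round-trips the original payload as data (it still
    shows in the link but does not execute); in the vulnerable link the
    attribute ends at the injected quote, so only the apostrophe survives.
    """
    href = re.search(r'href="([^"]*)"', fragment).group(1)
    params = parse_qs(urlparse(unescape(href)).query)
    return params.get("sort_by", [""])[0]


if __name__ == "__main__":
    for builder in (facet_link_vulnerable, facet_link_hardened):
        link = builder("123", PAYLOAD, "123", SAMPLE_FACET)
        print(builder.__name__, "script tags:", script_tag_count(link),
              "sort_by round-trip:", repr(recover_sort_by(link)))
```

Running the module prints one line per builder: the vulnerable link yields
one <script> start tag and a truncated sort_by, the hardened link yields no
script tag and returns the full payload as an ordinary parameter value. The
two-stage encoding (URL, then HTML attribute) is the point: either stage on
its own leaves one of the two contexts open to breakout.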


hooks/post-receive
-- 
main Koha release repository

