[koha-commits] main Koha release repository branch 3.18.x updated. v3.18.00-11-g70d28ef
Git repo owner
gitmaster at git.koha-community.org
Wed Dec 10 01:08:10 CET 2014
This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "main Koha release repository".
The branch, 3.18.x has been updated
via 70d28ef1b2cf01f75aa37ea8ba024462c87abde6 (commit)
from b28f439a582a5eafbdfb32b2890d6b069ec2df7c (commit)
Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.
- Log -----------------------------------------------------------------
commit 70d28ef1b2cf01f75aa37ea8ba024462c87abde6
Author: Chris Cormack <chrisc at catalyst.net.nz>
Date: Wed Dec 10 12:47:30 2014 +1300
Bug 13425 - XSS in opac facets - Patch for master and 3.18
To Test
1/ Craft a url like /cgi-bin/koha/opac-search.pl?q=123&sort_by='"><script>prompt('Happy_Holidays')</script>&limit=123
It is important it must return results and facets
2/ Notice the js is executed
3/ Apply the patch test again
Signed-off-by: Mirko Tietgen <mirko at abunchofthings.net>
Popup is gone after applying the patch. Facet link still shows it but does not execute. It's gone after clicking the link.
Signed-off-by: Brendan Gallagher <brendan at bywatersolutions.com>
Signed-off-by: Chris Cormack <chrisc at catalyst.net.nz>
-----------------------------------------------------------------------
Summary of changes:
koha-tmpl/opac-tmpl/bootstrap/en/includes/opac-facets.inc | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
hooks/post-receive
--
main Koha release repository
More information about the koha-commits
mailing list