[koha-commits] main Koha release repository branch 16.11.x updated. v16.11.15-7-ga90197e

Git repo owner gitmaster at git.koha-community.org
Thu Feb 22 20:10:04 CET 2018


This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "main Koha release repository".

The branch, 16.11.x has been updated
       via  a90197ebbb6f946ea4caefd7917fb4ff3ecefaa2 (commit)
       via  9ae84a513072b742013c391f2e3622c7c3e627f9 (commit)
      from  04ced01839f6792fdab1bca5a6327e524ca863ea (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
commit a90197ebbb6f946ea4caefd7917fb4ff3ecefaa2
Author: Jonathan Druart <jonathan.druart at bugs.koha-community.org>
Date:   Wed Nov 29 15:24:40 2017 -0300

    Bug 19560: Correctly escape branchcode in admin/branches.pl
    
    Signed-off-by: Owen Leonard <oleonard at myacpl.org>
    
    Signed-off-by: Josef Moravec <josef.moravec at gmail.com>
    
    Signed-off-by: Jonathan Druart <jonathan.druart at bugs.koha-community.org>
    
    Signed-off-by: Nick Clemens <nick at bywatersolutions.com>
    (cherry picked from commit d9735ae0d8aff9ca405674df3d2b03183e0883b6)
    Signed-off-by: Fridolin Somers <fridolin.somers at biblibre.com>
    (cherry picked from commit a69b874ee64737c7bbd59aa739e981b3fe61a944)
    Signed-off-by: Chris Cormack <chrisc at catalyst.net.nz>

commit 9ae84a513072b742013c391f2e3622c7c3e627f9
Author: Josef Moravec <josef.moravec at gmail.com>
Date:   Sun Dec 3 22:21:57 2017 +0000

    Bug 19738: Fix XSS on vendor name in serials module
    
    Test plan:
    
    1) do not apply this patch
    2) Have at least one vendor whose name contains JavaScript, for
    example: <i>Vendor 1</i><script>alert('Hi');</script>
    3) go to serial module and create new subscription
    4) use "Search for vendor"
    5) Search for your vendor; when the search results table is presented, the
    JavaScript is executed
    6) go through subscription creation and save the new subscription
    7) On subscription detail page, the javascript is executed as well
    8) apply this patch
    9) Repeat 3-7, the script is not executed, the input is escaped
    
    Signed-off-by: Katrin Fischer <katrin.fischer.83 at web.de>
    
    Signed-off-by: Marcel de Rooy <m.de.rooy at rijksmuseum.nl>
    Signed-off-by: Fridolin Somers <fridolin.somers at biblibre.com>
    (cherry picked from commit 8a20bfe5ea8930bc331ad3c6f5f268ee13f8d8a0)
    Signed-off-by: Chris Cormack <chrisc at catalyst.net.nz>

-----------------------------------------------------------------------

Summary of changes:
 .../prog/en/modules/admin/branches.tt              |   20 ++++++++++----------
 .../prog/en/modules/serials/acqui-search-result.tt |    4 ++--
 .../prog/en/modules/serials/subscription-detail.tt |    2 +-
 3 files changed, 13 insertions(+), 13 deletions(-)


hooks/post-receive
-- 
main Koha release repository
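
The before/after behaviour from the Bug 19738 test plan, reproduced at template level as an added example (not code from the Koha patch, whose diff is not included in this email). It assumes the fix applies Template Toolkit's html filter to the vendor name; the variable name vendor_name and both one-line templates are hypothetical.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Template;

# Vendor name taken from step 2 of the test plan above.
my $vendor_name = q{<i>Vendor 1</i><script>alert('Hi');</script>};

# Hypothetical one-line templates standing in for a results-table cell:
# the first prints the value as-is, the second passes it through the
# Template Toolkit "html" filter.
my %templates = (
    unescaped => '<td>[% vendor_name %]</td>',
    escaped   => '<td>[% vendor_name | html %]</td>',
);

my $tt = Template->new() or die Template->error();

# Render one template with the vendor name and return the resulting HTML.
sub render {
    my ($template) = @_;
    my $output = '';
    $tt->process( \$template, { vendor_name => $vendor_name }, \$output )
        or die $tt->error();
    return $output;
}

# A rendered cell is unsafe if the stored value survives as live markup.
sub has_live_markup {
    my ($html) = @_;
    return $html =~ m{<script\b|<i>}i ? 1 : 0;
}

for my $label ( sort keys %templates ) {
    my $html    = render( $templates{$label} );
    my $verdict = has_live_markup($html)
        ? 'FAIL: stored markup reaches the page as HTML'
        : 'ok: stored markup is rendered as text';
    print "$label: $verdict\n    $html\n";
}
```

The html filter is only correct for values placed in HTML element content or quoted attributes. A value interpolated into a URL or a script block needs the escaping for that context instead.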

