[Koha-patches] [PATCH] Bug 6632 [Signed Off] add html filter to prevent XSS
Liz Rea
lrea at nekls.org
Wed Jul 27 21:04:11 CEST 2011
From: Frère Sébastien Marie <semarie-koha at latrappe.fr>
The 'html' filter has been added on all occurrences of shelfname, which comes from user input.
http://bugs.koha-community.org/show_bug.cgi?id=6632
Signed-off-by: Liz Rea <lrea at nekls.org>
---
.../prog/en/modules/virtualshelves/shelves.tt | 12 ++++++------
1 files changed, 6 insertions(+), 6 deletions(-)
diff --git a/koha-tmpl/intranet-tmpl/prog/en/modules/virtualshelves/shelves.tt b/koha-tmpl/intranet-tmpl/prog/en/modules/virtualshelves/shelves.tt
index 103757c..3e2b3d9 100644
--- a/koha-tmpl/intranet-tmpl/prog/en/modules/virtualshelves/shelves.tt
+++ b/koha-tmpl/intranet-tmpl/prog/en/modules/virtualshelves/shelves.tt
@@ -1,5 +1,5 @@
[% INCLUDE 'doc-head-open.inc' %]
-<title>Koha › [% IF ( viewshelf ) %]Lists › Contents of [% shelfname %][% ELSE %]Lists[% END %][% IF ( shelves ) %] › Create New List[% END %][% IF ( edit ) %] › Edit List [% shelfname %][% END %]</title>
+<title>Koha › [% IF ( viewshelf ) %]Lists › Contents of [% shelfname | html %][% ELSE %]Lists[% END %][% IF ( shelves ) %] › Create New List[% END %][% IF ( edit ) %] › Edit List [% shelfname | html %][% END %]</title>
[% INCLUDE 'doc-head-close.inc' %]
<script type="text/javascript" src="[% themelang %]/lib/jquery/plugins/jquery.checkboxes.min.js"></script>
<script type="text/javascript">
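Review bot: The commit message says the filter was added on all occurrences of shelfname, but the diffstat covers only the intranet shelves.tt, so any other template that renders shelfname (the OPAC list pages, for instance) is unchanged by this patch and should be checked before sign-off. Within this hunk the two `<title>` occurrences are correctly filtered: `<title>` content is parsed as RCDATA, so an unescaped `</title>` inside a list name would end the element and the remainder of the name would be parsed as markup.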
@@ -116,7 +116,7 @@ function placeHold () {
[% INCLUDE 'cat-search.inc' %]
<div id="breadcrumbs"><a href="/cgi-bin/koha/mainpage.pl">Home</a> › <a href="/cgi-bin/koha/virtualshelves/shelves.pl">Lists</a>
-[% IF ( viewshelf ) %]› Contents of <i>[% shelfname %]</i>[% END %][% IF ( shelves ) %] › Create New List[% END %][% IF ( edit ) %] › Edit List <i>[% shelfname %]</i>[% END %]</div>
+[% IF ( viewshelf ) %]› Contents of <i>[% shelfname | html %]</i>[% END %][% IF ( shelves ) %] › Create New List[% END %][% IF ( edit ) %] › Edit List <i>[% shelfname | html %]</i>[% END %]</div>
<div id="doc" class="yui-t7">
<div id="bd">
@@ -159,7 +159,7 @@ function placeHold () {
<input type="hidden" name="viewshelf" value="[% shelfnumber %]" />
<input type="hidden" name="modifyshelfcontents" value="1" />
<fieldset>
- <legend>Contents of <i>[% shelfname %]</i></legend>
+ <legend>Contents of <i>[% shelfname | html %]</i></legend>
[% IF ( manageshelf ) %]
<p><span class="checkall"></span> |
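Review bot: `shelfnumber` on the hidden input just above the changed legend is still interpolated raw (`value="[% shelfnumber %]"`). If it is guaranteed to be an integer that is harmless, but nothing in the template enforces that, so `[% shelfnumber | html %]` keeps the hardening consistent at no cost.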
@@ -226,7 +226,7 @@ function placeHold () {
<div class="yui-g">
<form action="/cgi-bin/koha/virtualshelves/shelves.pl" method="post">
<fieldset class="brief">
- <legend>Add an item to <i>[% shelfname %]</i></legend>
+ <legend>Add an item to <i>[% shelfname | html %]</i></legend>
<ol>
<li>
<label for="addbarcode">Barcode:</label>
@@ -242,7 +242,7 @@ function placeHold () {
[% END %]<!-- /manageshelf -->
[% IF ( debug ) %]
- [% IF ( edit ) %]<div>Edit is on ([% shelfname %])</div>[% END %]
+ [% IF ( edit ) %]<div>Edit is on ([% shelfname | html %])</div>[% END %]
[% IF ( seflag ) %]<div>seflag is on ([% seflag %])</div>[% END %]
[% END %]
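Review bot: `seflag` on the debug line directly after the changed one is still unfiltered (`[% seflag %]`) while `shelfname` beside it now is. The block is only emitted when `debug` is set, but the same `| html` should be applied so a debug build does not reintroduce the issue.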
@@ -276,7 +276,7 @@ function placeHold () {
<input type="hidden" name="op" value="modifsave" />
[% IF ( showprivateshelves ) %]<input type="hidden" name="display" value="privateshelves" />[% END %]
<input type="hidden" name="shelfnumber" value="[% shelfnumber %]" />
- <legend>Edit List <i>[% shelfname %]</i></legend>
+ <legend>Edit List <i>[% shelfname | html %]</i></legend>
<ol>
<li><label for="shelfname">Name: </label><input type="text" id="shelfname" name="shelfname" size="25" value='[% shelfname |html %]' /></li>
<li><label for="owner">Owner: </label><input type="hidden" id="owner" name="owner" value="[% IF ( owner ) %][% ownername %][% ELSE %][% loggedinusername %][% END %]" />[% IF ( owner ) %][% ownername %][% ELSE %][% loggedinusername %][% END %]</li>
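Review bot: The unchanged 'Name:' input two lines below the edited legend wraps the filtered value in single quotes (`value='[% shelfname |html %]'`), and Template Toolkit's html filter escapes `&`, `<`, `>` and `"` but not the apostrophe, so a list name containing `'` can still close the attribute and append new ones; change the delimiters to `value="[% shelfname | html %]"` (which also normalises the `|html` spacing to the `| html` used by the new lines). The owner line after it renders `ownername` and `loggedinusername` unfiltered, both inside the hidden input's value and as page text, and `shelfnumber` above it is raw as well; none of these are constants and they should take the same filter.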
--
1.7.2.5
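The following is an added example, not part of this patch or of Koha's code, that exercises Template Toolkit's `html` filter against constructed list names in the same template shapes as shelves.tt. It assumes the Template module is installed; the two payload strings are made up for the demonstration.

```perl
#!/usr/bin/perl
# Added example (not Koha code): show what the 'html' filter does and does not
# escape, using template fragments shaped like those in shelves.tt.
use strict;
use warnings;
use Template;

my $tt = Template->new() or die Template->error();

# Render a template fragment with the given variables and return the HTML.
sub render {
    my ($tmpl, $vars) = @_;
    my $out = '';
    $tt->process(\$tmpl, $vars, \$out) or die $tt->error();
    return $out;
}

# Constructed payloads standing in for names a patron could save for a list.
my $tag_payload   = q{My list <script>alert(document.cookie)</script>};
my $quote_payload = q{x' onfocus='alert(1)};

# 1. Text context: the pre-patch <legend> (raw) next to the post-patch one.
print render(q{<legend>Contents of <i>[% shelfname %]</i></legend>},
             { shelfname => $tag_payload }), "\n";
print render(q{<legend>Contents of <i>[% shelfname | html %]</i></legend>},
             { shelfname => $tag_payload }), "\n";

# 2. Attribute context: the filter escapes &, <, > and double quotes only, so a
#    single-quoted attribute (as on the unchanged 'Name:' input) can still be
#    closed by an apostrophe; a double-quoted attribute contains the same value.
print render(q{<input type="text" name="shelfname" value='[% shelfname | html %]' />},
             { shelfname => $quote_payload }), "\n";
print render(q{<input type="text" name="shelfname" value="[% shelfname | html %]" />},
             { shelfname => $quote_payload }), "\n";
```

Run it with `perl` and compare the pairs: in the first pair the script tags survive in the raw rendering and come out as `&lt;script&gt;` in the filtered one; in the second pair the apostrophe payload breaks out of the single-quoted attribute and gains an `onfocus` handler, while the double-quoted attribute holds it as plain text. The filter is the right tool for text and double-quoted attribute contexts only; values placed inside JavaScript or URLs need context-appropriate encoding (Template Toolkit's `uri` filter for the latter).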