Test plan:
1) do not apply this patch
2) Have at least one vendor which name does contain javascript, for
example: <i>Vendor 1</i><script>alert('Hi');</script>
3) go to serial module and create new subscription
4) use "Search for vendor"
5) Search for your vendor, when search results table is presented, the
javascript is executed
6) go through subscription creation and save the new subscription
7) On subscription detail page, the javascript is executed as well
8) apply this patch
9) Repeat 3-7, the script is not executed, the input is escaped
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Fridolin Somers <fridolin.somers@biblibre.com>
(cherry picked from commit
8a20bfe5ea8930bc331ad3c6f5f268ee13f8d8a0)
Signed-off-by: Chris Cormack <chrisc@catalyst.net.nz>
</tr>
[% FOREACH loop_supplier IN loop_suppliers %]
<tr>
- <td>[% loop_supplier.name %]</td>
- <td><a class="btn btn-mini select_vendor" href="#" data-vendorid="[% loop_supplier.aqbooksellerid %]" data-vendorname="[% loop_supplier.name |html%]">Choose</a></td>
+ <td>[% loop_supplier.name |html %]</td>
+ <td><a class="btn btn-default btn-xs select_vendor" href="#" data-vendorid="[% loop_supplier.aqbooksellerid %]" data-vendorname="[% loop_supplier.name |html%]">Choose</a></td>
</tr>
[% END %]
</table>
<ol>
<li><span class="label">Subscription ID: </span>[% subscriptionid %]</li>
<li><span class="label">Librarian identity:</span> [% librarian %]</li>
- <li><span class="label">Vendor:</span> <a href="/cgi-bin/koha/acqui/supplier.pl?booksellerid=[% aqbooksellerid %]">[% aqbooksellername %]</a></li>
+ <li><span class="label">Vendor:</span> <a href="/cgi-bin/koha/acqui/supplier.pl?booksellerid=[% aqbooksellerid %]">[% aqbooksellername |html %]</a></li>
<li><span class="label">Biblio:</span> <a href="/cgi-bin/koha/catalogue/[% default_bib_view %].pl?biblionumber=[% bibnum %]">[% bibliotitle %]</a> <i>([% bibnum %])</i></li>
[% IF ( OPACBaseURL ) %]
<li>
projects / koha.git / commitdiff