Bug 19051 - XSS Flaws in - Batch record deletion page

1. Hit /cgi-bin/koha/tools/batch_delete_records.pl
2. Enter <IFRAME SRC="javascript:alert('XSS');"></IFRAME> in the Record number list (one per line) text area.
3. Notice the iframe is executed.
4. Apply patch.
5. Reload page, and enter iframe again on Record number list (one per line) text area.
6. Notice it is no longer executed.
7. Fixes for both biblio and authority records.

Signed-off-by: Chris Cormack <chrisc@catalyst.net.nz>
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>

diff --git a/koha-tmpl/intranet-tmpl/prog/en/modules/tools/batch_delete_records.tt b/koha-tmpl/intranet-tmpl/prog/en/modules/tools/batch_delete_records.tt
index 58249ee..20777c8 100644 (file)
--- a/koha-tmpl/intranet-tmpl/prog/en/modules/tools/batch_delete_records.tt
+++ b/koha-tmpl/intranet-tmpl/prog/en/modules/tools/batch_delete_records.tt
@@ -104,9 +104,9 @@ $(document).ready(function() {
       <div class="dialog error" style="margin:auto;">
     [% END %]
     [% IF message.code == 'biblio_not_exists' %]
-      The biblionumber [% message.biblionumber %] does not exist in the database.
+      The biblionumber [% message.biblionumber |html %] does not exist in the database.
     [% ELSIF message.code == 'authority_not_exists' %]
-      The authority id [% message.authid %] does not exist in the database.
+      The authority id [% message.authid |html %] does not exist in the database.
     [% ELSIF message.code == 'item_issued' %]
       At least one item is checked out on bibliographic record [% message.biblionumber %].
     [% ELSIF message.code == 'reserve_not_cancelled' %]