Some js variables are not properly escaped and can be executed if containing javascript.

1. have some waiting reserve attached to a desk
2. change this desk name to: <script>alert("❤");</script>
3. go to user's checkout page (circulation.pl) and click on the Hold(s) tab
4. you should see some popup with a ❤ in it.
5. apply patch and refresh page
6. now you should see the desk name printed properly in the page: <script>alert("❤");</script>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
if ( oObj.waiting_here ) {
data += __("Item is <strong>waiting here</strong>");
if (oObj.desk_name) {
- data += ", " + __("at %s").format(oObj.desk_name);
+ data += ", " + __("at %s").format(oObj.desk_name.escapeHtml());
}
} else {
data += __("Item is <strong>waiting</strong>");
data += " " + __("at %s").format(oObj.waiting_at);
if (oObj.desk_name) {
- data += ", " + __("at %s").format(oObj.desk_name);
+ data += ", " + __("at %s").format(oObj.desk_name.escapeHtml());
}
}
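Review bot: `oObj.waiting_at` on the unchanged line `data += " " + __("at %s").format(oObj.waiting_at);` is still interpolated without `.escapeHtml()`, while both `desk_name` branches now escape it; if `waiting_at` is free-text configured in the staff interface like the desk name, it should get the same treatment, otherwise a short comment saying why it is safe would help the next reader. The two `if (oObj.desk_name)` blocks are now identical, so hoisting a single `if (oObj.desk_name) { data += ", " + __("at %s").format(oObj.desk_name.escapeHtml()); }` below the `if/else` would keep the escaping in one place. Also worth confirming that the `String.prototype.escapeHtml` helper is loaded on circulation.pl before this datatable renders, since the patch relies on it existing.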