To reproduce:
1/ cp your_image.jpg 'test<svg onload=alert(1)>.jpg'
2/ Use the upload picture tool to upload this file
=> Without this patch, the alert is show
=> With this patch, the filename is correctly displayed and no alert
Note that the cardnumber var was not escaped neither, it's now.
Signed-off-by: Colin Campbell <colin.campbell@ptfs-europe.com>
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
[% IF ( COUNT.TCOUNTS ) %]<li>[% COUNT.TCOUNTS %] image(s) moved into the database:</li>[% END %]
[% FOREACH filename IN COUNT.filenames %]
<tr>
- <td>[% filename.source %]</td>
- <td><a href="/cgi-bin/koha/circ/circulation.pl?findborrower=[% filename.cardnumber %]">[% filename.cardnumber %]</a></td>
+ <td>[% filename.source | html %]</td>
+ <td><a href="/cgi-bin/koha/circ/circulation.pl?findborrower=[% filename.cardnumber | url %]">[% filename.cardnumber | html %]</a></td>
<td>
[% IF ( filename.filerrors ) %]
[% FOREACH filerror IN filename.filerrors %]