https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=14962
--- Comment #66 from Martin Renvoize (ashimema) <[email protected]> --- Created attachment 193741 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=193741&action=edit Bug 14962: (QA follow-up) Fix stored XSS in display_name rendering in item table display_name was concatenated directly into an HTML string via .format() with no escaping. A display name containing HTML/JS would execute as stored XSS for all staff viewing item details. Use jQuery DOM construction instead so display_name is treated as text, not markup. Sponsored-by: ByWater Solutions Signed-of-by: Martin Renvoize <[email protected]> -- You are receiving this mail because: You are watching all bug changes. _______________________________________________ Koha-bugs mailing list [email protected] https://lists.koha-community.org/cgi-bin/mailman/listinfo/koha-bugs website : http://www.koha-community.org/ git : http://git.koha-community.org/ bugs : http://bugs.koha-community.org/
