Here is a branch in the security repo: user/sandbergja/lp2019157-reflected-xss-in-orgselect
Steps to test, from the commit message:
1. If you don't already have a library group, go to Admin > Server > Library Groups and make one that is Global.
2. In your browser, go to [your_domain]/eg/opac/home?locg='><script>alert('bad bad bad')</script>
3. Note that the site executes JavaScript code that is passed in via the URL.
4. Apply this patch
5. Repeat step 2.
6. Note that the arbitrary js does not get run anymore.
7. Confirm that library group searching still works as expected.
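One way to script steps 2, 3 and 6 instead of eyeballing the page. This is an added example, not Evergreen code and not part of the branch above: it builds the test URL from the commit message's steps and classifies an HTML body as reflecting the `locg` value raw, reflecting it only in HTML-escaped form, or not reflecting it at all. The org-selector markup in `sample_body` is constructed to match the shape the payload implies (the value landing inside a single-quoted attribute); it is not captured output from a real OPAC.

```python
"""Check whether /eg/opac/home reflects the `locg` parameter unescaped.

Added example for the lp2019157 test steps; not Evergreen code.
The sample bodies below are constructed, not captured from a server.
"""
import html
import re
import sys
import urllib.parse
import urllib.request

# Payload from step 2 of the test plan.
PAYLOAD = "'><script>alert('bad bad bad')</script>"

# Matches the script element from the payload only when it survives as live
# markup; the `(` is used so an escaped `'` inside alert() does not matter.
LIVE_SCRIPT = re.compile(r"<script>alert\(")


def build_test_url(base_url: str) -> str:
    """The URL from step 2, with the payload percent-encoded so that the
    browser or client does not mangle it in transit."""
    query = urllib.parse.urlencode({"locg": PAYLOAD})
    return f"{base_url.rstrip('/')}/eg/opac/home?{query}"


def classify_reflection(body: str) -> str:
    """Return 'vulnerable', 'escaped' or 'absent' for one HTML body.

    vulnerable: `<script>alert(` appears verbatim, so the injected script
                element is real markup and the browser will run it (step 3).
    escaped:    the payload is present only after entity decoding, i.e. the
                template wrote `&lt;script&gt;` and the browser shows text (step 6).
    absent:     the value is not reflected into the page at all (also safe).
    """
    if LIVE_SCRIPT.search(body):
        return "vulnerable"
    if PAYLOAD in html.unescape(body):
        return "escaped"
    return "absent"


def sample_body(escaped: bool) -> str:
    """Constructed org-selector fragment (assumption about the markup shape:
    the locg value is interpolated into a single-quoted attribute)."""
    value = html.escape(PAYLOAD, quote=True) if escaped else PAYLOAD
    return (
        "<select name='locg'>"
        f"<option value='{value}' selected>Global</option>"
        "</select>"
    )


def fetch_and_classify(base_url: str) -> str:
    """Live variant of the check: fetch the step-2 URL and classify the body."""
    with urllib.request.urlopen(build_test_url(base_url), timeout=15) as resp:
        body = resp.read().decode(resp.headers.get_content_charset() or "utf-8", "replace")
    return classify_reflection(body)


if __name__ == "__main__":
    if len(sys.argv) == 2:
        # Usage: python check_locg.py https://your_domain
        print(fetch_and_classify(sys.argv[1]))
    else:
        # Offline demonstration on the constructed before/after bodies.
        print("before patch:", classify_reflection(sample_body(escaped=False)))
        print("after patch: ", classify_reflection(sample_body(escaped=True)))
```

Two caveats when reading the result. The regex only looks for the script element from this report, so a template that escapes `<` and `>` but leaves `'` alone will be reported as `escaped` even though the `'>` still closes a single-quoted attribute and would admit an event-handler injection; when you verify the patch, confirm that quote characters are escaped too (or that the attribute is double-quoted and `"` is escaped). And `absent` only means this particular page did not echo the value; step 7's check that library-group searching still works is what guards against a fix that simply dropped the parameter.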