https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=38921
Bug ID: 38921
Summary: Remove unused href from Cancel hold link
Change sponsored?: ---
Product: Koha
Version: Main
Hardware: All
OS: All
Status: NEW
Severity: trivial
Priority: P5 - low
Component: Templates
Assignee: oleon...@myacpl.org
Reporter: p...@chetcolibrary.org
QA Contact: testo...@bugs.koha-community.org
Depends on: 34478

We use koha-tmpl/intranet-tmpl/prog/en/includes/holds_table.inc to display the list of existing holds in reserve/request.pl when you are placing a hold. The cancel button-links are JavaScript-only, showing a confirm modal and then POSTing a form from there, since the op is cud-cancel and has to be a POST.

But we left behind a pre-CSRF href attribute which is a double false-positive for me, since it has both op=cancel and uses the Template Toolkit html filter rather than the uri filter for things inserted in a URL parameter.

You can see that it doesn't do anything by right-clicking and opening it in a new tab - there's no op named cancel, so it just displays the existing holds and lets you add one, repeating the page you opened the link from, only with garbage after the request.pl? in your URL.

Referenced Bugs:

https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=34478
[Bug 34478] Full CSRF protection
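
An added example, not part of the bug report and not Koha code: a small Python audit that flags, inside `href` attributes, the two patterns the report describes (an `op` that changes state carried in a link, and a Template Toolkit directive in a URL parameter filtered with something other than `uri`). The sample template, the `MUTATING_OPS` list and the `example.pl` name are constructed for illustration.

```python
import re

# href="..." attribute values, Template Toolkit directives included.
HREF_RE = re.compile(r'href="([^"]*)"')
# A filtered TT directive, e.g. [% hold.reserve_id | html %]
TT_FILTERED_RE = re.compile(r'\[%-?\s*([^|%]+?)\s*\|\s*\$?(\w+)\s*-?%\]')
# op=<name> in a query string; ';' covers the tail of an '&amp;' separator.
OP_RE = re.compile(r'[?&;]op=([A-Za-z0-9_-]+)')
# Assumption: legacy op names treated as state-changing for this audit.
MUTATING_OPS = {"cancel", "delete", "add", "update"}

# Constructed sample, not the real holds_table.inc.
SAMPLE = """\
<a class="cancel-hold" href="request.pl?op=cancel&amp;biblionumber=[% hold.biblionumber | html %]&amp;reserve_id=[% hold.reserve_id | html %]">Cancel</a>
<a href="example.pl?biblionumber=[% hold.biblionumber | uri %]">Title</a>
<a class="cancel-hold" href="#" data-id="[% hold.reserve_id | html %]">Cancel</a>
"""

def audit_template(text):
    """Return (line, kind, detail) findings for href attributes in a template."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for href in HREF_RE.findall(line):
            _, sep, query = href.partition("?")
            if not sep:
                continue  # no query string, e.g. href="#"
            for op in OP_RE.findall("?" + query):
                if op.startswith("cud-"):
                    # cud- ops have to be POSTed, so a link cannot carry them.
                    findings.append((lineno, "cud-op-in-link", op))
                elif op in MUTATING_OPS:
                    findings.append((lineno, "mutating-op-in-link", op))
            for var, filt in TT_FILTERED_RE.findall(query):
                if filt != "uri":  # the report names uri as the filter for URL parameters
                    findings.append((lineno, "non-uri-filter-in-url", f"{var} | {filt}"))
    return findings

if __name__ == "__main__":
    for lineno, kind, detail in audit_template(SAMPLE):
        print(f"line {lineno}: {kind}: {detail}")
```

Each finding still needs manual triage: as the report shows, a flagged `href` can be dead markup whose real action is a JavaScript-driven POST.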