 |   | |
| HomePrev | Part II. Evergreen 3.3 Release Notes | Next |
|---|
Table of Contents
This release is a security release that fixes cross-site scripting (XSS) vulnerabilities in the Evergreen public catalog. This release also includes several other bugfixes improving on Evergreen 3.3.3.
This release fixes several cross-site scripting (XSS) vulnerabilities
in the public catalog. When upgrading, Evergreen administrators should
review whether any of the following templates have been customized
or overridden. If so, either the template should be replaced with the
stock version or the XSS fix (which entails adding the | html filter
in several places) applied to the customized version.
Open-ILS/src/templates/opac/browse.tt2
Open-ILS/src/templates/opac/parts/ebook_api/base_js.tt2
Open-ILS/src/templates/opac/parts/header.tt2
Open-ILS/src/templates/opac/parts/place_hold.tt2
Open-ILS/src/templates/opac/parts/place_hold_result.tt2
Open-ILS/src/templates/opac/parts/result/adv_filter.tt2
They should also review the following templates. If these templates have
been customized or overridden, either the template should be replaced with
the stock version or the XSS fix (which entails adding rel="nofollow to
external links) applied to the customized version.
Open-ILS/src/templates/opac/parts/record/summary.tt2
Open-ILS/src/templates/opac/parts/result/table.tt2
To report a problem with this documentation or provide feedback, please contact the DIG mailing list.
© 2008-2015 GPLS and others. The Evergreen Project is a member of the Software Freedom Conservancy.
