This release is a security release that fixes cross-site scripting (XSS) vulnerabilities in the Evergreen public catalog. This release also includes several other bugfixes improving on Evergreen 3.0.5.
This release fixes several cross-site scripting (XSS) vulnerabilities
in the public catalog. When upgrading, Evergreen administrators should
review whether any of the following templates have been customized
or overridden. If so, either the template should be replaced with the
stock version or the XSS fix (which entails adding the | html
filter
in several places) applied to the customized version.
Open-ILS/src/templates/opac/parts/record/contents.tt2
Open-ILS/src/templates/opac/parts/record/copy_counts.tt2
Open-ILS/src/templates/opac/parts/record/issues-mfhd.tt2
Note that exploiting the XSS vulnerabilities fixed in this release would require either the ability to create maliciously-constructed MARC bibliographic or holdings records or the ability to set a maliciously constructed organizational unit name.