Bug 19086: Fix Stored XSS in subscription-detail.pl

Add script to the callnumber field on adding a subscription.

Verify script is executed without this patch, but not with it.

Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
This commit is contained in:
Katrin Fischer 2017-08-16 13:07:18 +02:00 committed by Jonathan Druart
parent 13e65432ce
commit 0bbe968fe5

@ -117,7 +117,7 @@ $(document).ready(function() {
<div class="rows">
<ol>
[% IF ( location ) %]<li><span class="label">Location:</span> [% location %]</li>[% END %]
[% IF ( callnumber ) %]<li><span class="label">Call number:</span> [% callnumber %]</li>[% END %]
[% IF ( callnumber ) %]<li><span class="label">Call number:</span> [% callnumber |html %]</li>[% END %]
[% IF ( staffdisplaycount ) %]<li><span class="label">Number of issues to display to staff:</span>[% staffdisplaycount %]</li>[% END %]
[% IF ( opacdisplaycount ) %]<li><span class="label">Number of issues to display in OPAC:</span>[% opacdisplaycount %]</li>[% END %]
[% IF ( letter ) %]
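Review bot: The `[% location %]` line just above the fixed one, and the `[% staffdisplaycount %]` and `[% opacdisplaycount %]` lines just below it, are still output without an `html` filter in the same list. If any of these values can carry free text from the subscription form, it has the same stored XSS exposure that `callnumber` had; suggest adding `| html` to each, or stating in the commit message why they are safe as they stand (for example, validated as integers or resolved from a fixed list before reaching the template). The test plan covers only the call number, so it would be worth repeating it for the other fields rendered in this block.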