Bug 19128: Fix Stored XSS in patron-attr-types.pl, authorised_values.pl and categories.pl

Preparation:
- Add a branch with script in the branch name
- Add a patron category with script in the category name
- Add a new authorised value cateogory with script
- Add a new authroised value for this category with script
  in all possible fields

- Test editing patron categories
- Test editing patron attribute types
- Test viewing and editing authorised values

Verify that with this script there is no more script executed
and everything works fine.

Signed-off-by: Amit Gupta <amit.gupta@informaticsglobal.com>

Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>

koha-tmpl/intranet-tmpl/prog/en/modules/admin/authorised_values.tt

@@ -109,9 +109,9 @@ $(document).ready(function() {
                 <option value="">All libraries</option>
                 [% FOREACH branch IN branches_loop %]
                   [% IF ( branch.selected ) %]
-                    <option selected="selected" value="[% branch.branchcode %]">[% branch.branchname %]</option>
+                    <option selected="selected" value="[% branch.branchcode %]">[% branch.branchname |html %]</option>
                   [% ELSE %]
-                    <option value="[% branch.branchcode %]">[% branch.branchname %]</option>
+                    <option value="[% branch.branchcode %]">[% branch.branchname |html %]</option>
                   [% END %]
                 [% END %]
             </select>
@@ -164,7 +164,7 @@ $(document).ready(function() {
 [% IF op == 'list' %]
 
 <div id="toolbar" class="btn-toolbar">
-    <a id="addauth" class="btn btn-default btn-sm" href= "/cgi-bin/koha/admin/authorised_values.pl?op=add_form&amp;category=[% category %]"><i class="fa fa-plus"> </i> New authorized value for [% category %]</a>
+    <a id="addauth" class="btn btn-default btn-sm" href= "/cgi-bin/koha/admin/authorised_values.pl?op=add_form&amp;category=[% category %]"><i class="fa fa-plus"> </i> New authorized value for [% category |html %]</a>
     <a id="addcat" class="btn btn-default btn-sm" href= "/cgi-bin/koha/admin/authorised_values.pl?op=add_form"><i class="fa fa-plus"> </i> New category</a>
 </div>
 
@@ -207,9 +207,9 @@ $(document).ready(function() {
   <select name="searchfield" id="searchfield" size="1">
   [% FOR c IN categories %]
     [% IF c == searchfield %]
-      <option value="[% c %]" selected="selected">[% c %]</option>
+      <option value="[% c %]" selected="selected">[% c |html %]</option>
     [% ELSE %]
-      <option value="[% c %]">[% c %]</option>
+      <option value="[% c %]">[% c |html %]</option>
     [% END %]
   [% END %]
   <input type="submit" value="Submit" />
@@ -250,7 +250,7 @@ $(document).ready(function() {
  [% IF ( category == 'NOT_LOAN' ) %]
     <p>Statuses to describe why an item is not for loan</p>
  [% END %]
-<h3>Authorized values for category [% category %]:</h3>
+<h3>Authorized values for category [% category |html %]:</h3>
 
 [% IF ( loop ) %]<div id="pagertable_authorized_values">
 </div>[% END %]
@@ -272,8 +272,8 @@ $(document).ready(function() {
 <tr>
 [% END %]
 	<td>[% loo.authorised_value %]</td>
-	<td>[% loo.lib %]</td>
-	<td>[% loo.lib_opac %]</td>
+    <td>[% loo.lib |html %]</td>
+    <td>[% loo.lib_opac |html %]</td>
 	<td>[% IF ( loo.imageurl ) %]<img src="[% loo.imageurl %]" alt=""/>[% ELSE %]&nbsp;[% END %]</td>
     <td>
         [% IF loo.branches.size > 0 %]
@@ -296,7 +296,7 @@ $(document).ready(function() {
 </tr>
 [% END %]
 </tbody></table>[% ELSE %]
-<div class="dialog message">There are no authorized values defined for [% category %]</div>
+<div class="dialog message">There are no authorized values defined for [% category |html %]</div>
 [% END %]
 
 [% IF ( isprevpage ) %]

koha-tmpl/intranet-tmpl/prog/en/modules/admin/categories.tt

@@ -160,9 +160,9 @@
                         <option value="">All branches</option>
                         [% FOREACH branch IN branches_loop %]
                           [% IF branch.selected %]
-                            <option selected="selected" value="[% branch.branchcode %]">[% branch.branchname %]</option>
+                            <option selected="selected" value="[% branch.branchcode %]">[% branch.branchname |html %]</option>
                           [% ELSE %]
-                            <option value="[% branch.branchcode %]">[% branch.branchname %]</option>
+                            <option value="[% branch.branchcode %]">[% branch.branchname |html %]</option>
                           [% END %]
                         [% END %]
                     </select>

koha-tmpl/intranet-tmpl/prog/en/modules/admin/patron-attr-types.tt

@@ -170,9 +170,9 @@ $(document).ready(function() {
                 <option value="">All branches</option>
                 [% FOREACH branch IN branches_loop %]
                   [% IF ( branch.selected ) %]
-                    <option selected="selected" value="[% branch.branchcode %]">[% branch.branchname %]</option>
+                    <option selected="selected" value="[% branch.branchcode %]">[% branch.branchname |html %]</option>
                   [% ELSE %]
-                    <option value="[% branch.branchcode %]">[% branch.branchname %]</option>
+                    <option value="[% branch.branchcode %]">[% branch.branchname |html %]</option>
                   [% END %]
                 [% END %]
             </select>
@@ -184,7 +184,7 @@ $(document).ready(function() {
             <select name="category_code" id="category">
                 <option value=""></option>
                 [% FOREACH cat IN categories %]
-                    [% IF ( cat.categorycode == category_code ) %]<option value="[% cat.categorycode %]" selected="selected">[% cat.description %]</option>[% ELSE %]<option value="[% cat.categorycode %]">[% cat.description %]</option>[% END %]
+                    [% IF ( cat.categorycode == category_code ) %]<option value="[% cat.categorycode %]" selected="selected">[% cat.description |html %]</option>[% ELSE %]<option value="[% cat.categorycode %]">[% cat.description |html %]</option>[% END %]
                 [% END %]
             </select>
             <span>Choose one to limit this attribute to one patron type. Please leave blank if you want these attributes to be available for all types of patrons.</span>
@@ -196,11 +196,11 @@ $(document).ready(function() {
                 [% FOREACH class IN classes_val_loop %]
                     [% IF class.authorised_value == category_class %]
                         <option value="[% class.authorised_value %]" selected="selected">
-                            [% class.lib %]
+                            [% class.lib |html %]
                         </option>
                     [% ELSE %]
                         <option value="[% class.authorised_value %]" >
-                            [% class.lib %]
+                            [% class.lib |html %]
                         </option>
                     [% END %]
                 [% END %]