From 3601c6fb1b19ef52cf441b473b34d98a17bc887a Mon Sep 17 00:00:00 2001
From: Chris <chris@bigballofwax.co.nz>
Date: Sun, 21 Jun 2015 08:18:20 +0000
Subject: [PATCH] Bug 14423: XSS bug in lateorders

1/ hit a url like http://localhost:8081/cgi-bin/koha/acqui/lateorders.pl?delay=<script>alert('oh noes')</script>&estimateddeliverydatefrom
2/ Not you get an alert box
3/ Apply patch notice it is fixed
4/ Test functionality still works

Signed-off-by: Jonathan Druart <jonathan.druart@koha-community.org>

Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
---
 koha-tmpl/intranet-tmpl/prog/en/modules/acqui/lateorders.tt | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/koha-tmpl/intranet-tmpl/prog/en/modules/acqui/lateorders.tt b/koha-tmpl/intranet-tmpl/prog/en/modules/acqui/lateorders.tt
index 70a15be948..f6804019ff 100644
--- a/koha-tmpl/intranet-tmpl/prog/en/modules/acqui/lateorders.tt
+++ b/koha-tmpl/intranet-tmpl/prog/en/modules/acqui/lateorders.tt
@@ -98,7 +98,7 @@ $(document).ready(function() {
 [% IF ( lateorders ) %]
 <form action="lateorders.pl" name="claim" method="post">
   <input type="hidden" name="op" value="send_alert" />
-  <input type="hidden" name="delay" value="[% delay %]" />
+  <input type="hidden" name="delay" value="[% delay | html%]" />
   <input type="hidden" name="booksellerid" value="[% booksellerid %]" />
 	[% IF ( letters ) %]
 	<p><label for="letter_code">Claim using notice: </label><select name="letter_code" id="letter_code">
@@ -222,10 +222,10 @@ $(document).ready(function() {
 <fieldset class="brief">
 <h4>Filter results:</h4>
 [% FOREACH ERROR_LOO IN ERROR_LOOP %]
-[% IF ( ERROR_LOO.delay_digits ) %]<p class="error">The number of days ([% ERROR_LOO.bad_delay %]) must be a number between 0 and 999.</p>[% END %]
+[% IF ( ERROR_LOO.delay_digits ) %]<p class="error">The number of days ([% ERROR_LOO.bad_delay | html %]) must be a number between 0 and 999.</p>[% END %]
 [% END %]
 <ol>
-    <li><label for="delay">Order date:</label><input size="3" maxlength="3" id="delay" type="text" name="delay" value="[% delay %]" /> days ago</li>
+    <li><label for="delay">Order date:</label><input size="3" maxlength="3" id="delay" type="text" name="delay" value="[% delay | html%]" /> days ago</li>
     <li><label for="from">Estimated delivery date from: </label>
         <input type="text" size="10" id="from" name="estimateddeliverydatefrom" value="[% estimateddeliverydatefrom %]" class="datepickerfrom" />
         <div class="hint">[% INCLUDE 'date-format.inc' %]</div>
-- 
2.39.2