From b90662073ff99d25e0f32156924f79981f9d5707 Mon Sep 17 00:00:00 2001
From: Amit Gupta <amit.gupta@informaticsglobal.com>
Date: Wed, 16 Aug 2017 17:56:17 +0530
Subject: [PATCH] Bug 19127: Fix Stored XSS in csv-profiles.pl

To Test
1. Hit the page /cgi-bin/koha/tools/csv-profiles.pl?op=add_form
2. Add a text in the field Profile name, Profile description
   and Profile MARC fields that contains js
3. Save the page.
4. Notice js is execute
5. Apply patch and reload, the js is escaped

Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>

Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
---
 .../intranet-tmpl/prog/en/modules/tools/csv-profiles.tt     | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/koha-tmpl/intranet-tmpl/prog/en/modules/tools/csv-profiles.tt b/koha-tmpl/intranet-tmpl/prog/en/modules/tools/csv-profiles.tt
index 40f64f51c3..181eb35d6c 100644
--- a/koha-tmpl/intranet-tmpl/prog/en/modules/tools/csv-profiles.tt
+++ b/koha-tmpl/intranet-tmpl/prog/en/modules/tools/csv-profiles.tt
@@ -279,9 +279,9 @@ function reloadPage(p) {
                 [% FOREACH csv_profile IN csv_profiles %]
                 <tr>
                     <td>[% csv_profile.export_format_id %]</td>
-                    <td>[% csv_profile.profile %]</td>
-                    <td>[% csv_profile.description %]</td>
-                    <td>[% csv_profile.content %]</td>
+                    <td>[% csv_profile.profile |html %]</td>
+                    <td>[% csv_profile.description |html %]</td>
+                    <td>[% csv_profile.content |html %]</td>
                     <td>[% csv_profile.csv_separator %]</td>
                     <td>[% PROCESS type_description type_code = csv_profile.type %]</td>
                     <td>[% PROCESS used_for_description used_for_code = csv_profile.used_for %]</td>
-- 
2.39.2