From d31c635fe2cc6d0b715661d35a02723a48e42e2b Mon Sep 17 00:00:00 2001
From: Amit Gupta <amit.gupta@informaticsglobal.com>
Date: Tue, 15 Aug 2017 19:51:48 +0530
Subject: [PATCH] Bug 19112 - Stored XSS in basketheader.pl page

To Test

1. Hit the page /cgi-bin/koha/acqui/basketheader.pl?booksellerid=1&op=add_form
2. Add a text in the field Basket name, Internal note, Vendor note that contains java script
3. Save the page
4. Notice js is execute
5. Apply patch, reload, js is escaped.

Fixed XSS on pages basket.pl/basketheader.pl/bookseller.pl

Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>

Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
---
 koha-tmpl/intranet-tmpl/prog/en/modules/acqui/basket.tt   | 4 ++--
 .../intranet-tmpl/prog/en/modules/acqui/basketheader.tt   | 8 ++++----
 .../intranet-tmpl/prog/en/modules/acqui/booksellers.tt    | 2 +-
 3 files changed, 7 insertions(+), 7 deletions(-)

diff --git a/koha-tmpl/intranet-tmpl/prog/en/modules/acqui/basket.tt b/koha-tmpl/intranet-tmpl/prog/en/modules/acqui/basket.tt
index f1aa1157c4..aea00a3650 100644
--- a/koha-tmpl/intranet-tmpl/prog/en/modules/acqui/basket.tt
+++ b/koha-tmpl/intranet-tmpl/prog/en/modules/acqui/basket.tt
@@ -367,8 +367,8 @@
                 <div class="rows">
                 <div class="yui-u first">
                 <ol>
-                [% IF ( basketnote ) %]<li><span class="label">Internal note:</span> [% basketnote %]</li>[% END %]
-                [% IF ( basketbooksellernote ) %]<li><span class="label">Vendor note:</span> [% basketbooksellernote %]</li>[% END %]
+                [% IF ( basketnote ) %]<li><span class="label">Internal note:</span> [% basketnote |html %]</li>[% END %]
+                [% IF ( basketbooksellernote ) %]<li><span class="label">Vendor note:</span> [% basketbooksellernote |html %]</li>[% END %]
                 [% IF ( basketcontractno ) %]
                     <li><span class="label">Contract name:</span> <a href="../admin/aqcontract.pl?op=add_form&amp;contractnumber=[% basketcontractno %]&amp;booksellerid=[% booksellerid %]">[% basketcontractname %]</a></li>
                 [% END %]
diff --git a/koha-tmpl/intranet-tmpl/prog/en/modules/acqui/basketheader.tt b/koha-tmpl/intranet-tmpl/prog/en/modules/acqui/basketheader.tt
index 5cc8cc7982..b3be24135a 100644
--- a/koha-tmpl/intranet-tmpl/prog/en/modules/acqui/basketheader.tt
+++ b/koha-tmpl/intranet-tmpl/prog/en/modules/acqui/basketheader.tt
@@ -19,7 +19,7 @@
     <a href="/cgi-bin/koha/acqui/acqui-home.pl">Acquisitions</a> &rsaquo;
     <a href="/cgi-bin/koha/acqui/supplier.pl?booksellerid=[% booksellerid %]">[% booksellername %]</a> &rsaquo;
     [% IF ( add_form ) %]
-        [% IF ( basketno ) %]Edit basket '[% basketname %]'
+        [% IF ( basketno ) %]Edit basket '[% basketname |html %]'
         [% ELSE %]Add a basket to [% booksellername %]
         [% END %]
     [% END %]
@@ -32,7 +32,7 @@
 
     [% IF ( add_form ) %]
         [% IF ( basketno ) %]
-            <h1>Edit basket [% basketname %]</h1>
+            <h1>Edit basket [% basketname |html %]</h1>
         [% ELSE %]<h1>Add a basket to [% booksellername %]</h1>
         [% END %]
     <form name="Aform" action="[% script_name %]" method="post" class="validated">
@@ -78,11 +78,11 @@
                 </li>
                 <li>
                     <label for="basketnote">Internal note: </label> &nbsp;
-                    <textarea name="basketnote" id="basketnote" rows="5" cols="40">[% basketnote %]</textarea>
+                    <textarea name="basketnote" id="basketnote" rows="5" cols="40">[% basketnote |html %]</textarea>
                 </li>
                 <li>
                     <label for="basketbooksellernote">Vendor note: </label> &nbsp;
-                    <textarea name="basketbooksellernote" id="basketbooksellernote" rows="5" cols="40">[% basketbooksellernote %]</textarea>
+                    <textarea name="basketbooksellernote" id="basketbooksellernote" rows="5" cols="40">[% basketbooksellernote |html %]</textarea>
                 </li>
                 [% IF ( contractloop ) %]
                     <li><label for="basketcontractnumber">Contract: </label>
diff --git a/koha-tmpl/intranet-tmpl/prog/en/modules/acqui/booksellers.tt b/koha-tmpl/intranet-tmpl/prog/en/modules/acqui/booksellers.tt
index e9f44dcaec..e8acf39696 100644
--- a/koha-tmpl/intranet-tmpl/prog/en/modules/acqui/booksellers.tt
+++ b/koha-tmpl/intranet-tmpl/prog/en/modules/acqui/booksellers.tt
@@ -142,7 +142,7 @@ $(document).ready(function() {
                                         <tr>
                                     [% END %]
                                         <td>[% basket.basketno %]</td>
-                                        <td>[% basket.basketname %]</td>
+                                        <td>[% basket.basketname |html %]</td>
                                         <td>
                                             <span title="[% basket.total_items %]">[% basket.total_items %]
                                                 [% IF basket.total_items_cancelled %]
-- 
2.39.2