From 0a372c2b1ebcc9ce6ce4310fc227b801fe04cc85 Mon Sep 17 00:00:00 2001
From: Josef Moravec <josef.moravec@gmail.com>
Date: Sun, 3 Dec 2017 22:21:57 +0000
Subject: [PATCH] Bug 19738: Fix XSS on vendor name in serials module

Test plan:

1) do not apply this patch
2) Have at least one vendor which name does contain javascript, for
example: <i>Vendor 1</i><script>alert('Hi');</script>
3) go to serial module and create new subscription
4) use "Search for vendor"
5) Search for your vendor, when search results table is presented, the
javascript is executed
6) go through subscription creation and save the new subscription
7) On subscription detail page, the javascript is executed as well
8) apply this patch
9) Repeat 3-7, the script is not executed, the input is escaped

Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>

Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>

Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
---
 .../prog/en/modules/serials/acqui-search-result.tt              | 2 +-
 .../prog/en/modules/serials/subscription-detail.tt              | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/koha-tmpl/intranet-tmpl/prog/en/modules/serials/acqui-search-result.tt b/koha-tmpl/intranet-tmpl/prog/en/modules/serials/acqui-search-result.tt
index ccd6cfa59c..7e4a6504c7 100644
--- a/koha-tmpl/intranet-tmpl/prog/en/modules/serials/acqui-search-result.tt
+++ b/koha-tmpl/intranet-tmpl/prog/en/modules/serials/acqui-search-result.tt
@@ -42,7 +42,7 @@ $(document).ready(function(){
 	</tr>
 	[% FOREACH loop_supplier IN loop_suppliers %]
         <tr>
-			<td>[% loop_supplier.name %]</td>
+            <td>[% loop_supplier.name |html %]</td>
             <td><a class="btn btn-default btn-xs select_vendor" href="#" data-vendorid="[% loop_supplier.aqbooksellerid %]" data-vendorname="[% loop_supplier.name |html%]">Choose</a></td>
 		</tr>
 	[% END %]
diff --git a/koha-tmpl/intranet-tmpl/prog/en/modules/serials/subscription-detail.tt b/koha-tmpl/intranet-tmpl/prog/en/modules/serials/subscription-detail.tt
index 670a9c0469..a160fc87aa 100644
--- a/koha-tmpl/intranet-tmpl/prog/en/modules/serials/subscription-detail.tt
+++ b/koha-tmpl/intranet-tmpl/prog/en/modules/serials/subscription-detail.tt
@@ -87,7 +87,7 @@ $(document).ready(function() {
 		<ol>
 		<li><span class="label">Subscription ID: </span>[% subscriptionid %]</li>
         <li><span class="label">Librarian identity:</span> [% librarian %]</li>
-        <li><span class="label">Vendor:</span> <a href="/cgi-bin/koha/acqui/supplier.pl?booksellerid=[% aqbooksellerid %]">[% aqbooksellername %]</a></li>
+        <li><span class="label">Vendor:</span> <a href="/cgi-bin/koha/acqui/supplier.pl?booksellerid=[% aqbooksellerid %]">[% aqbooksellername |html %]</a></li>
         <li><span class="label">Biblio:</span>  <a href="/cgi-bin/koha/catalogue/[% default_bib_view %].pl?biblionumber=[% bibnum %]">[% bibliotitle %]</a> <i>([% bibnum %])</i></li>
         [% IF ( OPACBaseURL ) %]
             <li>
-- 
2.20.1