From 61d082f7e5d9b264c1551cad837a1e63d1678bce Mon Sep 17 00:00:00 2001 From: Amit Gupta Date: Mon, 7 Aug 2017 21:43:56 +0530 Subject: [PATCH] Bug 19051 - XSS Flaws in - Batch item modification page 1. Hit /cgi-bin/koha/tools/batchMod.pl 2. Enter in the Barcode list (one barcode per line) text area. 3. Notice the iframe is executed. 4. Apply patch. 5. Reload page, and enter iframe again on Barcode list (one barcode per line) text area. 6. Notice it is no longer executed. 7. Fixes for both barcode and itemnumber. Signed-off-by: Chris Cormack Signed-off-by: Marcel de Rooy --- koha-tmpl/intranet-tmpl/prog/en/modules/tools/batchMod-edit.tt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/koha-tmpl/intranet-tmpl/prog/en/modules/tools/batchMod-edit.tt b/koha-tmpl/intranet-tmpl/prog/en/modules/tools/batchMod-edit.tt index 70faf19d0b..9a9de56701 100644 --- a/koha-tmpl/intranet-tmpl/prog/en/modules/tools/batchMod-edit.tt +++ b/koha-tmpl/intranet-tmpl/prog/en/modules/tools/batchMod-edit.tt @@ -98,7 +98,7 @@ $(document).ready(function(){ [% FOREACH notfoundbarcode IN notfoundbarcodes %] - [% notfoundbarcode.barcode %] + [% notfoundbarcode.barcode |html %] [% END %] -- 2.39.5
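Review bot: the commit message says "Fixes for both barcode and itemnumber", but the diffstat (1 insertion(+), 1 deletion(-)) and the single hunk only add the `|html` filter to `[% notfoundbarcode.barcode %]` inside the `notfoundbarcodes` loop; no itemnumber output is escaped anywhere in this patch, so either the itemnumber hunk is missing or the message overstates the change. Also, the hunk header's context is `$(document).ready(function(){`, which suggests this loop sits near or inside a script block; `|html` is the right filter for element text (it encodes `<`, `>`, `&` and `"`), but if the value is emitted into a JavaScript string it is not sufficient on its own, so please confirm the output context of that line.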