From 6f0d4153dfb8f85ab2b41c1e2780d4171c00e4ee Mon Sep 17 00:00:00 2001
From: Chris Cormack <chris@bigballofwax.co.nz>
Date: Wed, 27 Nov 2013 05:37:07 +1300
Subject: [PATCH] Bug 11307: Fix potential XSS attack in public catalog RSS
 feed

To test:
1/ Craft a url like
/cgi-bin/koha/opac-search.pl?q=a&count=50"'<h1>test</h1>&sort_by=acqdate_dsc&format=rss2
2/ look at the source, notice
<opensearch:itemsPerPage>50"'<h1>test</h1></opensearch:itemsPerPage>
3/ apply the patch, and reload url
4/ source now contains
 <opensearch:itemsPerPage>50&quot;'&lt;h1&gt;test&lt;/h1&gt;</opensearch:itemsPerPage>

Signed-off-by: Mark Tompsett <mtompset@hotmail.com>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Signed-off-by: Galen Charlton <gmc@esilibrary.com>
---
 koha-tmpl/opac-tmpl/prog/en/modules/opac-opensearch.tt | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/koha-tmpl/opac-tmpl/prog/en/modules/opac-opensearch.tt b/koha-tmpl/opac-tmpl/prog/en/modules/opac-opensearch.tt
index 2d51ba6ba6..ff2b23c709 100644
--- a/koha-tmpl/opac-tmpl/prog/en/modules/opac-opensearch.tt
+++ b/koha-tmpl/opac-tmpl/prog/en/modules/opac-opensearch.tt
@@ -24,7 +24,7 @@
      <opensearch:totalResults>[% total %]</opensearch:totalResults>
      <opensearch:startIndex>[% offset %]</opensearch:startIndex>
      [% IF ( results_per_page ) %]
-       <opensearch:itemsPerPage>[% results_per_page %]</opensearch:itemsPerPage>
+       <opensearch:itemsPerPage>[% results_per_page |html %]</opensearch:itemsPerPage>
      [% ELSE %]
        <opensearch:itemsPerPage>20</opensearch:itemsPerPage>
      [% END %]
-- 
2.20.1