From 1c5b315787c5714b2453f9b1ec9eb66ae6aa51b3 Mon Sep 17 00:00:00 2001
From: Amit Gupta
Date: Mon, 7 Aug 2017 22:34:05 +0530
Subject: [PATCH] Bug 19054 - XSS Flaws in Report - Top Most-circulated items

1. Hit /cgi-bin/koha/reports/cat_issues_top.pl
2. Enter in Callnumber, Day, Month, Year search box.
3. Notice the iframe is executed.
4. Apply patch.
5. Reload page, and enter iframe again on Callnumber, Day, Month, Year search box.
6. Notice it is no longer executed.

Signed-off-by: Chris Cormack
Signed-off-by: Marcel de Rooy
Signed-off-by: Jonathan Druart
(cherry picked from commit 755a1fb372b29443b7d128c4c710f7a7ed63f189)
Signed-off-by: Fridolin Somers
---
 .../intranet-tmpl/prog/en/modules/reports/cat_issues_top.tt | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/koha-tmpl/intranet-tmpl/prog/en/modules/reports/cat_issues_top.tt b/koha-tmpl/intranet-tmpl/prog/en/modules/reports/cat_issues_top.tt
index 7365de18e6..555ea64eb7 100644
--- a/koha-tmpl/intranet-tmpl/prog/en/modules/reports/cat_issues_top.tt
+++ b/koha-tmpl/intranet-tmpl/prog/en/modules/reports/cat_issues_top.tt
@@ -59,7 +59,7 @@ [% IF ( mainloo.loopfilter ) %]

Filtered on:

[% FOREACH loopfilte IN mainloo.loopfilter %] -

[% IF ( loopfilte.err ) %] [% END %] [% loopfilte.crit %] =[% loopfilte.filter %][% IF ( loopfilte.err ) %] [% END %]

+

[% IF ( loopfilte.err ) %] [% END %] [% loopfilte.crit %] =[% loopfilte.filter |html %][% IF ( loopfilte.err ) %] [% END %]

[% END %] [% END %] -- 2.39.5
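Review bot: the hunk escapes only `loopfilte.filter`, while `[% loopfilte.crit %]` on the same output line is still emitted unfiltered. If `crit` is a fixed label set in cat_issues_top.pl this is fine, but if it can ever carry text derived from a request parameter the same reflected XSS remains; either confirm that in the script or apply the same filter for consistency, i.e. `[% loopfilte.crit | html %] =[% loopfilte.filter | html %]`. Note also that the Template Toolkit `html` filter escapes `<`, `>`, `&` and `"`, which is sufficient for element content like this, but not for values placed inside an attribute without quotes or inside a `<script>` block, so any other places in this template that output filter values in those contexts need a context-appropriate filter rather than this one.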