From e1f528834100b772002e24940d65138c8cbd1756 Mon Sep 17 00:00:00 2001
From: Amit Gupta <amit.gupta@informaticsglobal.com>
Date: Fri, 4 Aug 2017 10:34:19 +0530
Subject: [PATCH] Bug 19034: XSS Flaws in Patron categories pages

1. Hit /cgi-bin/koha/admin/categories.pl
2. Enter <IFRAME SRC="javascript:alert('XSS');"></IFRAME> search patron categories box.
3. Notice the iframe is executed.
4. Apply patch.
5. Reload page, and enter iframe again on search patron categories box.
6. Notice it is no longer executed.

Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
---
 koha-tmpl/intranet-tmpl/prog/en/modules/admin/categories.tt | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/koha-tmpl/intranet-tmpl/prog/en/modules/admin/categories.tt b/koha-tmpl/intranet-tmpl/prog/en/modules/admin/categories.tt
index 7f1fb533d1..e5cf685d41 100644
--- a/koha-tmpl/intranet-tmpl/prog/en/modules/admin/categories.tt
+++ b/koha-tmpl/intranet-tmpl/prog/en/modules/admin/categories.tt
@@ -335,7 +335,7 @@
 
     <h2>Patron categories</h2>
     [% IF searchfield %]
-        You Searched for [% searchfield %]</span>
+        You Searched for [% searchfield |html %]</span>
     [% END %]
     [% IF categories%]
         <table id="table_categorie">
-- 
2.39.5