From 5ffa9b924cf4bed72f105dc711ca7dd03ee373c5 Mon Sep 17 00:00:00 2001
From: Amit Gupta <amit.gupta@informaticsglobal.com>
Date: Tue, 15 Aug 2017 13:49:10 +0530
Subject: [PATCH] Bug 19108 - Stored XSS in items_search_fields.pl

To Test
1. Hit the page /cgi-bin/koha/admin/items_search_fields.pl
2. Add a text in the field Name and Label that contains js
3. Save the page.
4. Notice js is execute
5. Apply patch and reload, the js is escaped

Fixed for new and edit page

Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>

Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Mason James <mtj@kohaaloha.com>
---
 .../prog/en/includes/admin-items-search-field-form.inc      | 4 ++--
 .../prog/en/modules/admin/items_search_field.tt             | 4 ++--
 .../prog/en/modules/admin/items_search_fields.tt            | 6 +++---
 3 files changed, 7 insertions(+), 7 deletions(-)

diff --git a/koha-tmpl/intranet-tmpl/prog/en/includes/admin-items-search-field-form.inc b/koha-tmpl/intranet-tmpl/prog/en/includes/admin-items-search-field-form.inc
index a886a8b5ac..68a847b1cb 100644
--- a/koha-tmpl/intranet-tmpl/prog/en/includes/admin-items-search-field-form.inc
+++ b/koha-tmpl/intranet-tmpl/prog/en/includes/admin-items-search-field-form.inc
@@ -2,7 +2,7 @@
   <li>
       [% IF field %]
           <span class="label">Name: </span>
-          [% field.name %]
+          [% field.name |html %]
           <input type="hidden" name="name" value="[% field.name %]">
       [% ELSE %]
           <label class="required" for="name">Name: </label>
@@ -13,7 +13,7 @@
   <li>
     <label class="required" for="label">Label: </label>
     [% IF field %]
-        <input type="text" name="label" id="label" value="[% field.label %]" class="required" required="required" />
+        <input type="text" name="label" id="label" value="[% field.label |html %]" class="required" required="required" />
     [% ELSE %]
         <input type="text" name="label" id="label" class="required" required="required" />
     [% END %]
diff --git a/koha-tmpl/intranet-tmpl/prog/en/modules/admin/items_search_field.tt b/koha-tmpl/intranet-tmpl/prog/en/modules/admin/items_search_field.tt
index ed1f9c5890..c29c66d1f2 100644
--- a/koha-tmpl/intranet-tmpl/prog/en/modules/admin/items_search_field.tt
+++ b/koha-tmpl/intranet-tmpl/prog/en/modules/admin/items_search_field.tt
@@ -9,14 +9,14 @@
     <a href="/cgi-bin/koha/mainpage.pl">Home</a> &rsaquo;
     <a href="/cgi-bin/koha/admin/admin-home.pl">Administration</a> &rsaquo;
     <a href="/cgi-bin/koha/admin/items_search_fields.pl">Item search fields</a> &rsaquo;
-    [% field.name %]
+    [% field.name |html %]
   </div>
 
   <div id="doc3" class="yui-t2">
     <div id="bd">
       <div id="yui-main">
         <div class="yui-b">
-          <h1>Item search field: [% field.label %]</h1>
+          <h1>Item search field: [% field.label |html %]</h1>
 
           <form action="/cgi-bin/koha/admin/items_search_field.pl" method="POST" class="validated">
             <fieldset class="rows">
diff --git a/koha-tmpl/intranet-tmpl/prog/en/modules/admin/items_search_fields.tt b/koha-tmpl/intranet-tmpl/prog/en/modules/admin/items_search_fields.tt
index caaf1ae0fa..03bf06ea5b 100644
--- a/koha-tmpl/intranet-tmpl/prog/en/modules/admin/items_search_fields.tt
+++ b/koha-tmpl/intranet-tmpl/prog/en/modules/admin/items_search_fields.tt
@@ -26,7 +26,7 @@
 
           [% IF field_added %]
             <div class="dialog message">
-              Field successfully added: [% field_added.label %]
+              Field successfully added: [% field_added.label |html %]
             </div>
           [% ELSIF field_not_added %]
             <div class="dialog alert">
@@ -70,8 +70,8 @@
                     <tbody>
                       [% FOREACH field IN fields %]
                         <tr>
-                          <td>[% field.name %]</td>
-                          <td>[% field.label %]</td>
+                          <td>[% field.name |html %]</td>
+                          <td>[% field.label |html %]</td>
                           <td>[% field.tagfield %]</td>
                           <td>[% field.tagsubfield %]</td>
                           <td>[% field.authorised_values_category %]</td>
-- 
2.39.5