From faeb759a86e4f89b060aae59eac46caaf70b1b15 Mon Sep 17 00:00:00 2001
From: Amit Gupta <amit.gupta@informaticsglobal.com>
Date: Sun, 12 Nov 2017 21:14:41 +0530
Subject: [PATCH] Bug 19611: Fix XSS Flaws in supplier.pl

Test
1. Hit the page /cgi-bin/koha/acqui/supplier.pl?op=enter
2. Add a text in the field Name that contains java script
3. Save the page.
4. Notice js is execute
5. Apply patch and reload the js is escaped

Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>

Signed-off-by: Josef Moravec <josef.moravec@gmail.com>

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
---
 koha-tmpl/intranet-tmpl/prog/en/modules/acqui/booksellers.tt | 2 +-
 koha-tmpl/intranet-tmpl/prog/en/modules/acqui/supplier.tt    | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/koha-tmpl/intranet-tmpl/prog/en/modules/acqui/booksellers.tt b/koha-tmpl/intranet-tmpl/prog/en/modules/acqui/booksellers.tt
index 50331d7d18..41b6912dc3 100644
--- a/koha-tmpl/intranet-tmpl/prog/en/modules/acqui/booksellers.tt
+++ b/koha-tmpl/intranet-tmpl/prog/en/modules/acqui/booksellers.tt
@@ -80,7 +80,7 @@ $(document).ready(function() {
             <div class="supplier">
                 <span class="suppliername">
                     [% IF (supplier.name) %]
-                        <a name="[% supplier.booksellerid %]" href="/cgi-bin/koha/acqui/supplier.pl?booksellerid=[% supplier.booksellerid %]">[% supplier.name %]</a>
+                        <a name="[% supplier.booksellerid %]" href="/cgi-bin/koha/acqui/supplier.pl?booksellerid=[% supplier.booksellerid %]">[% supplier.name |html %]</a>
                     [% ELSE %]
                         <a name="[% supplier.booksellerid %]" href="/cgi-bin/koha/acqui/supplier.pl?booksellerid=[% supplier.booksellerid %]">NO NAME</a>
                     [% END %]
diff --git a/koha-tmpl/intranet-tmpl/prog/en/modules/acqui/supplier.tt b/koha-tmpl/intranet-tmpl/prog/en/modules/acqui/supplier.tt
index db4d9654cc..889e7a3c2d 100644
--- a/koha-tmpl/intranet-tmpl/prog/en/modules/acqui/supplier.tt
+++ b/koha-tmpl/intranet-tmpl/prog/en/modules/acqui/supplier.tt
@@ -169,7 +169,7 @@ function delete_contact(ev) {
 [% INCLUDE 'header.inc' %]
 [% INCLUDE 'acquisitions-search.inc' %]
 
-<div id="breadcrumbs"><a href="/cgi-bin/koha/mainpage.pl">Home</a> &rsaquo; <a href="/cgi-bin/koha/acqui/acqui-home.pl">Acquisitions</a> &rsaquo; [% IF ( enter ) %][% IF ( booksellerid ) %] <a href="/cgi-bin/koha/acqui/supplier.pl?booksellerid=[% booksellerid %]">[% name |html %]</a> &rsaquo; Update: [% name %][% ELSE %]Add vendor[% END %] [% ELSE %][% name |html %][% END %]</div>
+<div id="breadcrumbs"><a href="/cgi-bin/koha/mainpage.pl">Home</a> &rsaquo; <a href="/cgi-bin/koha/acqui/acqui-home.pl">Acquisitions</a> &rsaquo; [% IF ( enter ) %][% IF ( booksellerid ) %] <a href="/cgi-bin/koha/acqui/supplier.pl?booksellerid=[% booksellerid %]">[% name |html %]</a> &rsaquo; Update: [% name |html %][% ELSE %]Add vendor[% END %] [% ELSE %][% name |html %][% END %]</div>
 
 <div id="doc3" class="yui-t2">
 
-- 
2.39.5