From f2063ecd9ff72537408c30516a4e0a8651f6c5d2 Mon Sep 17 00:00:00 2001
From: Owen Leonard
Date: Tue, 11 Aug 2020 12:31:26 +0000
Subject: [PATCH] Bug 26102: Prevent XSS when To.json is used: admin/preferences.tt

Test that preference search term highlighting works correctly.

Signed-off-by: Nick Clemens
Signed-off-by: Katrin Fischer
Signed-off-by: Kyle M Hall
(cherry picked from commit 5df95693f93e1ef95f74eb4a118319e84ed7703e)
Signed-off-by: Victor Grousset/tuxayo
(cherry picked from commit b4b87a3091a38985d13f2a6d2eb243589ec8b7dd)
Signed-off-by: Wainui Witika-Park
---
 koha-tmpl/intranet-tmpl/prog/en/modules/admin/preferences.tt | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/koha-tmpl/intranet-tmpl/prog/en/modules/admin/preferences.tt b/koha-tmpl/intranet-tmpl/prog/en/modules/admin/preferences.tt
index 38ecd63e1c..814af9ea85 100644
--- a/koha-tmpl/intranet-tmpl/prog/en/modules/admin/preferences.tt
+++ b/koha-tmpl/intranet-tmpl/prog/en/modules/admin/preferences.tt
@@ -200,7 +200,7 @@
 });
 // This is here because of its dependence on template variables, everything else should go in js/pages/preferences.js - jpw
-var to_highlight = "[% searchfield |replace("'", "\'") |replace('"', '\"') |replace('\n', '\\n') |replace('\r', '\\r') | html %]";
+var to_highlight = "[% To.json( searchfield ) | html %]";
 var search_jumped = [% IF ( search_jumped ) %]true[% ELSE %]false[% END %];
 var MSG_NOTHING_TO_SAVE = _("Nothing to save");
 var MSG_SAVING = _("Saving...");
-- 
2.39.5
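Review bot: The new `to_highlight` line double-wraps the value: `To.json( searchfield )` already emits a quoted JSON string literal, that output is then HTML-escaped (quotes become `&quot;`) and placed inside a second pair of JS double quotes, and since browsers do not decode entities inside `<script>`, the script ends up holding the escaped JSON text rather than the search term. Any term containing a quote, `&`, `<` or `>` will therefore no longer match when highlighted; whether plain single-word terms still work depends on how js/pages/preferences.js consumes `to_highlight`, which is outside this hunk, so the test plan should be run with such a term. A way to keep the `html` filter without the double encoding is to stop embedding the term in script text at all: render it into an attribute, `<div id="prefs-search-term" data-term="[% searchfield | html %]"></div>` (constructed id), and read it with `var to_highlight = document.getElementById("prefs-search-term").dataset.term;`, which returns the decoded attribute value. The enclosing `<script>` block starts and ends outside the hunk.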