From 933f139b77cc3f75946317103848f957ebf057cc Mon Sep 17 00:00:00 2001 From: Amit Gupta Date: Fri, 4 Aug 2017 09:44:52 +0530 Subject: [PATCH] Bug 19033: XSS Flaws in Currencies and exchange page 1. Hit /cgi-bin/koha/admin/currency.pl 2. Enter search currencies box. 3. Notice the iframe is executed 4. Apply patch 5. Reload page, and enter iframe again on search currencies box. 6. Notice it is no longer executed Signed-off-by: Tomas Cohen Arazi Fixes the issue, follows common practice on the codebase. Signed-off-by: Jonathan Druart (cherry picked from commit 08fe6c3c3a8b3370ea212b049573a8618cf1e9e3) Signed-off-by: Fridolin Somers --- koha-tmpl/intranet-tmpl/prog/en/modules/admin/currency.tt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/koha-tmpl/intranet-tmpl/prog/en/modules/admin/currency.tt b/koha-tmpl/intranet-tmpl/prog/en/modules/admin/currency.tt index 3f2c5bfb04..1cc063f38c 100644 --- a/koha-tmpl/intranet-tmpl/prog/en/modules/admin/currency.tt +++ b/koha-tmpl/intranet-tmpl/prog/en/modules/admin/currency.tt @@ -197,7 +197,7 @@ [% END %] [% IF searchfield %] - You searched for [% searchfield %] + You searched for [% searchfield |html %] [% END %] -- 2.39.5
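Review bot: In the `@@ -197,7 +197,7 @@` hunk of currency.tt, `[% searchfield |html %]` is the right filter for this HTML text context, but the diffstat shows one insertion and one deletion, so only this single output of `searchfield` is escaped. Please confirm that the template does not emit `searchfield` unfiltered anywhere else, for example back into the search box's value attribute or into a link, and apply `|html` there as well (or `|uri` where the value lands in a URL). The test plan is manual only; a regression test that requests the page with markup in the search parameter and asserts that the response contains the escaped form would keep this from coming back.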