From 697fd4472d1dea6f5ad1e46294aaf3da4f0b3986 Mon Sep 17 00:00:00 2001
From: Chris Cormack <chrisc@catalyst.net.nz>
Date: Fri, 19 Jun 2015 11:26:02 +1200
Subject: [PATCH] Bug 14416 Stored XSS vulnerability

opac-addbybiblionumber.pl is also vulnerable because it doesn't escape
list names.

To test
1/ Create a malicious list name
2/ Try to add a biblio to the lists
3/ Notice js is excuted
4/ Apply patch
5/ Test again

Signed-off-by: Jonathan Druart <jonathan.druart@koha-community.org>
Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>
Signed-off-by: Mason James <mtj@kohaaloha.com>
---
 .../opac-tmpl/bootstrap/en/modules/opac-addbybiblionumber.tt  | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/koha-tmpl/opac-tmpl/bootstrap/en/modules/opac-addbybiblionumber.tt b/koha-tmpl/opac-tmpl/bootstrap/en/modules/opac-addbybiblionumber.tt
index c191547ff9..90300e923c 100644
--- a/koha-tmpl/opac-tmpl/bootstrap/en/modules/opac-addbybiblionumber.tt
+++ b/koha-tmpl/opac-tmpl/bootstrap/en/modules/opac-addbybiblionumber.tt
@@ -30,12 +30,12 @@
                                             <label for="shelfnumber">Add to list:</label> <select name="shelfnumber" id="shelfnumber">
                                                 [% IF ( privatevirtualshelves ) %]<optgroup label="Private Lists">
                                                     [% FOREACH privatevirtualshelve IN privatevirtualshelves %]
-                                                    <option value="[% privatevirtualshelve.shelfnumber %]">[% privatevirtualshelve.shelfname %]</option>
+                                                    <option value="[% privatevirtualshelve.shelfnumber %]">[% privatevirtualshelve.shelfname | html%]</option>
                                                     [% END %]
                                                 </optgroup>[% END %]
                                                 [% IF ( publicvirtualshelves ) %]<optgroup label="Public Lists">
                                                     [% FOREACH publicvirtualshelve IN publicvirtualshelves %]
-                                                    <option value="[% publicvirtualshelve.shelfnumber %]">[% publicvirtualshelve.shelfname %]</option>
+                                                    <option value="[% publicvirtualshelve.shelfnumber %]">[% publicvirtualshelve.shelfname |html%]</option>
                                                     [% END %]
                                                 </optgroup>[% END %]
                                             </select>
-- 
2.39.5