From 818dd531ecae29e0a6e14072ed9d8f5d448cfafb Mon Sep 17 00:00:00 2001
From: Amit Gupta <amit.gupta@informaticsglobal.com>
Date: Mon, 7 Aug 2017 22:04:30 +0530
Subject: [PATCH] Bug 19052 - XSS Flaws in vendor search page

1. Hit /cgi-bin/koha/acqui/booksellers.pl
2. Enter <IFRAME SRC="javascript:alert('XSS');"></IFRAME> vendor search box.
3. Notice the iframe is executed.
4. Apply patch.
5. Reload page, and enter iframe again on vendor search box.
6. Notice it is no longer executed.

Signed-off-by: Chris Cormack <chrisc@catalyst.net.nz>

Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Mason James <mtj@kohaaloha.com>
---
 koha-tmpl/intranet-tmpl/prog/en/modules/acqui/booksellers.tt | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/koha-tmpl/intranet-tmpl/prog/en/modules/acqui/booksellers.tt b/koha-tmpl/intranet-tmpl/prog/en/modules/acqui/booksellers.tt
index ff92a913d6..7f66ca62c0 100644
--- a/koha-tmpl/intranet-tmpl/prog/en/modules/acqui/booksellers.tt
+++ b/koha-tmpl/intranet-tmpl/prog/en/modules/acqui/booksellers.tt
@@ -42,7 +42,7 @@ $(document).ready(function() {
 [% INCLUDE 'header.inc' %]
 [% INCLUDE 'acquisitions-search.inc' %]
 
-<div id="breadcrumbs"><a href="/cgi-bin/koha/mainpage.pl">Home</a> &rsaquo; <a href="/cgi-bin/koha/acqui/acqui-home.pl">Acquisitions</a> &rsaquo; Search for vendor <em>[% supplier %]</em> </div>
+<div id="breadcrumbs"><a href="/cgi-bin/koha/mainpage.pl">Home</a> &rsaquo; <a href="/cgi-bin/koha/acqui/acqui-home.pl">Acquisitions</a> &rsaquo; Search for vendor <em>[% supplier |html %]</em> </div>
 
 <div id="doc3" class="yui-t2">
    
-- 
2.39.5