From 1deab6d87f13ced3da4dc29ef30978867a95145c Mon Sep 17 00:00:00 2001
From: Chris Cormack <chris@bigballofwax.co.nz>
Date: Fri, 11 Aug 2017 19:54:34 +0000
Subject: [PATCH] Bug 19086 Stored XSS in circulation.pl

1/ To test add a message to a borrower that contains js
2/ hit /cgi-bin/koha/circ/circulation.pl?borrowernumber=[number]
  where number is the borrowernumber of the borrower you set the message
  for
3/ Notice js is execute
4/ Apply patch, reload, js is escaped

Signed-off-by: Amit Gupta <amit.gupta@informaticsglobal.com>

Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>

Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Mason James <mtj@kohaaloha.com>
---
 koha-tmpl/intranet-tmpl/prog/en/modules/circ/circulation.tt | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/koha-tmpl/intranet-tmpl/prog/en/modules/circ/circulation.tt b/koha-tmpl/intranet-tmpl/prog/en/modules/circ/circulation.tt
index 4526ae14e8..34c635013e 100644
--- a/koha-tmpl/intranet-tmpl/prog/en/modules/circ/circulation.tt
+++ b/koha-tmpl/intranet-tmpl/prog/en/modules/circ/circulation.tt
@@ -892,7 +892,7 @@ No patron matched <span class="ex">[% message | html %]</span>
                     <span class="circ-hlt">
                         [% message.message_date | $KohaDates %]
                         [% Branches.GetName( message.branchcode ) %]
-                        <i>"[% message.message %]"</i>
+                        <i>"[% message.message | html %]"</i>
                     </span>
                     [% IF message.branchcode == branch OR Koha.Preference('AllowAllMessageDeletion') %]
                         <a href="/cgi-bin/koha/circ/del_message.pl?message_id=[% message.message_id %]&amp;borrowernumber=[% message.borrowernumber %]" onclick="return confirm(MSG_CONFIRM_DELETE_MESSAGE);">[Delete]</a>
-- 
2.39.5