From 0eb03b0817561fc37c77bf551a09d816d41c4117 Mon Sep 17 00:00:00 2001
From: Amit Gupta <amit.gupta@informaticsglobal.com>
Date: Tue, 15 Aug 2017 02:44:11 +0530
Subject: [PATCH] Bug 19086 Stored XSS in subscription-add.pl

To Test
1. Hit the page /cgi-bin/koha/serials/subscription-add.pl
2. Add a text in the field Public note and Nonpublic note
   that contains js (Internalnotes, notes)
2. Save the page.
3. Notice js is execute
4. Apply patch and reload, the js is escaped

Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>

Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
---
 .../prog/en/modules/serials/subscription-detail.tt            | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/koha-tmpl/intranet-tmpl/prog/en/modules/serials/subscription-detail.tt b/koha-tmpl/intranet-tmpl/prog/en/modules/serials/subscription-detail.tt
index 157c135033..b4285fccf5 100644
--- a/koha-tmpl/intranet-tmpl/prog/en/modules/serials/subscription-detail.tt
+++ b/koha-tmpl/intranet-tmpl/prog/en/modules/serials/subscription-detail.tt
@@ -339,8 +339,8 @@ $(document).ready(function() {
             <li><span class="label">History end date:</span> [% histenddate %]</li>
             <li><span class="label">Received issues:</span>[% recievedlist %]</li>
             <li><span class="label">Missing issues:</span>[% missinglist %]</li>
-            <li><span class="label">Nonpublic note:</span>[% internalnotes FILTER html_line_break %]</li>
-            <li><span class="label">Public note:</span>[% notes FILTER html_line_break %]</li>
+            <li><span class="label">Nonpublic note:</span>[% internalnotes FILTER html_line_break |html %]</li>
+            <li><span class="label">Public note:</span>[% notes FILTER html_line_break |html %]</li>
             <li><span class="label">History staff note:</span>[% librariannote FILTER html_line_break %]</li>
             <li><span class="label">History OPAC note:</span>[% opacnote FILTER html_line_break %]</li>
         </ol>
-- 
2.39.5