From c127306b540cc0ee7cda9f7b14cd2c9bb47b99a1 Mon Sep 17 00:00:00 2001
From: Katrin Fischer <katrin.fischer.83@web.de>
Date: Wed, 16 Aug 2017 12:05:50 +0200
Subject: [PATCH] Bug 19125 - XSS - members.pl

In preparation to test this patch:
- Add a patron list named <script>alert("patron list")</script>
- Add a library named <script>alert("library")</script>
- Add a patron category named <script>alert("patron category")</script>

To test:
- Access patron search page and do a search
- Verify that the alerts added above are executed
- Apply patch
- Verify that no alerts are displayed

Signed-off-by: Amit Gupta <amit.gupta@informaticsglobal.com>

Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Mason James <mtj@kohaaloha.com>
---
 koha-tmpl/intranet-tmpl/prog/en/includes/patron-search.inc  | 2 +-
 koha-tmpl/intranet-tmpl/prog/en/includes/patron-toolbar.inc | 2 +-
 koha-tmpl/intranet-tmpl/prog/en/modules/members/member.tt   | 6 +++---
 3 files changed, 5 insertions(+), 5 deletions(-)

diff --git a/koha-tmpl/intranet-tmpl/prog/en/includes/patron-search.inc b/koha-tmpl/intranet-tmpl/prog/en/includes/patron-search.inc
index 41c67b8d5d..b8dac1859f 100644
--- a/koha-tmpl/intranet-tmpl/prog/en/includes/patron-search.inc
+++ b/koha-tmpl/intranet-tmpl/prog/en/includes/patron-search.inc
@@ -94,7 +94,7 @@
                     [% IF b.selected %]
                         <option value="[% b.branchcode %]" selected="selected">[% b.branchname %]</option>
                     [% ELSE %]
-                        <option value="[% b.branchcode %]">[% b.branchname %]</option>
+                        <option value="[% b.branchcode %]">[% b.branchname |html %]</option>
                     [% END %]
                 [% END %]
             </select>
diff --git a/koha-tmpl/intranet-tmpl/prog/en/includes/patron-toolbar.inc b/koha-tmpl/intranet-tmpl/prog/en/includes/patron-toolbar.inc
index 3b04aea250..284709246f 100644
--- a/koha-tmpl/intranet-tmpl/prog/en/includes/patron-toolbar.inc
+++ b/koha-tmpl/intranet-tmpl/prog/en/includes/patron-toolbar.inc
@@ -6,7 +6,7 @@
     <div class="btn-group">
         <button class="btn btn-small dropdown-toggle" data-toggle="dropdown"><i class="fa fa-plus"></i> New patron <span class="caret"></span></button>
             <ul class="dropdown-menu">
-                [% FOREACH category IN categories %]<li><a href="/cgi-bin/koha/members/memberentry.pl?op=add&amp;categorycode=[% category.categorycode %]">[% category.description %]</a></li>[% END %]
+                [% FOREACH category IN categories %]<li><a href="/cgi-bin/koha/members/memberentry.pl?op=add&amp;categorycode=[% category.categorycode %]">[% category.description |html %]</a></li>[% END %]
             </ul>
     </div>
     [% IF CAN_user_tools_manage_patron_lists %]
diff --git a/koha-tmpl/intranet-tmpl/prog/en/modules/members/member.tt b/koha-tmpl/intranet-tmpl/prog/en/modules/members/member.tt
index b597a8f9c0..ccb4561475 100644
--- a/koha-tmpl/intranet-tmpl/prog/en/modules/members/member.tt
+++ b/koha-tmpl/intranet-tmpl/prog/en/modules/members/member.tt
@@ -372,7 +372,7 @@ function filterByFirstLetterSurname(letter) {
                               [% IF patron_lists %]
                                   <optgroup label="Patron lists:">
                                       [% FOREACH pl IN patron_lists %]
-                                          <option value="[% pl.patron_list_id %]">[% pl.name %]</option>
+                                          <option value="[% pl.patron_list_id %]">[% pl.name |html %]</option>
                                       [% END %]
                                   </optgroup>
                               [% END %]
@@ -496,9 +496,9 @@ function filterByFirstLetterSurname(letter) {
                 <option value="">Any</option>
                 [% FOREACH cat IN categories %]
                   [% IF cat.selected %]
-                    <option selected="selected" value="[% cat.categorycode %]">[% cat.description %]</option>
+                    <option selected="selected" value="[% cat.categorycode %]">[% cat.description |html %]</option>
                   [% ELSE %]
-                    <option value="[% cat.categorycode %]">[% cat.description %]</option>
+                    <option value="[% cat.categorycode %]">[% cat.description |html %]</option>
                   [% END %]
                 [% END %]
               </select>
-- 
2.39.5