From 4c3c2c8ec2dc748e8507ef4d6256b6187b0367c1 Mon Sep 17 00:00:00 2001
From: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Date: Wed, 3 Aug 2016 08:49:10 +0100
Subject: [PATCH] Bug 17036: Fix XSS in circulation.pl

Test plan:
Enter the following in the "Check out" tab:
"><script>alert('XSS')</script>

=> Without this patch you will see the alert
=> With this patch, no more alert

Signed-off-by: Chris Cormack <chrisc@catalyst.net.nz>

Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
Signed-off-by: Chris Cormack <chris@bigballofwax.co.nz>
---
 koha-tmpl/intranet-tmpl/prog/en/modules/circ/circulation.tt | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/koha-tmpl/intranet-tmpl/prog/en/modules/circ/circulation.tt b/koha-tmpl/intranet-tmpl/prog/en/modules/circ/circulation.tt
index cf1c581747..c2bc755a71 100644
--- a/koha-tmpl/intranet-tmpl/prog/en/modules/circ/circulation.tt
+++ b/koha-tmpl/intranet-tmpl/prog/en/modules/circ/circulation.tt
@@ -516,7 +516,7 @@ $(document).ready(function() {
 [% IF ( message ) %]
 [% INCLUDE 'patron-toolbar.inc' %]
 <h4>
-No patron matched <span class="ex">[% message %]</span>
+No patron matched <span class="ex">[% message | html %]</span>
 </h4>
 [% END %]
 
-- 
2.39.5