From c092ea7261e310f85298adbd2800e5016585ece8 Mon Sep 17 00:00:00 2001
From: Amit Gupta <amit.gupta@informaticsglobal.com>
Date: Tue, 15 Aug 2017 13:49:10 +0530
Subject: [PATCH] Bug 19108 - Stored XSS in items_search_fields.pl

To Test
1. Hit the page /cgi-bin/koha/admin/items_search_fields.pl
2. Add a text in the field Name and Label that contains js
3. Save the page.
4. Notice js is execute
5. Apply patch and reload, the js is escaped

Fixed for new and edit page

Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>

Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
(cherry picked from commit 063fd5e1b9e086c57987fae408b4ce6e51fec2b9)
Signed-off-by: Fridolin Somers <fridolin.somers@biblibre.com>
(cherry picked from commit 332d705e725a0672eafdeedb88d3848fca4b2a8b)
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
---
 .../prog/en/includes/admin-items-search-field-form.inc      | 4 ++--
 .../prog/en/modules/admin/items_search_field.tt             | 4 ++--
 .../prog/en/modules/admin/items_search_fields.tt            | 6 +++---
 3 files changed, 7 insertions(+), 7 deletions(-)

diff --git a/koha-tmpl/intranet-tmpl/prog/en/includes/admin-items-search-field-form.inc b/koha-tmpl/intranet-tmpl/prog/en/includes/admin-items-search-field-form.inc
index a55f6c38ba..4ab91b1836 100644
--- a/koha-tmpl/intranet-tmpl/prog/en/includes/admin-items-search-field-form.inc
+++ b/koha-tmpl/intranet-tmpl/prog/en/includes/admin-items-search-field-form.inc
@@ -3,7 +3,7 @@
   <li>
       [% IF field %]
           <span class="label">Name: </span>
-          [% field.name %]
+          [% field.name |html %]
           <input type="hidden" name="name" value="[% field.name %]">
       [% ELSE %]
           <label class="required" for="name">Name: </label>
@@ -14,7 +14,7 @@
   <li>
     <label class="required" for="label">Label: </label>
     [% IF field %]
-        <input type="text" name="label" id="label" value="[% field.label %]" class="required" required="required" />
+        <input type="text" name="label" id="label" value="[% field.label |html %]" class="required" required="required" />
     [% ELSE %]
         <input type="text" name="label" id="label" class="required" required="required" />
     [% END %]
diff --git a/koha-tmpl/intranet-tmpl/prog/en/modules/admin/items_search_field.tt b/koha-tmpl/intranet-tmpl/prog/en/modules/admin/items_search_field.tt
index 5a69d716c4..6392efb018 100644
--- a/koha-tmpl/intranet-tmpl/prog/en/modules/admin/items_search_field.tt
+++ b/koha-tmpl/intranet-tmpl/prog/en/modules/admin/items_search_field.tt
@@ -10,14 +10,14 @@
     <a href="/cgi-bin/koha/mainpage.pl">Home</a> &rsaquo;
     <a href="/cgi-bin/koha/admin/admin-home.pl">Administration</a> &rsaquo;
     <a href="/cgi-bin/koha/admin/items_search_fields.pl">Item search fields</a> &rsaquo;
-    [% field.name %]
+    [% field.name |html %]
   </div>
 
   <div id="doc3" class="yui-t2">
     <div id="bd">
       <div id="yui-main">
         <div class="yui-b">
-          <h1>Item search field: [% field.label %]</h1>
+          <h1>Item search field: [% field.label |html %]</h1>
 
           <form action="/cgi-bin/koha/admin/items_search_field.pl" method="POST" class="validated">
             <fieldset class="rows">
diff --git a/koha-tmpl/intranet-tmpl/prog/en/modules/admin/items_search_fields.tt b/koha-tmpl/intranet-tmpl/prog/en/modules/admin/items_search_fields.tt
index a67f08191a..7dd82e205b 100644
--- a/koha-tmpl/intranet-tmpl/prog/en/modules/admin/items_search_fields.tt
+++ b/koha-tmpl/intranet-tmpl/prog/en/modules/admin/items_search_fields.tt
@@ -27,7 +27,7 @@
 
           [% IF field_added %]
             <div class="dialog message">
-              Field successfully added: [% field_added.label %]
+              Field successfully added: [% field_added.label |html %]
             </div>
           [% ELSIF field_not_added %]
             <div class="dialog alert">
@@ -71,8 +71,8 @@
                     <tbody>
                       [% FOREACH field IN fields %]
                         <tr>
-                          <td>[% field.name %]</td>
-                          <td>[% field.label %]</td>
+                          <td>[% field.name |html %]</td>
+                          <td>[% field.label |html %]</td>
                           <td>[% field.tagfield %]</td>
                           <td>[% field.tagsubfield %]</td>
                           <td>[% field.authorised_values_category %]</td>
-- 
2.39.5