From bd87a319366ed3dc1d9792d4c1103c76f77b0eda Mon Sep 17 00:00:00 2001 From: Owen Leonard Date: Tue, 11 Aug 2020 12:34:18 +0000 Subject: [PATCH] Bug 26102: Prevent XSS when To.json is used: authorities/authorities.tt Check that mandatory tags and subfields are correctly required when editing an authority record. Signed-off-by: Nick Clemens Signed-off-by: Katrin Fischer Signed-off-by: Fridolin Somers --- .../intranet-tmpl/prog/en/modules/authorities/authorities.tt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/koha-tmpl/intranet-tmpl/prog/en/modules/authorities/authorities.tt b/koha-tmpl/intranet-tmpl/prog/en/modules/authorities/authorities.tt index 56e38dbddc..e9bcf3f8cb 100644 --- a/koha-tmpl/intranet-tmpl/prog/en/modules/authorities/authorities.tt +++ b/koha-tmpl/intranet-tmpl/prog/en/modules/authorities/authorities.tt @@ -79,7 +79,7 @@ function AreMandatoriesNotOk(){ [% FOREACH subfield_loo IN innerloo.subfield_loop %] [% IF ( subfield_loo.mandatory ) %]mandatories.push("[% subfield_loo.id | html %]"); tab.push("[% BIG_LOO.number | html %]"); - label.push("[% To.json(subfield_loo.marc_lib) | $raw %]"); + label.push("[% To.json(subfield_loo.marc_lib) | html %]"); [% END %] [% END %] [% END %] -- 2.39.2
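Review bot: On the changed `label.push(...)` line, `| html` is applied to a value that lands inside a double-quoted JavaScript string literal, so the encoder does not match the output context. Template Toolkit's `html` filter rewrites `<`, `>`, `&` and `"` as entities. That keeps the string literal and any enclosing script element from being closed early, but if this block is emitted inside a script element the browser will not decode those entities, and a `marc_lib` containing `&` or a quote will reach `label` as literal `&amp;` or `&quot;` text. Please check how `label` is consumed further down in `AreMandatoriesNotOk()`. If it is shown as plain text, the message will display the entities. If it is written into the page as markup, the entities get decoded again, so confirm that `<` in a subfield description still cannot produce an element there. The test plan in the commit message covers only the mandatory-field check; it would help to add a step that edits an authority record whose subfield description contains `<`, `&` and `"` and confirms both that no script runs and that the label reads correctly.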