From 711848f856ebf0215055184a6dd8afa3bd7f688f Mon Sep 17 00:00:00 2001 From: Owen Leonard Date: Tue, 11 Aug 2020 12:34:18 +0000 Subject: [PATCH] Bug 26102: Prevent XSS when To.json is used: authorities/authorities.tt Check that mandatory tags and subfields are correctly required when editing an authority record. Signed-off-by: Nick Clemens Signed-off-by: Katrin Fischer Signed-off-by: Kyle M Hall (cherry picked from commit d9ae296b23d6897070c6bb788387ab39e7da8f09) Signed-off-by: Victor Grousset/tuxayo (cherry picked from commit 3cb5340c89f5c609f9154e2f3eb14ba0e195e0f2) Signed-off-by: Wainui Witika-Park
---
 .../intranet-tmpl/prog/en/modules/authorities/authorities.tt | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/koha-tmpl/intranet-tmpl/prog/en/modules/authorities/authorities.tt b/koha-tmpl/intranet-tmpl/prog/en/modules/authorities/authorities.tt
index 29b373dd35..edea5c4648 100644
--- a/koha-tmpl/intranet-tmpl/prog/en/modules/authorities/authorities.tt
+++ b/koha-tmpl/intranet-tmpl/prog/en/modules/authorities/authorities.tt
@@ -69,7 +69,7 @@ function AreMandatoriesNotOk(){
 [% FOREACH subfield_loo IN innerloo.subfield_loop %]
 [% IF ( subfield_loo.mandatory ) %]mandatories.push("[% subfield_loo.id | html %]");
 tab.push("[% BIG_LOO.number | html %]");
- label.push("[% subfield_loo.marc_lib | $raw |replace("'", "\'") |replace('"', '\"') |replace('\n', '\\n') |replace('\r', '\\r') %]");
+ label.push("[% To.json(subfield_loo.marc_lib) | html %]");
 [% END %]
 [% END %]
 [% END %]
--
2.39.5
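Review bot: The `| html` filter on the added `label.push("[% To.json(subfield_loo.marc_lib) | html %]");` line runs inside a `<script>` block, where HTML entities are never decoded, so a label containing `&`, `<`, `>` or `"` reaches the `label` array as literal `&amp;`/`&lt;`/`&quot;` text, and if To.json emits a quoted JSON string (as JSON encoders do for a scalar) the surrounding quotes become `&quot;` as well — the `</script>` break-out is closed, but the label text later shown to the user is altered. The commit's test plan only checks that mandatory fields are enforced; it should also exercise a subfield whose label contains `&` or a double quote and confirm the displayed label is intact. If the project's To.json already escapes `<`, `>` and `&` as `\uXXXX` sequences (not visible here), the usual form for a JS literal would be `label.push([% To.json(subfield_loo.marc_lib) | $raw %]);`; otherwise keep this line and decode the entities on the JS side before display. AreMandatoriesNotOk's body starts and ends outside the hunk.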