From 690509d0bd89529c664621469e62eacf2d206cd7 Mon Sep 17 00:00:00 2001
From: Owen Leonard
Date: Tue, 11 Aug 2020 12:41:13 +0000
Subject: [PATCH] Bug 26102: Prevent XSS when To.json is used: authorities/blinddetail-biblio-search.tt

Test the process of searching for and selecting an authority record for use in the basic MARC editor.

Signed-off-by: Nick Clemens
Signed-off-by: Katrin Fischer
Signed-off-by: Kyle M Hall
(cherry picked from commit 57a2a82c504815d5d8e95c20be43611d96abcf13)
Signed-off-by: Victor Grousset/tuxayo
---
 .../en/modules/authorities/blinddetail-biblio-search.tt | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/koha-tmpl/intranet-tmpl/prog/en/modules/authorities/blinddetail-biblio-search.tt b/koha-tmpl/intranet-tmpl/prog/en/modules/authorities/blinddetail-biblio-search.tt
index 16360262f5..c0915df109 100644
--- a/koha-tmpl/intranet-tmpl/prog/en/modules/authorities/blinddetail-biblio-search.tt
+++ b/koha-tmpl/intranet-tmpl/prog/en/modules/authorities/blinddetail-biblio-search.tt
@@ -30,11 +30,11 @@
 [% IF ( clear ) %]
 var new_line = "";
 [% ELSE %]
- var new_line = "
+ var new_line = "
 [%- FOREACH SUBFIELD_LOO IN SUBFIELD_LOOP -%]‡
-[%- To.json( SUBFIELD_LOO.marc_subfield ) | $raw -%]
+[%- To.json( SUBFIELD_LOO.marc_subfield ) | html -%]
 [%- FOREACH marc_value IN SUBFIELD_LOO.marc_values -%]
-[%- To.json( marc_value ) | $raw -%]
+[%- To.json( marc_value ) | html -%]
 [%- END -%]
 [%- END -%]‡9[% authid | html %]";
 [% END %]
-- 
2.39.5
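Review bot: Switching the two `To.json(...)` outputs in this hunk from `$raw` to `html` stops a `</script>` sequence in a subfield value from closing the script element, but the text of a `<script>` element is not entity-decoded by the browser, so any subfield code or value containing `&`, `<`, `>`, `"` or `'` will now arrive in `new_line` as `&amp;`, `&lt;`, `&quot;` and so on instead of the original characters. Whether that matters depends on the code that later splits `new_line` on `‡` and writes the pieces into the editor, which lies outside this hunk (as do the opening and closing of the enclosing `<script>`); if it does not decode entities, values with those characters could be silently altered when saved, so this should be confirmed against that consumer. An approach that keeps the data intact is to stay on `$raw` and have the JSON encoder emit `<`, `>` and `&` as `\u003c`, `\u003e` and `\u0026`, which the JavaScript string parser decodes but the HTML parser never sees as markup. The `-`/`+` pair for `var new_line = "` shows no visible difference and is presumably a whitespace-only change.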