From 944c4ffcb659487fb30c0b9bdb6ac50ce7a3dfe1 Mon Sep 17 00:00:00 2001
From: Amit Gupta <amit.gupta@informaticsglobal.com>
Date: Tue, 15 Aug 2017 19:51:48 +0530
Subject: [PATCH] Bug 19112 - Stored XSS in basketheader.pl page

To Test

1. Hit the page /cgi-bin/koha/acqui/basketheader.pl?booksellerid=1&op=add_form
2. Add a text in the field Basket name, Internal note, Vendor note that contains java script
3. Save the page
4. Notice js is execute
5. Apply patch, reload, js is escaped.

Fixed XSS on pages basket.pl/basketheader.pl/bookseller.pl

Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>

Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Mason James <mtj@kohaaloha.com>
---
 koha-tmpl/intranet-tmpl/prog/en/modules/acqui/basket.tt   | 4 ++--
 .../intranet-tmpl/prog/en/modules/acqui/basketheader.tt   | 8 ++++----
 .../intranet-tmpl/prog/en/modules/acqui/booksellers.tt    | 2 +-
 3 files changed, 7 insertions(+), 7 deletions(-)

diff --git a/koha-tmpl/intranet-tmpl/prog/en/modules/acqui/basket.tt b/koha-tmpl/intranet-tmpl/prog/en/modules/acqui/basket.tt
index 5f61f4cdae..ef50ba4547 100644
--- a/koha-tmpl/intranet-tmpl/prog/en/modules/acqui/basket.tt
+++ b/koha-tmpl/intranet-tmpl/prog/en/modules/acqui/basket.tt
@@ -296,8 +296,8 @@
                 <div class="rows">
                 <div class="yui-u first">
                 <ol>
-                [% IF ( basketnote ) %]<li><span class="label">Internal note:</span> [% basketnote %]</li>[% END %]
-                [% IF ( basketbooksellernote ) %]<li><span class="label">Vendor note:</span> [% basketbooksellernote %]</li>[% END %]
+                [% IF ( basketnote ) %]<li><span class="label">Internal note:</span> [% basketnote |html %]</li>[% END %]
+                [% IF ( basketbooksellernote ) %]<li><span class="label">Vendor note:</span> [% basketbooksellernote |html %]</li>[% END %]
                 [% IF ( basketcontractno ) %]
                     <li><span class="label">Contract name:</span> <a href="../admin/aqcontract.pl?op=add_form&amp;contractnumber=[% basketcontractno %]&amp;booksellerid=[% booksellerid %]">[% basketcontractname %]</a></li>
                 [% END %]
diff --git a/koha-tmpl/intranet-tmpl/prog/en/modules/acqui/basketheader.tt b/koha-tmpl/intranet-tmpl/prog/en/modules/acqui/basketheader.tt
index 195022a9e1..70c3671c8e 100644
--- a/koha-tmpl/intranet-tmpl/prog/en/modules/acqui/basketheader.tt
+++ b/koha-tmpl/intranet-tmpl/prog/en/modules/acqui/basketheader.tt
@@ -18,7 +18,7 @@
     <a href="/cgi-bin/koha/acqui/acqui-home.pl">Acquisitions</a> &rsaquo;
     <a href="/cgi-bin/koha/acqui/supplier.pl?booksellerid=[% booksellerid %]">[% booksellername %]</a> &rsaquo;
     [% IF ( add_form ) %]
-        [% IF ( basketno ) %]Edit basket '[% basketname %]'
+        [% IF ( basketno ) %]Edit basket '[% basketname |html %]'
         [% ELSE %]Add a basket to [% booksellername %]
         [% END %]
     [% END %]
@@ -31,7 +31,7 @@
 
     [% IF ( add_form ) %]
         [% IF ( basketno ) %]
-            <h1>Edit basket [% basketname %]</h1>
+            <h1>Edit basket [% basketname |html %]</h1>
         [% ELSE %]<h1>Add a basket to [% booksellername %]</h1>
         [% END %]
     <form name="Aform" action="[% script_name %]" method="post" class="validated">
@@ -93,11 +93,11 @@
                 </li>
                 <li>
                     <label for="basketnote">Internal note: </label> &nbsp;
-                    <textarea name="basketnote" id="basketnote" rows="5" cols="40">[% basketnote %]</textarea>
+                    <textarea name="basketnote" id="basketnote" rows="5" cols="40">[% basketnote |html %]</textarea>
                 </li>
                 <li>
                     <label for="basketbooksellernote">Vendor note: </label> &nbsp;
-                    <textarea name="basketbooksellernote" id="basketbooksellernote" rows="5" cols="40">[% basketbooksellernote %]</textarea>
+                    <textarea name="basketbooksellernote" id="basketbooksellernote" rows="5" cols="40">[% basketbooksellernote |html %]</textarea>
                 </li>
                 [% IF ( contractloop ) %]
                     <li><label for="basketcontractnumber">Contract: </label>
diff --git a/koha-tmpl/intranet-tmpl/prog/en/modules/acqui/booksellers.tt b/koha-tmpl/intranet-tmpl/prog/en/modules/acqui/booksellers.tt
index 7f66ca62c0..50331d7d18 100644
--- a/koha-tmpl/intranet-tmpl/prog/en/modules/acqui/booksellers.tt
+++ b/koha-tmpl/intranet-tmpl/prog/en/modules/acqui/booksellers.tt
@@ -122,7 +122,7 @@ $(document).ready(function() {
                                         <tr>
                                     [% END %]
                                         <td>[% basket.basketno %]</td>
-                                        <td>[% basket.basketname %]</td>
+                                        <td>[% basket.basketname |html %]</td>
                                         <td>
                                             <span title="[% basket.total_items %]">[% basket.total_items %]
                                                 [% IF basket.total_items_cancelled %]
-- 
2.39.5