From 06261dce0b397a4057d343e50aaf244ddff5f974 Mon Sep 17 00:00:00 2001 From: Amit Gupta Date: Mon, 7 Aug 2017 21:24:44 +0530 Subject: [PATCH] Bug 19051 - XSS Flaws in Batch item deletion page 1. Hit /cgi-bin/koha/tools/batchMod.pl?del=1 2. Enter in the Barcode list (one barcode per line) text area. 3. Notice the iframe is executed. 4. Apply patch. 5. Reload page, and enter iframe again on Barcode list (one barcode per line) text area. 6. Notice it is no longer executed. 7. Fixes for both barcode and itemnumber. Signed-off-by: Chris Cormack Signed-off-by: Marcel de Rooy Signed-off-by: Jonathan Druart (cherry picked from commit 560d5e472ae30d9f0d0984cd6dbf34ca12b0cae1) Signed-off-by: Fridolin Somers --- koha-tmpl/intranet-tmpl/prog/en/modules/tools/batchMod-del.tt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/koha-tmpl/intranet-tmpl/prog/en/modules/tools/batchMod-del.tt b/koha-tmpl/intranet-tmpl/prog/en/modules/tools/batchMod-del.tt index d66d15d502..5ad619579c 100644 --- a/koha-tmpl/intranet-tmpl/prog/en/modules/tools/batchMod-del.tt +++ b/koha-tmpl/intranet-tmpl/prog/en/modules/tools/batchMod-del.tt @@ -58,7 +58,7 @@ $(document).ready(function(){ [% FOREACH notfoundbarcode IN notfoundbarcodes %] - [% notfoundbarcode.barcode %] + [% notfoundbarcode.barcode |html %] [% END %] -- 2.39.2
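Review bot: The commit message says "Fixes for both barcode and itemnumber", but the diffstat is "1 file changed, 1 insertion(+), 1 deletion(-)" and the only hunk escapes `[% notfoundbarcode.barcode |html %]`; nothing in this patch touches an itemnumber output, so either the itemnumber escaping was dropped in the cherry-pick from 560d5e472ae30d9f0d0984cd6dbf34ca12b0cae1 or the summary overstates the fix, and the batchMod-del.tt template should be checked for any remaining unescaped `notfoundbarcode` fields. The hunk's leading context is `$(document).ready(function(){`, so please also confirm the FOREACH emits into HTML markup rather than into a JavaScript string, since the `|html` filter is only the correct encoder for an HTML context.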