From 1dd066cb99fe67070097453a71a5414640576fb5 Mon Sep 17 00:00:00 2001
From: Amit Gupta
Date: Thu, 10 Aug 2017 21:51:38 +0530
Subject: [PATCH] Bug 19078 - XSS Flaws in System preferences

1. Hit /cgi-bin/koha/admin/preferences.pl
2. Enter in search system preferences box.
3. Notice the java script is executed.
4. Apply patch.
5. Reload page, and enter in search system preferences box.
6. Notice it is no longer executed.

Signed-off-by: Chris Cormack
Signed-off-by: Marcel de Rooy
---
 koha-tmpl/intranet-tmpl/prog/en/modules/admin/preferences.tt | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/koha-tmpl/intranet-tmpl/prog/en/modules/admin/preferences.tt b/koha-tmpl/intranet-tmpl/prog/en/modules/admin/preferences.tt
index 28ccddcff0..ed2aa03547 100644
--- a/koha-tmpl/intranet-tmpl/prog/en/modules/admin/preferences.tt
+++ b/koha-tmpl/intranet-tmpl/prog/en/modules/admin/preferences.tt
@@ -31,7 +31,7 @@
 });
 });
 // This is here because of its dependence on template variables, everything else should go in js/pages/preferences.js - jpw
- var to_highlight = "[% searchfield |replace("'", "\'") |replace('"', '\"') |replace('\n', '\\n') |replace('\r', '\\r') %]";
+ var to_highlight = "[% searchfield |replace("'", "\'") |replace('"', '\"') |replace('\n', '\\n') |replace('\r', '\\r') |html %]";
 var search_jumped = [% IF ( search_jumped ) %]true[% ELSE %]false[% END %];
 var MSG_NOTHING_TO_SAVE = _("Nothing to save");
 var MSG_SAVING = _("Saving...");
-- 
2.39.2
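Review bot: The added `|html` filter on the `to_highlight` line closes the string-literal break-out, but it encodes for an HTML text context while the target is a JavaScript string literal inside what is evidently an inline script block, so `to_highlight` now carries `&quot;` and `&amp;` (script contents are not entity-decoded by the browser) and no longer equals a search term containing `"` or `&`; the preceding `replace('"', '\"')` now yields `\&quot;` after escaping, so that replace step is redundant. If the project's Template Toolkit setup provides a JSON or JavaScript-string-escaping filter, emitting the value through it would give a correct literal without the hand-rolled replace chain; failing that, keeping `|html` as the last filter, as done here, is what neutralises `<` and so prevents closing the script element. Whichever filter is kept, a comment such as `// searchfield is user input: |html must stay last so the value cannot terminate the script block` would record why the chain is ordered this way. How `to_highlight` is consumed in js/pages/preferences.js is outside the hunk; if it is interpolated into a regex or into HTML there, that sink needs its own escaping regardless of what happens on this line.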