From 2ad850b0b56219d67d25065ece3b4cb2b61361ba Mon Sep 17 00:00:00 2001
From: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Date: Wed, 3 Aug 2016 08:49:10 +0100
Subject: [PATCH] Bug 17036: Fix XSS in circulation.pl
MIME-Version: 1.0
Content-Type: text/plain; charset=utf8
Content-Transfer-Encoding: 8bit

Test plan:
Enter the following in the "Check out" tab:
"><script>alert('XSS')</script>

=> Without this patch you will see the alert
=> With this patch, no more alert

Signed-off-by: Chris Cormack <chrisc@catalyst.net.nz>

Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>

Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
(cherry picked from commit 96a9c2715ee2e4388e105e86e221bc280e1d757f)
Signed-off-by: Frédéric Demians <f.demians@tamil.fr>
(cherry picked from commit 3bf66eb1a1af1f917ffbf3865762cac64bfdbaef)
Signed-off-by: Julian Maurice <julian.maurice@biblibre.com>
---
 koha-tmpl/intranet-tmpl/prog/en/modules/circ/circulation.tt | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/koha-tmpl/intranet-tmpl/prog/en/modules/circ/circulation.tt b/koha-tmpl/intranet-tmpl/prog/en/modules/circ/circulation.tt
index 4725984060..3042c1efc6 100644
--- a/koha-tmpl/intranet-tmpl/prog/en/modules/circ/circulation.tt
+++ b/koha-tmpl/intranet-tmpl/prog/en/modules/circ/circulation.tt
@@ -555,7 +555,7 @@ $(document).ready(function() {
 [% IF ( message ) %]
 [% INCLUDE 'patron-toolbar.inc' %]
 <h4>
-No patron matched <span class="ex">[% message %]</span>
+No patron matched <span class="ex">[% message | html %]</span>
 </h4>
 [% END %]
 
-- 
2.39.5