From 491a8c979c91fe447010dd139912624014549e3e Mon Sep 17 00:00:00 2001 From: Amit Gupta Date: Fri, 4 Aug 2017 10:41:49 +0530 Subject: [PATCH] Bug 19034: XSS Flaws in Z39.50/SRU servers administration 1. Hit /cgi-bin/koha/admin/z3950servers.pl 2. Enter search Z39.50/SRU servers box. 3. Notice the iframe is executed. 4. Apply patch. 5. Reload page, and enter iframe again on search Z39.50/SRU servers box. 6. Notice it is no longer executed. Signed-off-by: Tomas Cohen Arazi --- koha-tmpl/intranet-tmpl/prog/en/modules/admin/z3950servers.tt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/koha-tmpl/intranet-tmpl/prog/en/modules/admin/z3950servers.tt b/koha-tmpl/intranet-tmpl/prog/en/modules/admin/z3950servers.tt index dda1a0f2d3..ef90d6e81b 100644 --- a/koha-tmpl/intranet-tmpl/prog/en/modules/admin/z3950servers.tt +++ b/koha-tmpl/intranet-tmpl/prog/en/modules/admin/z3950servers.tt @@ -225,7 +225,7 @@ [% IF id %] You searched for record [% id %] [% ELSIF searchfield %] - You searched for [% searchfield %] + You searched for [% searchfield |html %] [% END %] -- 2.39.2
TargetHostname/PortDatabaseUseridPasswordPreselectedRankSyntaxEncodingTimeoutRecord type
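Review bot: The `[% IF id %]` branch of this hunk still prints `You searched for record [% id %]` without the `|html` filter that the change adds to `searchfield` on the `ELSIF` branch. If `id` can reach the template from request input in the same way, that branch keeps the reflected-markup behaviour described in the test plan; suggest changing it to `[% id |html %]` in the same patch. The diff touches only this one output of `searchfield`, so it is also worth confirming that no other place in z3950servers.tt echoes the value unfiltered, and adding a test-plan step that covers the `id` path.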