From bc0a636c18b3bb66e29dd7ca0bf4488fe742d75f Mon Sep 17 00:00:00 2001
From: Amit Gupta <amit.gupta@informaticsglobal.com>
Date: Fri, 4 Aug 2017 10:34:19 +0530
Subject: [PATCH] Bug 19034: XSS Flaws in Patron categories pages

1. Hit /cgi-bin/koha/admin/categories.pl
2. Enter <IFRAME SRC="javascript:alert('XSS');"></IFRAME> search patron categories box.
3. Notice the iframe is executed.
4. Apply patch.
5. Reload page, and enter iframe again on search patron categories box.
6. Notice it is no longer executed.

Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
(cherry picked from commit 28b9a1246781fb45427a593703542a99600f6d1f)
Signed-off-by: Fridolin Somers <fridolin.somers@biblibre.com>
---
 koha-tmpl/intranet-tmpl/prog/en/modules/admin/categories.tt | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/koha-tmpl/intranet-tmpl/prog/en/modules/admin/categories.tt b/koha-tmpl/intranet-tmpl/prog/en/modules/admin/categories.tt
index e33b36fc5f..2f965dd099 100644
--- a/koha-tmpl/intranet-tmpl/prog/en/modules/admin/categories.tt
+++ b/koha-tmpl/intranet-tmpl/prog/en/modules/admin/categories.tt
@@ -335,7 +335,7 @@
 
     <h2>Patron categories</h2>
     [% IF searchfield %]
-        You Searched for [% searchfield %]</span>
+        You Searched for [% searchfield |html %]</span>
     [% END %]
     [% IF categories%]
         <table id="table_categorie">
-- 
2.39.2