From bd298a135138703f4ab3ff4986dd964326a18ffc Mon Sep 17 00:00:00 2001
From: Amit Gupta <amit.gupta@informaticsglobal.com>
Date: Mon, 7 Aug 2017 22:04:30 +0530
Subject: [PATCH] Bug 19052 - XSS Flaws in vendor search page

1. Hit /cgi-bin/koha/acqui/booksellers.pl
2. Enter <IFRAME SRC="javascript:alert('XSS');"></IFRAME> vendor search box.
3. Notice the iframe is executed.
4. Apply patch.
5. Reload page, and enter iframe again on vendor search box.
6. Notice it is no longer executed.

Signed-off-by: Chris Cormack <chrisc@catalyst.net.nz>

Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
---
 koha-tmpl/intranet-tmpl/prog/en/modules/acqui/booksellers.tt | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/koha-tmpl/intranet-tmpl/prog/en/modules/acqui/booksellers.tt b/koha-tmpl/intranet-tmpl/prog/en/modules/acqui/booksellers.tt
index 60c593d0b2..50331d7d18 100644
--- a/koha-tmpl/intranet-tmpl/prog/en/modules/acqui/booksellers.tt
+++ b/koha-tmpl/intranet-tmpl/prog/en/modules/acqui/booksellers.tt
@@ -42,7 +42,7 @@ $(document).ready(function() {
 [% INCLUDE 'header.inc' %]
 [% INCLUDE 'acquisitions-search.inc' %]
 
-<div id="breadcrumbs"><a href="/cgi-bin/koha/mainpage.pl">Home</a> &rsaquo; <a href="/cgi-bin/koha/acqui/acqui-home.pl">Acquisitions</a> &rsaquo; Search for vendor <em>[% supplier %]</em> </div>
+<div id="breadcrumbs"><a href="/cgi-bin/koha/mainpage.pl">Home</a> &rsaquo; <a href="/cgi-bin/koha/acqui/acqui-home.pl">Acquisitions</a> &rsaquo; Search for vendor <em>[% supplier |html %]</em> </div>
 
 <div id="doc3" class="yui-t2">
    
-- 
2.39.2