From 1048a5935b3f032719b10d9763df16dcd5041c64 Mon Sep 17 00:00:00 2001
From: Owen Leonard
Date: Tue, 11 Aug 2020 15:22:33 +0000
Subject: [PATCH] Bug 26102: Prevent XSS when To.json is used: subscription-add.tt

Test the process of adding a subscription, entering both a valid vendor ID and a non-existent vendor ID. The non-existent vendor ID should trigger a validation alert.

Signed-off-by: Nick Clemens
Signed-off-by: Katrin Fischer
Signed-off-by: Kyle M Hall
(cherry picked from commit 583aad8e48790443a14ac4b7dfe85fa1bdeb91a2)
Signed-off-by: Victor Grousset/tuxayo
(cherry picked from commit c971585ab03bf0686d68ad2c73f02006684bc3ed)
Signed-off-by: Wainui Witika-Park
---
 .../intranet-tmpl/prog/en/modules/serials/subscription-add.tt | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/koha-tmpl/intranet-tmpl/prog/en/modules/serials/subscription-add.tt b/koha-tmpl/intranet-tmpl/prog/en/modules/serials/subscription-add.tt
index e4d8441b7c..a82055b5a2 100644
--- a/koha-tmpl/intranet-tmpl/prog/en/modules/serials/subscription-add.tt
+++ b/koha-tmpl/intranet-tmpl/prog/en/modules/serials/subscription-add.tt
@@ -554,6 +554,8 @@ fieldset.rows table { clear: none; margin: 0; }
 var MSG_MANA_SHOW_DETAILS = _("Show Mana results");
 var MSG_MANA_NO_SUBSCRIPTION_FOUND = _("No subscription found on Mana Knowledge Base");
 var MSG_MANA_SHARE_PATTERN = _("Please feel free to share your pattern with all others librarians once you are done");
+
+ var BOOKSELLER_IDS = [% To.json( bookseller_ids ) || '[]' | html %];
 [% Asset.js("js/subscription-add.js") | $raw %]
 [% Asset.js("js/showpredictionpattern.js") | $raw %]
--
2.39.5
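Review bot: The `| html` filter on the added `BOOKSELLER_IDS` line encodes for an HTML text context, but the value is emitted among the `var MSG_MANA_*` statements, which appear to sit inside a script block that opens outside this hunk. Browsers do not decode entities inside a script element, so the filter blocks markup breakout but only yields valid JavaScript while `bookseller_ids` holds bare numbers. A string element would arrive as `&quot;…&quot;` and break the assignment, and the hunk does not show what the array contains. I would state that assumption beside the line, e.g. `// bookseller_ids must be numeric ids: HTML entities are not decoded inside a script block`, and add a vendor id that serialises as a quoted string to the test plan. Longer term, having `To.json` itself escape `<`, `>` and `&` as `\u003c`-style sequences would make the output safe in script context without depending on the HTML filter.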