From e29e6e656f483018164a6a426f5b6ba2fc3b5995 Mon Sep 17 00:00:00 2001
From: Amit Gupta <amit.gupta@informaticsglobal.com>
Date: Mon, 13 Nov 2017 09:27:44 +0530
Subject: [PATCH] Bug 19614: Fix XSS in members/pay.pl

To Test
1. Hit the page /cgi-bin/koha/members/memberentry.pl
2. Add a text in the field firstname, surname that contains js
3. Save the page.
4. click on fine tab
5. Notice js is execute
6. Apply patch and reload, the js is escaped

Signed-off-by: Chris Cormack <chris@bigballofwax.co.nz>

Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>

Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
(cherry picked from commit e576b89c461c87efc122816fca9f6c3ba08a1833)
Signed-off-by: Fridolin Somers <fridolin.somers@biblibre.com>
---
 koha-tmpl/intranet-tmpl/prog/en/modules/members/pay.tt | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/koha-tmpl/intranet-tmpl/prog/en/modules/members/pay.tt b/koha-tmpl/intranet-tmpl/prog/en/modules/members/pay.tt
index 092cc0d8d7..6a3e90221c 100644
--- a/koha-tmpl/intranet-tmpl/prog/en/modules/members/pay.tt
+++ b/koha-tmpl/intranet-tmpl/prog/en/modules/members/pay.tt
@@ -3,7 +3,7 @@
 [% USE Branches %]
 [% USE Price %]
 [% INCLUDE 'doc-head-open.inc' %]
-<title>Koha &rsaquo; Patrons &rsaquo; Pay Fines for  [% borrower.firstname %] [% borrower.surname %]</title>
+<title>Koha &rsaquo; Patrons &rsaquo; Pay Fines for  [% borrower.firstname |html %] [% borrower.surname |html %]</title>
 [% INCLUDE 'doc-head-close.inc' %]
 <script type="text/javascript" src="[% interface %]/lib/jquery/plugins/jquery.checkboxes.min.js"></script>
 <script type= "text/javascript">
@@ -48,7 +48,7 @@ function enableCheckboxActions(){
 [% INCLUDE 'header.inc' %]
 [% INCLUDE 'patron-search.inc' %]
 
-<div id="breadcrumbs"><a href="/cgi-bin/koha/mainpage.pl">Home</a> &rsaquo; <a href="/cgi-bin/koha/members/members-home.pl">Patrons</a>  &rsaquo; Pay fines for [% borrower.firstname %] [% borrower.surname %]</div>
+<div id="breadcrumbs"><a href="/cgi-bin/koha/mainpage.pl">Home</a> &rsaquo; <a href="/cgi-bin/koha/members/members-home.pl">Patrons</a>  &rsaquo; Pay fines for [% borrower.firstname |html %] [% borrower.surname |html %]</div>
 
 <div id="doc3" class="yui-t2">
    
@@ -168,7 +168,7 @@ function enableCheckboxActions(){
 </fieldset>
 </form>
 [% ELSE %]
-    <p>[% borrower.firstname %] [% borrower.surname %] has no outstanding fines.</p>
+    <p>[% borrower.firstname |html %] [% borrower.surname |html %] has no outstanding fines.</p>
 [% END %]
 </div></div>
 
-- 
2.39.5