From 8c3da351307be664a879148ce4ca9215ca1c2da7 Mon Sep 17 00:00:00 2001
From: Amit Gupta <amit.gupta@informaticsglobal.com>
Date: Fri, 4 Aug 2017 09:44:52 +0530
Subject: [PATCH] Bug 19033: XSS Flaws in Currencies and exchange page

1. Hit /cgi-bin/koha/admin/currency.pl
2. Enter <IFRAME SRC="javascript:alert('XSS');"></IFRAME> search currencies box.
3. Notice the iframe is executed
4. Apply patch
5. Reload page, and enter iframe again on search currencies box.
6. Notice it is no longer executed

Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
Fixes the issue, follows common practice on the codebase.

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
---
 koha-tmpl/intranet-tmpl/prog/en/modules/admin/currency.tt | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/koha-tmpl/intranet-tmpl/prog/en/modules/admin/currency.tt b/koha-tmpl/intranet-tmpl/prog/en/modules/admin/currency.tt
index 9b7e1062b4..d7285b8cf1 100644
--- a/koha-tmpl/intranet-tmpl/prog/en/modules/admin/currency.tt
+++ b/koha-tmpl/intranet-tmpl/prog/en/modules/admin/currency.tt
@@ -198,7 +198,7 @@
     [% END %]
 
     [% IF searchfield %]
-        You searched for [% searchfield %]</span>
+        You searched for [% searchfield |html %]</span>
     [% END %]
 
     <table id='currencies-table'>
-- 
2.39.5