From cd4c959f7226b060f683f5571f030cc2df7539ca Mon Sep 17 00:00:00 2001
From: Chris Cormack <chrisc@catalyst.net.nz>
Date: Fri, 19 Jun 2015 11:41:45 +1200
Subject: [PATCH] Bug 14418: More XSS vulnerabilities in opac-shelves.pl

To test:
1/ Hit a url like
/cgi-bin/koha/opac-shelves.pl?viewshelf=7&op=modif&display="><script>alert('oh
noes')</script>  Where the id is a valid shelf id
2/ Notice the js is executed
3/ Apply patch
4/ Reload page
5/ Notice input is now escaped on display

Signed-off-by: Jonathan Druart <jonathan.druart@koha-community.org>
Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>
Tested in Debian, couldn't reproduce the alert in Iceweasel, but in
Chromium. Patch fixes it.
Signed-off-by: Tomas Cohen Arazi <tomascohen@unc.edu.ar>
---
 koha-tmpl/opac-tmpl/bootstrap/en/modules/opac-shelves.tt | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/koha-tmpl/opac-tmpl/bootstrap/en/modules/opac-shelves.tt b/koha-tmpl/opac-tmpl/bootstrap/en/modules/opac-shelves.tt
index b586ac1241..1dae5796ec 100644
--- a/koha-tmpl/opac-tmpl/bootstrap/en/modules/opac-shelves.tt
+++ b/koha-tmpl/opac-tmpl/bootstrap/en/modules/opac-shelves.tt
@@ -533,7 +533,7 @@
                     [% IF ( edit ) %]
                         <form method="post" action="/cgi-bin/koha/opac-shelves.pl">
                             <input type="hidden" name="op" value="modifsave" />
-                            <input type="hidden" name="display" value="[% display %]" />
+                            <input type="hidden" name="display" value="[% display |html %]" />
                             <input type="hidden" name="shelfnumber" value="[% shelfnumber | html %]" />
                             <fieldset class="rows">
                                 <legend>Editing <em>[% shelfname |html %]</em></legend>
-- 
2.20.1