From d4b588aca834a94ed9fa6b5af2f8b1c1cbed2667 Mon Sep 17 00:00:00 2001
From: Amit Gupta <amit.gupta@informaticsglobal.com>
Date: Tue, 15 Aug 2017 15:00:55 +0530
Subject: [PATCH] Bug 19110 - XSS Stored in branches.pl

To Test
1. Hit the page /cgi-bin/koha/admin/branches.pl?op=add_form_category
2. Add a text in the field Name and description that contains js.
3. Save the page.
4. Notice js is execute
5. Apply patch and reload, the js is escaped

Fixed for js escaped execute for both pages

1. /cgi-bin/koha/admin/branches.pl?op=delete_confirm&branchcode=xx
   xx is branchcode
2. /cgi-bin/koha/admin/branches.pl?op=add_form with Group(s):

Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>

Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
---
 .../prog/en/modules/admin/branches.tt              | 14 +++++++-------
 1 file changed, 7 insertions(+), 7 deletions(-)

diff --git a/koha-tmpl/intranet-tmpl/prog/en/modules/admin/branches.tt b/koha-tmpl/intranet-tmpl/prog/en/modules/admin/branches.tt
index 7a5f22a691..fb2d723703 100644
--- a/koha-tmpl/intranet-tmpl/prog/en/modules/admin/branches.tt
+++ b/koha-tmpl/intranet-tmpl/prog/en/modules/admin/branches.tt
@@ -162,13 +162,13 @@ tinyMCE.init({
                 <ol>
                     [% FOREACH category IN categories %]
                         <li>
-                            <label for="[% category.categorycode %]">[% category.categoryname %]: </label>
+                            <label for="[% category.categorycode %]">[% category.categoryname |html %]: </label>
                             [% IF category and selected_categorycodes.grep(category.categorycode).size %]
                                 <input type="checkbox" id="[% category.categorycode %]" name="selected_categorycode_[% category.categorycode %]" checked="checked" />
                             [% ELSE %]
                                 <input type="checkbox" id="[% category.categorycode %]" name="selected_categorycode_[% category.categorycode %]" />
                             [% END %]
-                            <span class="hint">[% category.codedescription %]</span>
+                            <span class="hint">[% category.codedescription |html %]</span>
                         </li>
                     [% END %]
                 </ol>
@@ -204,7 +204,7 @@ tinyMCE.init({
 [% IF op == 'delete_confirm' and not ( items_count or patrons_count )%]
     <div class="dialog alert">
         <form action="/cgi-bin/koha/admin/branches.pl" method="post">
-            <h3>Are you sure you want to delete [% library.branchname %] ([% library.branchcode %])?</h3>
+            <h3>Are you sure you want to delete [% library.branchname |html %] ([% library.branchcode %])?</h3>
             <input type="hidden" name="op" value="delete_confirmed" />
             <input type="hidden" name="branchcode" value="[% library.branchcode |html %]" />
             <input type="hidden" name="branchname" value="[% library.branchname |html %]">
@@ -264,7 +264,7 @@ tinyMCE.init({
                         </td>
                         <td>
                             [% FOREACH category IN library.get_categories %]
-                                [% category.categoryname %]<br />
+                                [% category.categoryname |html %]<br />
                             [% END %]
                         </td>
                         <td>[% library.branchip %]</td>
@@ -296,9 +296,9 @@ tinyMCE.init({
                     <tbody>
                         [% FOREACH category IN group_type.categories %]
                             <tr>
-                                <td>[% category.categoryname %]</td>
+                                <td>[% category.categoryname |html %]</td>
                                 <td>[% category.categorycode %]</td>
-                                <td>[% category.codedescription %]</td>
+                                <td>[% category.codedescription |html %]</td>
                                 <td class="actions">
                                   <a class="btn btn-default btn-xs" href="/cgi-bin/koha/admin/branches.pl?categorycode=[% category.categorycode %]&amp;op=add_form_category"><i class="fa fa-pencil"></i> Edit</a>
                                   <a class="btn btn-default btn-xs" href="/cgi-bin/koha/admin/branches.pl?categorycode=[% category.categorycode %]&amp;op=delete_confirm_category"><i class="fa fa-trash"></i> Delete</a>
@@ -382,7 +382,7 @@ tinyMCE.init({
 
 [% IF op == 'delete_confirm_category' %]
     <div class="dialog alert">
-    <h3>Are you sure you want to delete the group '[% category.codedescription %]' ([% category.categorycode %])?</h3>
+    <h3>Are you sure you want to delete the group '[% category.codedescription |html %]' ([% category.categorycode %])?</h3>
     <form action="/cgi-bin/koha/admin/branches.pl" method="post">
         <input type="hidden" name="op" value="delete_confirmed_category" />
         <input type="hidden" name="categorycode" value="[% category.categorycode |html %]" />
-- 
2.39.5