From 570eb4026642f71e462c7746a9c91721aa9334c1 Mon Sep 17 00:00:00 2001
From: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Date: Mon, 18 Sep 2017 14:53:41 -0300
Subject: [PATCH] Bug 19333: Fix XSS in opac-shelves

category is send back to the template, it must be escaped

Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
---
 .../opac-tmpl/bootstrap/en/modules/opac-shelves.tt   | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)

diff --git a/koha-tmpl/opac-tmpl/bootstrap/en/modules/opac-shelves.tt b/koha-tmpl/opac-tmpl/bootstrap/en/modules/opac-shelves.tt
index 0791bb6269..e6e81ab625 100644
--- a/koha-tmpl/opac-tmpl/bootstrap/en/modules/opac-shelves.tt
+++ b/koha-tmpl/opac-tmpl/bootstrap/en/modules/opac-shelves.tt
@@ -171,7 +171,7 @@
                                         <form method="get" action="/cgi-bin/koha/opac-shelves.pl" class="form-inline">
                                             <input type="hidden" name="op" value="edit_form" />
                                             <input type="hidden" name="referer" value="view" />
-                                            <input type='hidden' name='category' value='[% category %]' />
+                                            <input type='hidden' name='category' value='[% category | html %]' />
                                             <input type="hidden" name="shelfnumber" value="[% shelf.shelfnumber | html %]" />
                                             <input type="submit" class="editshelf" value="Edit list" />
                                         </form>
@@ -179,7 +179,7 @@
                                         <form method="post" action="/cgi-bin/koha/opac-shelves.pl" class="form-inline">
                                             <input type="hidden" name="op" value="delete" />
                                             <input type="hidden" name="referer" value="list" />
-                                            <input type='hidden' name='category' value='[% category %]' />
+                                            <input type='hidden' name='category' value='[% category | html %]' />
                                             <input type="hidden" name="shelfnumber" value="[% shelf.shelfnumber | html %]" />
                                             <input type="submit" class="deleteshelf" value="Delete list" onclick="return confirmDelete(MSG_CONFIRM_DELETE_LIST);"/>
                                         </form>
@@ -190,7 +190,7 @@
                                         <form action="/cgi-bin/koha/opac-shelves.pl" method="post" class="form-inline">
                                             <input type="hidden" name="op" value="remove_share" />
                                             <input type="hidden" name="referer" value="list" />
-                                            <input type='hidden' name='category' value='[% category %]' />
+                                            <input type='hidden' name='category' value='[% category | html %]' />
                                             <input type="hidden" name="shelfnumber" value="[% shelf.shelfnumber | html %]" />
                                             <input type="submit" class="deleteshelf" onclick="return confirmDelete(MSG_CONFIRM_REMOVE_SHARE);" value="Remove share" />
                                         </form>
@@ -692,7 +692,7 @@
                                                         <form action="/cgi-bin/koha/opac-shelves.pl" method="post" class="form-inline">
                                                             <input type="hidden" name="op" value="delete" />
                                                             <input type="hidden" name="referer" value="list" />
-                                                            <input type='hidden' name='category' value='[% category %]' />
+                                                            <input type='hidden' name='category' value='[% category | html %]' />
                                                             <input type="hidden" name="shelfnumber" value="[% s.shelfnumber | html %]" />
                                                             <input type="submit" class="deleteshelf" onclick="return confirmDelete(MSG_CONFIRM_DELETE_LIST);" value="Delete" />
                                                         </form>
@@ -704,7 +704,7 @@
                                                         <form action="opac-shelves.pl" method="post" class="form-inline">
                                                             <input type="hidden" name="op" value="remove_share" />
                                                             <input type="hidden" name="referer" value="list" />
-                                                            <input type='hidden' name='category' value='[% category %]' />
+                                                            <input type='hidden' name='category' value='[% category | html %]' />
                                                             <input type="hidden" name="shelfnumber" value="[% s.shelfnumber | html %]" />
                                                             <input type="submit" class="deleteshelf" onclick="return confirmDelete(MSG_CONFIRM_REMOVE_SHARE);" value="Remove share" />
                                                         </form>
@@ -957,7 +957,7 @@ function AdjustRemark() {
     if( $("#category").length > 0 ) {
         category = $("#category").val();
     } else {
-        category = [% category %];
+        category = [% category | html %];
     }
     var perms = $("#allow_changes_from").val();
 
-- 
2.39.2