From da03dbd458c59da0b9213efacd3425e89b453332 Mon Sep 17 00:00:00 2001
From: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Date: Fri, 12 Aug 2016 10:42:28 +0100
Subject: [PATCH] Bug 17114: Fix XSS in picture-upload.pl

To reproduce:
1/ cp your_image.jpg 'test<svg onload=alert(1)>.jpg'
2/ Use the upload picture tool to upload this file
=> Without this patch, the alert is show
=> With this patch, the filename is correctly displayed and no alert

Note that the cardnumber var was not escaped neither, it's now.

Signed-off-by: Colin Campbell <colin.campbell@ptfs-europe.com>

Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>

Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
---
 .../intranet-tmpl/prog/en/modules/tools/picture-upload.tt     | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/koha-tmpl/intranet-tmpl/prog/en/modules/tools/picture-upload.tt b/koha-tmpl/intranet-tmpl/prog/en/modules/tools/picture-upload.tt
index 3b1305f5e7..28fce72aad 100644
--- a/koha-tmpl/intranet-tmpl/prog/en/modules/tools/picture-upload.tt
+++ b/koha-tmpl/intranet-tmpl/prog/en/modules/tools/picture-upload.tt
@@ -67,8 +67,8 @@
                         [% IF ( COUNT.TCOUNTS ) %]<li>[% COUNT.TCOUNTS %] image(s) moved into the database:</li>[% END %]
                             [% FOREACH filename IN COUNT.filenames %]
                                 <tr>
-                                <td>[% filename.source %]</td>
-                                <td><a href="/cgi-bin/koha/circ/circulation.pl?findborrower=[% filename.cardnumber %]">[% filename.cardnumber %]</a></td>
+                                <td>[% filename.source | html %]</td>
+                                <td><a href="/cgi-bin/koha/circ/circulation.pl?findborrower=[% filename.cardnumber | url %]">[% filename.cardnumber | html %]</a></td>
                                 <td>
                                     [% IF ( filename.filerrors ) %]
                                     [% FOREACH filerror IN filename.filerrors %]
-- 
2.20.1