From 57757250d6f1c02ffd212052bac5459a76f8625c Mon Sep 17 00:00:00 2001
From: Chris Cormack <chrisc@catalyst.net.nz>
Date: Tue, 3 Dec 2013 11:46:24 +1300
Subject: [PATCH] Bug 11322: fix XSS bug in purchase suggestions - OPAC

1/ Add a suggestion in the opac, with lots of html
2/ View that suggestion in the OPAC, note the html is rendering
3/ Apply the patch
4/ Test again, in prog and bootstrap, no more rendered html

Signed-off-by: David Cook <dcook@prosentient.com.au>

Works as described.

Signed-off-by: Katrin Fischer <Katrin.Fischer.83@web.de>
Signed-off-by: Galen Charlton <gmc@esilibrary.com>
(cherry picked from commit 90f3b84def924dcc76719c01d75aa09241c92f8e)
Signed-off-by: Fridolin SOMERS <fridolin.somers@biblibre.com>
(cherry picked from commit 3eac4854a4309612c4bdd33eed5fbcb77d59d5ad)
Signed-off-by: Tomas Cohen Arazi <tomascohen@gmail.com>
---
 .../opac-tmpl/prog/en/modules/opac-suggestions.tt  | 14 +++++++-------
 1 file changed, 7 insertions(+), 7 deletions(-)

diff --git a/koha-tmpl/opac-tmpl/prog/en/modules/opac-suggestions.tt b/koha-tmpl/opac-tmpl/prog/en/modules/opac-suggestions.tt
index f626eb2b86..4f93895427 100644
--- a/koha-tmpl/opac-tmpl/prog/en/modules/opac-suggestions.tt
+++ b/koha-tmpl/opac-tmpl/prog/en/modules/opac-suggestions.tt
@@ -200,16 +200,16 @@ $.tablesorter.addParser({
                 </td>[% END %]
                 <td>
                     <p><strong>[% suggestions_loo.title |html %]</strong></p>
-                    <p>[% IF ( suggestions_loo.author ) %][% suggestions_loo.author %],[% END %]
-                        [% IF ( suggestions_loo.copyrightdate ) %] - [% suggestions_loo.copyrightdate %],[% END %] 
-                        [% IF ( suggestions_loo.publishercode ) %] - [% suggestions_loo.publishercode %][% END %]
-                        [% IF ( suggestions_loo.place ) %]([% suggestions_loo.place %])[% END %]
-                        [% IF ( suggestions_loo.collectiontitle ) %] , [% suggestions_loo.collectiontitle %][% END %]
+                    <p>[% IF ( suggestions_loo.author ) %][% suggestions_loo.author |html %],[% END %]
+                        [% IF ( suggestions_loo.copyrightdate ) %] - [% suggestions_loo.copyrightdate |html %],[% END %]
+                        [% IF ( suggestions_loo.publishercode ) %] - [% suggestions_loo.publishercode |html %][% END %]
+                        [% IF ( suggestions_loo.place ) %]([% suggestions_loo.place |html %])[% END %]
+                        [% IF ( suggestions_loo.collectiontitle ) %] , [% suggestions_loo.collectiontitle |html%][% END %]
                         [% IF ( suggestions_loo.itemtype ) %] - [% suggestions_loo.itemtype %][% END %]
                     </p>
                 </td>
                 <td>
-                    [% suggestions_loo.note %]
+                    [% suggestions_loo.note |html %]
                 </td>
                 [% IF ( OPACViewOthersSuggestions ) %]<td>
                     [% IF ( suggestions_loo.branchcodesuggestedby ) %][% suggestions_loo.branchcodesuggestedby %][% ELSE %]&nbsp;[% END %]
@@ -224,7 +224,7 @@ $.tablesorter.addParser({
                     [% IF ( suggestions_loo.ORDERED ) %]Ordered by the library[% END %]
                     [% IF ( suggestions_loo.REJECTED ) %]Suggestion declined [% END %]
                     [% IF ( suggestions_loo.AVAILABLE ) %]Available in the library[% END %]
-                    [% IF ( suggestions_loo.reason ) %]([% suggestions_loo.reason %])[% END %]
+                    [% IF ( suggestions_loo.reason ) %]([% suggestions_loo.reason | html %])[% END %]
                 </td>
             </tr>
         [% END %]
-- 
2.20.1