From 5e2f38a958276308e600698590942f025e17cffa Mon Sep 17 00:00:00 2001
From: Amit Gupta <amit.gupta@informaticsglobal.com>
Date: Mon, 7 Aug 2017 20:49:56 +0530
Subject: [PATCH] Bug 19050 - XSS Flaws in Quick spine label creator

1. Hit /cgi-bin/koha/labels/spinelabel-home.pl
2. Enter <IFRAME SRC="javascript:alert('XSS');"></IFRAME> barcode text box.
3. Notice the iframe is executed
4. Apply patch
5. Reload page, and enter iframe again on barcode text box.
6. Notice it is no longer executed

Signed-off-by: Chris Cormack <chrisc@catalyst.net.nz>

Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
---
 .../intranet-tmpl/prog/en/modules/labels/spinelabel-print.tt    | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/koha-tmpl/intranet-tmpl/prog/en/modules/labels/spinelabel-print.tt b/koha-tmpl/intranet-tmpl/prog/en/modules/labels/spinelabel-print.tt
index 85aaae4756..47b3602395 100644
--- a/koha-tmpl/intranet-tmpl/prog/en/modules/labels/spinelabel-print.tt
+++ b/koha-tmpl/intranet-tmpl/prog/en/modules/labels/spinelabel-print.tt
@@ -23,7 +23,7 @@
 </head>
 	[% IF ( BarcodeNotFound ) %]
 		<body id="labels_spinelabel-print" class="tools labels">
-			<p>The barcode [% Barcode %] was not found.</p>
+            <p>The barcode [% Barcode |html %] was not found.</p>
             <p><a href="spinelabel-home.pl">Return to spine label printer</a></p>
 		</body>
 	[% ELSE %]
-- 
2.39.5