Bug 19050 - XSS Flaws in Quick spine label creator
author: Amit Gupta <amit.gupta@informaticsglobal.com>
Mon, 7 Aug 2017 15:19:56 +0000 (20:49 +0530)
committer: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Tue, 29 Aug 2017 15:00:37 +0000 (12:00 -0300)
1. Hit /cgi-bin/koha/labels/spinelabel-home.pl
2. Enter <IFRAME SRC="javascript:alert('XSS');"></IFRAME> in the barcode text box.
3. Notice the iframe is executed
4. Apply patch
5. Reload the page, and enter the iframe again in the barcode text box.
6. Notice it is no longer executed

Signed-off-by: Chris Cormack <chrisc@catalyst.net.nz>
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
koha-tmpl/intranet-tmpl/prog/en/modules/labels/spinelabel-print.tt

index 85aaae4..47b3602 100644
@@ -23,7 +23,7 @@
 </head>
        [% IF ( BarcodeNotFound ) %]
                <body id="labels_spinelabel-print" class="tools labels">
-                       <p>The barcode [% Barcode %] was not found.</p>
+            <p>The barcode [% Barcode |html %] was not found.</p>
             <p><a href="spinelabel-home.pl">Return to spine label printer</a></p>
                </body>
        [% ELSE %]
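Review bot: The `|html` filter added on the `<p>The barcode [% Barcode |html %] was not found.</p>` line escapes Barcode only in the BarcodeNotFound branch; the `[% ELSE %]` branch begins at the end of this hunk and its contents are not shown, so confirm that every other place this template renders Barcode (or a value derived from it) applies the same filter, and that the test plan in the commit message, which only exercises the not-found path, is extended to cover the found-barcode output as well. Style: the replacement line is indented with spaces while the surrounding lines use tabs; keep the file's existing tab indentation so the change does not introduce mixed whitespace.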