Bug 19086: Fix Stored XSS in subscription-add.pl
author Amit Gupta <amit.gupta@informaticsglobal.com>
Mon, 14 Aug 2017 21:14:11 +0000 (02:44 +0530)
committer Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Fri, 29 Sep 2017 15:20:45 +0000 (12:20 -0300)
To test:
1. Hit the page /cgi-bin/koha/serials/subscription-add.pl
2. Add text in the fields Public note and Nonpublic note
   that contains js (Internalnotes, notes)
3. Save the page.
4. Notice the js is executed.
5. Apply the patch and reload; the js is escaped.

Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
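The script below is an added example, not part of this patch or of Koha, that reproduces the escaping question from the test plan offline: it renders a constructed note containing a script tag and a newline through three Template Toolkit filter chains, the unfiltered form, the order used in the patch, and the reverse order. The note text and the template strings are constructed for illustration; the only dependency is the Template module.

```perl
#!/usr/bin/perl
# Added example (not Koha code): compare Template Toolkit filter chains on
# a note that carries both a script tag and a line break.
use strict;
use warnings;
use Template;

# Constructed sample: what someone could type into the Public note field.
my $note = "line one <script>alert(document.cookie)</script>\nline two";

# Template strings are assumed for illustration; the middle one uses the
# same filter order as the patch.
my @chains = (
    [ 'before patch (html_line_break only)' => '[% note FILTER html_line_break %]' ],
    [ 'patch order (html_line_break, then html)' => '[% note FILTER html_line_break | html %]' ],
    [ 'escape first, then break lines' => '[% note | html | html_line_break %]' ],
);

# Render one template string with the sample note and return the output.
sub render {
    my ( $tt, $template ) = @_;
    my $out = '';
    $tt->process( \$template, { note => $note }, \$out )
        or die $tt->error();
    return $out;
}

my $tt = Template->new() or die Template->error();

for my $chain (@chains) {
    my ( $label, $template ) = @$chain;
    print "== $label ==\n", render( $tt, $template ), "\n\n";
}
```

Run it with `perl filters.pl`. The first chain emits the script tag untouched, which is the stored XSS the bug reports. The patch order escapes the tag, but because `html_line_break` has already inserted a `<br />` for the newline, the `html` filter escapes that too and the reader sees the tag as literal text. Escaping first and converting newlines afterwards keeps both the escaping and the line break.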
koha-tmpl/intranet-tmpl/prog/en/modules/serials/subscription-detail.tt

index 8c95459..a943120 100644 (file)
@@ -339,8 +339,8 @@ $(document).ready(function() {
             <li><span class="label">History end date:</span> [% histenddate %]</li>
             <li><span class="label">Received issues:</span>[% recievedlist %]</li>
             <li><span class="label">Missing issues:</span>[% missinglist %]</li>
-            <li><span class="label">Nonpublic note:</span>[% internalnotes FILTER html_line_break %]</li>
-            <li><span class="label">Public note:</span>[% notes FILTER html_line_break %]</li>
+            <li><span class="label">Nonpublic note:</span>[% internalnotes FILTER html_line_break |html %]</li>
+            <li><span class="label">Public note:</span>[% notes FILTER html_line_break |html %]</li>
             <li><span class="label">History staff note:</span>[% librariannote FILTER html_line_break %]</li>
             <li><span class="label">History OPAC note:</span>[% opacnote FILTER html_line_break %]</li>
         </ol>
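Review bot: the filter order in the two changed lines is reversed. `FILTER html_line_break |html` runs html_line_break first, so the `<br />` it inserts for each newline is then escaped by `|html` and shows up as literal text, which loses the line breaks the first filter is there to preserve. Escape first and then break lines: `[% internalnotes | html | html_line_break %]` and `[% notes | html | html_line_break %]`. The untouched `librariannote` and `opacnote` lines directly below use the same unescaped pattern and should get the same fix in this patch rather than in a follow-up. The subject line also names subscription-add.pl while the only file touched is subscription-detail.tt; the message should say that the escaping is applied where the notes are displayed.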