Bug 16597: Fix XSS in opac-shelves.pl
author Chris Cormack <chrisc@catalyst.net.nz>
Thu, 26 May 2016 09:06:18 +0000 (21:06 +1200)
committer Brendan Gallagher <brendan@bywatersolutions.com>
Mon, 30 May 2016 11:14:03 +0000 (11:14 +0000)
To test
1/ Hit /cgi-bin/koha/opac-shelves.pl?shelfnumber=5&category=1&op=edit_form&referer="><script>alert('XSS')</SCRIPT>
2/ Notice JS is executed
3/ Apply patch
4/ Notice it's fixed

This bug was reported by

Alex Middleton at Dionach

Signed-off-by: Chris Cormack <chris@bigballofwax.co.nz>

Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>

Signed-off-by: Brendan Gallagher <brendan@bywatersolutions.com>

koha-tmpl/opac-tmpl/bootstrap/en/modules/opac-shelves.tt

index ab704ab..4050672 100644 (file)
                                 [% ELSE %]
                                     <legend>Editing <em>[% shelf.shelfname |html %]</em></legend>
                                     <input type="hidden" name="op" value="edit" />
-                                    <input type="hidden" name="referer" value="[% referer %]" />
+                                    <input type="hidden" name="referer" value="[% referer | html %]" />
                                     <input type="hidden" name="shelfnumber" value="[% shelf.shelfnumber | html %]" />
                                 [% END %]
                                 <input type="hidden" name="owner" id="owner" value="[% loggedinusernumber %]" />
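Review bot: the trailing context line `<input type="hidden" name="owner" id="owner" value="[% loggedinusernumber %]" />` still emits a variable into an attribute without the `| html` filter, while `referer` and `shelf.shelfnumber` in the same block are now filtered; for consistency, and so the pattern "every interpolation into a `value="..."` attribute is filtered" holds throughout the form, consider writing it as `value="[% loggedinusernumber | html %]"` in the same change. The fix itself is correct for this context: Template Toolkit's `html` filter escapes `&`, `<`, `>` and `"`, which is exactly what is needed to stop a value like the `"><script>` payload in the test plan from closing the double-quoted attribute. Since the patch touches only this one occurrence inside the `[% ELSE %]` branch, it is worth confirming that no other place in `opac-shelves.tt` echoes `referer` unfiltered, as the same input would reach it.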