Bug 11307: Fix potential XSS attack in public catalog RSS feed
author: Chris Cormack <chris@bigballofwax.co.nz>
Tue, 26 Nov 2013 16:37:07 +0000 (05:37 +1300)
committer: Galen Charlton <gmc@esilibrary.com>
Tue, 26 Nov 2013 18:16:27 +0000 (18:16 +0000)
To test:
1/ Craft a URL like
/cgi-bin/koha/opac-search.pl?q=a&count=50"'<h1>test</h1>&sort_by=acqdate_dsc&format=rss2
2/ Look at the source, notice
<opensearch:itemsPerPage>50"'<h1>test</h1></opensearch:itemsPerPage>
3/ Apply the patch, and reload the URL
4/ Source now contains
<opensearch:itemsPerPage>50&quot;'&lt;h1&gt;test&lt;/h1&gt;</opensearch:itemsPerPage>

Signed-off-by: Mark Tompsett <mtompset@hotmail.com>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Signed-off-by: Galen Charlton <gmc@esilibrary.com>

koha-tmpl/opac-tmpl/prog/en/modules/opac-opensearch.tt

index 2d51ba6..ff2b23c 100644
@@ -24,7 +24,7 @@
      <opensearch:totalResults>[% total %]</opensearch:totalResults>
      <opensearch:startIndex>[% offset %]</opensearch:startIndex>
      [% IF ( results_per_page ) %]
-       <opensearch:itemsPerPage>[% results_per_page %]</opensearch:itemsPerPage>
+       <opensearch:itemsPerPage>[% results_per_page |html %]</opensearch:itemsPerPage>
      [% ELSE %]
        <opensearch:itemsPerPage>20</opensearch:itemsPerPage>
      [% END %]
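Review bot: the `|html` filter on `results_per_page` closes the reported injection point, but the two unchanged lines just above it in this hunk, `<opensearch:totalResults>[% total %]` and `<opensearch:startIndex>[% offset %]`, still interpolate their values unfiltered; it is worth confirming whether either of those is derived from a request parameter the way `count` feeds `results_per_page`, and if so giving them the same `|html` treatment in this patch rather than leaving a sibling hole. Two further points for the record: Template Toolkit's `html` filter encodes `&`, `<`, `>` and `"` but not the single quote, which matches the expected output in the test plan (`50&quot;'&lt;h1&gt;...`) and is acceptable in XML element text, though not in an attribute value; and since `itemsPerPage` is a numeric OpenSearch element, validating `count` as an integer in opac-search.pl before it reaches the template would be a stronger, defence-in-depth complement to output escaping alone.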