Bug 19086: (follow-up) Fix Stored XSS in supplier.pl

In preparation:
Make sure you enter <script>alert("sth")</script>
in all fields of a new vendor that are not validated
and save.

1) Access vendor summary page.
2) Verify scripts are executed
3) Apply patch
4) Verify scripts are on longer executed

This works in combination with the other patches for XSS
on this bug.

Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>

diff --git a/koha-tmpl/intranet-tmpl/prog/en/modules/acqui/supplier.tt b/koha-tmpl/intranet-tmpl/prog/en/modules/acqui/supplier.tt
index a40e715..085875f 100644 (file)
--- a/koha-tmpl/intranet-tmpl/prog/en/modules/acqui/supplier.tt
+++ b/koha-tmpl/intranet-tmpl/prog/en/modules/acqui/supplier.tt
@@ -57,7 +57,7 @@
 [% END %]
 
 [% BLOCK show_contact %]
-    <h3>[% contact.name %]</h3>
+    <h3>[% contact.name |html %]</h3>
     <p><span class="label">Position: </span>[% contact.position |html %]</p>
     <p><span class="label">Phone: </span>[% contact.phone |html %]</p>
     <p><span class="label">Alternative phone: </span>[% contact.altphone |html %]</p>
@@ -169,7 +169,7 @@ function delete_contact(ev) {
 [% INCLUDE 'header.inc' %]
 [% INCLUDE 'acquisitions-search.inc' %]
 
-<div id="breadcrumbs"><a href="/cgi-bin/koha/mainpage.pl">Home</a> &rsaquo; <a href="/cgi-bin/koha/acqui/acqui-home.pl">Acquisitions</a> &rsaquo; [% IF ( enter ) %][% IF ( booksellerid ) %] <a href="/cgi-bin/koha/acqui/supplier.pl?booksellerid=[% booksellerid %]">[% name %]</a> &rsaquo; Update: [% name %][% ELSE %]Add vendor[% END %] [% ELSE %][% name %][% END %]</div>
+<div id="breadcrumbs"><a href="/cgi-bin/koha/mainpage.pl">Home</a> &rsaquo; <a href="/cgi-bin/koha/acqui/acqui-home.pl">Acquisitions</a> &rsaquo; [% IF ( enter ) %][% IF ( booksellerid ) %] <a href="/cgi-bin/koha/acqui/supplier.pl?booksellerid=[% booksellerid %]">[% name |html %]</a> &rsaquo; Update: [% name %][% ELSE %]Add vendor[% END %] [% ELSE %][% name |html %][% END %]</div>
 
 <div id="doc3" class="yui-t2">
 
@@ -178,7 +178,7 @@ function delete_contact(ev) {
     <div class="yui-b">
     [% IF ( enter ) %]
         [% IF ( booksellerid ) %]
-        <h1>Update: [% name %]</h1>
+        <h1>Update: [% name |html %]</h1>
     [% ELSE %]
         <h1>Add vendor</h1>
     [% END %]
@@ -318,11 +318,11 @@ function delete_contact(ev) {
         </div>
     </form>
 [% ELSE %]
-    <h1>[% name %]</h1>
+    <h1>[% name |html %]</h1>
         <div class="yui-g">
             <div id="supplier-company-details" class="yui-u first">
                 <h2>Vendor details</h2>
-                <p><span class="label">Company name: </span>[% name %]</p>
+                <p><span class="label">Company name: </span>[% name |html %]</p>
                 <p><span class="label">Postal address: </span>[% postal |html %]</p>
                 <p><span class="label">Physical address: </span>[% address1 |html %][% address2 |html %][% address3 |html %][% address4 |html %]</p>
                 <p><span class="label">Phone: </span>[% phone |html %]</p>