Bug 17036: Fix XSS in circulation.pl

Test plan:
Enter the following in the "Check out" tab:
"><script>alert('XSS')</script>

=> Without this patch you will see the alert
=> With this patch, no more alert

Signed-off-by: Chris Cormack <chrisc@catalyst.net.nz>

Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
Signed-off-by: Chris Cormack <chris@bigballofwax.co.nz>

diff --git a/koha-tmpl/intranet-tmpl/prog/en/modules/circ/circulation.tt b/koha-tmpl/intranet-tmpl/prog/en/modules/circ/circulation.tt
index cf1c581..c2bc755 100644 (file)
--- a/koha-tmpl/intranet-tmpl/prog/en/modules/circ/circulation.tt
+++ b/koha-tmpl/intranet-tmpl/prog/en/modules/circ/circulation.tt
@@ -516,7 +516,7 @@ $(document).ready(function() {
 [% IF ( message ) %]
 [% INCLUDE 'patron-toolbar.inc' %]
 <h4>
-No patron matched <span class="ex">[% message %]</span>
+No patron matched <span class="ex">[% message | html %]</span>
 </h4>
 [% END %]