Bug 16599: Fix other potentials XSS for shelfname

Signed-off-by: Chris Cormack <chrisc@catalyst.net.nz>
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>

Signed-off-by: Brendan Gallagher <brendan@bywatersolutions.com>
(cherry picked from commit bb4543f7db62836b048c632a0a184acb021286ad)
Signed-off-by: Julian Maurice <julian.maurice@biblibre.com>
(cherry picked from commit dd94d1bc4ca68d8466b4d7fb154c6714a7782b58)
Signed-off-by: Chris Cormack <chrisc@catalyst.net.nz>

diff --git a/koha-tmpl/opac-tmpl/bootstrap/en/modules/opac-downloadshelf.tt b/koha-tmpl/opac-tmpl/bootstrap/en/modules/opac-downloadshelf.tt
index e91c170..5654693 100644 (file)
--- a/koha-tmpl/opac-tmpl/bootstrap/en/modules/opac-downloadshelf.tt
+++ b/koha-tmpl/opac-tmpl/bootstrap/en/modules/opac-downloadshelf.tt
@@ -1,7 +1,7 @@
 [% USE Koha %]
 [% IF ( fullpage ) %]
     [% INCLUDE 'doc-head-open.inc' %]
-    <title>[% IF ( LibraryNameTitle ) %][% LibraryNameTitle %][% ELSE %]Koha online[% END %] catalog &rsaquo; Download list [% shelfname %]</title>[% INCLUDE 'doc-head-close.inc' %]
+    <title>[% IF ( LibraryNameTitle ) %][% LibraryNameTitle %][% ELSE %]Koha online[% END %] catalog &rsaquo; Download list [% shelfname | html %]</title>[% INCLUDE 'doc-head-close.inc' %]
     [% BLOCK cssinclude %][% END %]
     </head>
     [% INCLUDE 'bodytag.inc' bodyid='opac-downloadlist' %]
@@ -20,7 +20,7 @@
                     [% END %]
                     <span class="divider">&rsaquo;</span>
                 </li>
-                <li>Download list <i>[% shelfname %]</i></li>
+                <li>Download list <i>[% shelfname | html %]</i></li>
             </ul>
             <div class="container-fluid">
                 <div class="row-fluid">
@@ -47,7 +47,7 @@
                                     <p>Your download should begin automatically.</p>
                                 </div>
                             [% ELSE %]
-                                <h1>Download list <i>[% shelfname %]</i></h1>
+                                <h1>Download list <i>[% shelfname | html %]</i></h1>
                                 <form method="post" action="/cgi-bin/koha/opac-downloadshelf.pl">
                                     <fieldset>
                                         <select name="format" id="dlformat" required="required">

diff --git a/koha-tmpl/opac-tmpl/bootstrap/en/modules/opac-results-grouped.tt b/koha-tmpl/opac-tmpl/bootstrap/en/modules/opac-results-grouped.tt
index 68c543c..0d8ace9 100644 (file)
--- a/koha-tmpl/opac-tmpl/bootstrap/en/modules/opac-results-grouped.tt
+++ b/koha-tmpl/opac-tmpl/bootstrap/en/modules/opac-results-grouped.tt
@@ -288,7 +288,7 @@ $(document).ready(function(){
     });
     $("span.clearall").html("<a id=\"CheckNone\" href=\"#\">Clear all</a>");
     $("span.checkall").html("<a id=\"CheckAll\" href=\"#\">Select all</a>");
-    $("span.addto").html("<label for=\"addto\">Add to: </label><select name=\"addto\" id=\"addto\"><option value=\"\"></option>[% IF Koha.Preference( 'opacbookbag' ) == 1 %]<option value=\"addtocart\">Cart</option>[% END %][% IF Koha.Preference( 'virtualshelves' ) == 1 %][% IF ( loggedinusername ) %]<optgroup label=\"Lists:\">[% IF ( barshelves ) %][% FOREACH barshelvesloo IN barshelvesloop %][% IF ( category == 1 ) %]<option id=\"s[% barshelvesloo.shelfnumber %]\" value=\"addtolist\">[% barshelvesloo.shelfname %]</option>[% END %][% END %][% END %]<option value=\"newlist\">[ New list ]</option></optgroup>[% ELSE %]<option value=\"newlist\">List</option>[% END %][% END %]</select> <input type=\"submit\" class=\"submit\" value=\"Save\" />");
+    $("span.addto").html("<label for=\"addto\">Add to: </label><select name=\"addto\" id=\"addto\"><option value=\"\"></option>[% IF Koha.Preference( 'opacbookbag' ) == 1 %]<option value=\"addtocart\">Cart</option>[% END %][% IF Koha.Preference( 'virtualshelves' ) == 1 %][% IF ( loggedinusername ) %]<optgroup label=\"Lists:\">[% IF ( barshelves ) %][% FOREACH barshelvesloo IN barshelvesloop %][% IF ( category == 1 ) %]<option id=\"s[% barshelvesloo.shelfnumber %]\" value=\"addtolist\">[% barshelvesloo.shelfname | html %]</option>[% END %][% END %][% END %]<option value=\"newlist\">[ New list ]</option></optgroup>[% ELSE %]<option value=\"newlist\">List</option>[% END %][% END %]</select> <input type=\"submit\" class=\"submit\" value=\"Save\" />");
     $("#addto").change(function(){
         cartList();
     });

diff --git a/koha-tmpl/opac-tmpl/bootstrap/en/modules/opac-shelves-rss.tt b/koha-tmpl/opac-tmpl/bootstrap/en/modules/opac-shelves-rss.tt
index f25f3ed..b6d3c84 100644 (file)
--- a/koha-tmpl/opac-tmpl/bootstrap/en/modules/opac-shelves-rss.tt
+++ b/koha-tmpl/opac-tmpl/bootstrap/en/modules/opac-shelves-rss.tt
@@ -3,7 +3,7 @@
 <rss version="2.0">
 
 <channel>
- <title>[% shelfname %]</title>
+ <title>[% shelfname | html %]</title>
  <link>[% OPACBaseURL %]/cgi-bin/koha/opac-shelves.pl?rss=1&amp;viewshelf=[% shelfnumber %]</link>
  <description>RSS feed for public list [% shelfname | html %]</description>