Bug 16597: Fix XSS in opac-shareshelf
author Chris Cormack <chrisc@catalyst.net.nz>
Thu, 26 May 2016 09:33:33 +0000 (21:33 +1200)
committer Chris Cormack <chrisc@catalyst.net.nz>
Tue, 21 Jun 2016 20:51:22 +0000 (08:51 +1200)
To test
1/ Go to /cgi-bin/koha/opac-shareshelf.pl?op="><script>alert('XSS')</script>&shelfnumber=5
2/ Notice you see a js alert
3/ Apply patch
4/ It is gone

Reported by
Alex Middleton at Dionach

Signed-off-by: Chris Cormack <chris@bigballofwax.co.nz>

Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>

Signed-off-by: Brendan Gallagher <brendan@bywatersolutions.com>
(cherry picked from commit c47c835672a8fcd8c7df79663443f01639fc7657)
Signed-off-by: Julian Maurice <julian.maurice@biblibre.com>
(cherry picked from commit 8d6486013b504fa652b43b2a20c3bb4da25034fd)
Signed-off-by: Chris Cormack <chrisc@catalyst.net.nz>

koha-tmpl/opac-tmpl/bootstrap/en/modules/opac-shareshelf.tt

index 3605ef6..2e3ed31 100644
@@ -32,7 +32,7 @@
         <div id="shareshelf" class="maincontent">
 
     [% IF errcode %]
-        [% IF errcode==1 && op %]<div class="alert">The operation [% op %] is not supported.</div>[% END %]
+        [% IF errcode==1 && op %]<div class="alert">The operation [% op | html %] is not supported.</div>[% END %]
         [% IF errcode==1 && !op %]<div class="alert">No operation parameter has been passed.</div>[% END %]
         [% IF errcode==2 %]<div class="alert">Invalid shelf number.</div>[% END %]
         [% IF errcode==3 %]<div class="alert">The feature of sharing lists is not in use in this library.</div>[% END %]
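Review bot: The `| html` filter added to `[% op | html %]` is the right fix for the reflected parameter in this branch, but the hunk only covers the single interpolation on the `errcode==1 && op` line; since `op` comes straight from the query string (as the test plan shows), it is worth confirming that no other `[% op %]` or similarly unfiltered request-derived value remains elsewhere in opac-shareshelf.tt, and that the same `| html` treatment is applied wherever such values are echoed. A regression check for this page would be to re-run the test-plan URL and assert that the response contains `&lt;script&gt;` rather than a raw `<script>` tag.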