Bug 16599: Fix XSS in opac-shareshelf.pl
Author: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Thu, 26 May 2016 11:03:55 +0000 (12:03 +0100)
Committer: Chris Cormack <chrisc@catalyst.net.nz>
Tue, 21 Jun 2016 20:43:49 +0000 (08:43 +1200)
Test plan:
- Create a list with the name "<script>alert(1)</script>"
- On the shelf list, click on share
=> Without this patch you will see the JS alert
=> With this patch applied you won't see it

Reported by Kaybee at Dionach

Signed-off-by: Chris Cormack <chrisc@catalyst.net.nz>
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>

Signed-off-by: Brendan Gallagher <brendan@bywatersolutions.com>
(cherry picked from commit a44a930c076fceca0f7193f488e187d9849f89b6)
Signed-off-by: Julian Maurice <julian.maurice@biblibre.com>
(cherry picked from commit 858e3b2043e0eb1ce5bb9a6c36b3b87afb69ae22)
Signed-off-by: Chris Cormack <chrisc@catalyst.net.nz>
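The test plan above can be reproduced outside a Koha install. The script below is an added example, not Koha's own code: it renders the touched template line with Template Toolkit (the CPAN `Template` module must be installed) once without and once with the `| html` filter, using the list name from the test plan as a constructed input, and then runs a small, hypothetical `unfiltered_directives` scanner over a snippet modelled on the second hunk to list the `[% name %]` directives that still carry no filter. The sample values and the snippet are constructed here and are not taken from the repository.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Template;

# Constructed sample values (not from the page): the list name is the
# payload from the commit's test plan; the address is an assumed value.
my %vars = (
    shelfname       => '<script>alert(1)</script>',
    approvedaddress => 'someone@example.org',
);

# The line touched by the first hunk, before and after the patch.
my $before = '<li><label for="name">List name:</label> [% shelfname %]</li>';
my $after  = '<li><label for="name">List name:</label> [% shelfname | html %]</li>';

# Render a template string with Template Toolkit and return the output.
sub render {
    my ($template, $vars) = @_;
    my $tt = Template->new() or die Template->error();
    my $out = '';
    $tt->process(\$template, $vars, \$out) or die $tt->error();
    return $out;
}

# Crude lint (hypothetical helper): list simple [% name %] directives that
# carry no filter. It matches only bare variable directives, so [% IF x %],
# [% END %] and [% x | html %] are not reported; nested data ([% a.b %]) is.
sub unfiltered_directives {
    my ($template) = @_;
    my @hits;
    while ($template =~ /\[%-?\s*([A-Za-z_][\w.]*)\s*-?%\]/g) {
        my $name = $1;
        # bare keywords, not variables
        next if $name =~ /^(?:END|ELSE|BREAK|NEXT|RETURN|STOP|CLEAR)$/;
        push @hits, $name;
    }
    return @hits;
}

print "before the patch: ", render($before, \%vars), "\n";
print "after the patch:  ", render($after,  \%vars), "\n";

# A snippet modelled on the second hunk (constructed here, not copied from
# the repository): only shelfname is filtered, the two addresses are not.
my $snippet = <<'TT';
<p>An invitation to share list <i>[% shelfname | html %]</i> will be sent shortly to [% approvedaddress %].</p>
[% IF failaddress %]
<p>Something went wrong while processing the following addresses. These are: [% failaddress %]</p>
[% END %]
TT
print "unfiltered directives: ", join(', ', unfiltered_directives($snippet)), "\n";
```

Template Toolkit's `html` filter escapes `&`, `<`, `>` and `"`, which makes it adequate for element content and for double-quoted attribute values such as the hidden `shelfnumber` input; it is not an escaping scheme for values placed inside inline JavaScript or into URLs, where a context-specific filter such as `uri` is needed instead.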

koha-tmpl/opac-tmpl/bootstrap/en/modules/opac-shareshelf.tt

index 1bb22d7..3605ef6 100644
@@ -50,7 +50,7 @@
             <ol>
             <input type="hidden" name="op" value="conf_invite"/>
             <input type="hidden" name="shelfnumber" value="[% shelfnumber %]"/>
-            <li><label for="name">List name:</label> [% shelfname %]</li>
+            <li><label for="name">List name:</label> [% shelfname | html %]</li>
             <li>
                 <label for="invite_address">Email address:</label>
                 <input id="invite_address" name="invite_address" size="40" />
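Review bot: the hidden input two lines above the changed one still emits `[% shelfnumber %]` unfiltered inside a double-quoted `value` attribute; if that value ever comes back from the request as anything but an integer, a `"` in it breaks out of the attribute just as the list name broke out of the element content. Either escape it the same way (`value="[% shelfnumber | html %]"`) or make sure the controller rejects non-numeric shelf numbers before the template is reached. A smaller point: `<label for="name">` has no element with `id="name"` in this hunk, so the label is not associated with anything.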
@@ -67,7 +67,7 @@
     [% ELSIF op=='conf_invite' %]
         <div id="conf_invite">
         [% IF approvedaddress %]
-        <p>An invitation to share list <i>[% shelfname %]</i> will be sent shortly to [% approvedaddress %].</p>
+        <p>An invitation to share list <i>[% shelfname | html %]</i> will be sent shortly to [% approvedaddress %].</p>
         [% END %]
         [% IF failaddress %]
             <p>Something went wrong while processing the following addresses. Please check them. These are: [% failaddress %]</p>
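Review bot: `[% approvedaddress %]` on the changed line and `[% failaddress %]` on the trailing context line are still output without a filter, although both are built from the email address the user just typed into `invite_address`. Escaping only `shelfname` leaves the same class of bug one directive to the right; the fix should read `[% approvedaddress | html %]` and `[% failaddress | html %]` as well.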