Bug 17029: Fix XSS in catalogue/*detail.pl

[koha.git] / catalogue / labeledMARCdetail.pl

diff --git a/catalogue/labeledMARCdetail.pl b/catalogue/labeledMARCdetail.pl
index 11f8f85..7c488e0 100755 (executable)
--- a/catalogue/labeledMARCdetail.pl
+++ b/catalogue/labeledMARCdetail.pl
@@ -4,22 +4,23 @@
 #
 # This file is part of Koha.
 #
-# Koha is free software; you can redistribute it and/or modify it under the
-# terms of the GNU General Public License as published by the Free Software
-# Foundation; either version 2 of the License, or (at your option) any later
-# version.
+# Koha is free software; you can redistribute it and/or modify it
+# under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 3 of the License, or
+# (at your option) any later version.
 #
-# Koha is distributed in the hope that it will be useful, but WITHOUT ANY
-# WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR
-# A PARTICULAR PURPOSE.  See the GNU General Public License for more details.
+# Koha is distributed in the hope that it will be useful, but
+# WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
 #
-# You should have received a copy of the GNU General Public License along
-# with Koha; if not, write to the Free Software Foundation, Inc.,
-# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+# You should have received a copy of the GNU General Public License
+# along with Koha; if not, see <http://www.gnu.org/licenses>.
 
 use strict;
 use warnings;
-use CGI; 
+use CGI qw ( -utf8 ); 
+use HTML::Entities;
 use MARC::Record;
 use C4::Auth;
 use C4::Context;
@@ -34,6 +35,7 @@ use C4::Koha qw( GetFrameworksLoop );
 my $query        = new CGI;
 my $dbh          = C4::Context->dbh;
 my $biblionumber = $query->param('biblionumber');
+$biblionumber = HTML::Entities::encode($biblionumber);
 my $frameworkcode = $query->param('frameworkcode');
 $frameworkcode = GetFrameworkCode( $biblionumber ) unless ($frameworkcode);
 my $popup        =
@@ -114,7 +116,7 @@ $template->param (
        labeledmarcview => 1,
        z3950_search_params             => C4::Search::z3950_search_args($biblio),
        C4::Search::enabled_staff_search_views,
-    searchid            => $query->param('searchid'),
+    searchid            => scalar $query->param('searchid'),
 );
 
 my @allorders_using_biblio = GetOrdersByBiblionumber ($biblionumber);