Bug 16800: Fix XSS in additem.pl

Signed-off-by: Katrin Fischer  <katrin.fischer@bsz-bw.de>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>

diff --git a/koha-tmpl/intranet-tmpl/prog/en/modules/catalogue/labeledMARCdetail.tt b/koha-tmpl/intranet-tmpl/prog/en/modules/catalogue/labeledMARCdetail.tt
index 25c6407..afcb769 100644 (file)
--- a/koha-tmpl/intranet-tmpl/prog/en/modules/catalogue/labeledMARCdetail.tt
+++ b/koha-tmpl/intranet-tmpl/prog/en/modules/catalogue/labeledMARCdetail.tt
@@ -55,7 +55,7 @@
                                        [% INCLUDE 'cat-toolbar.inc' %]
 
                                        [% UNLESS ( popup ) %]
-                                               <h1>Labeled MARC biblio : [% biblionumber %]  ( [% bibliotitle | html %] )</h1>
+                        <h1>Labeled MARC biblio : [% biblionumber %]  ( [% bibliotitle | html %] )</h1>
                                        [% END %]
                     <p><b>With framework:
                     <select name="Frameworks" id="Frameworks" size="1" onchange="Changefwk(this);">

diff --git a/koha-tmpl/intranet-tmpl/prog/en/modules/cataloguing/additem.tt b/koha-tmpl/intranet-tmpl/prog/en/modules/cataloguing/additem.tt
index 19064ca..db83ef8 100644 (file)
--- a/koha-tmpl/intranet-tmpl/prog/en/modules/cataloguing/additem.tt
+++ b/koha-tmpl/intranet-tmpl/prog/en/modules/cataloguing/additem.tt
@@ -2,7 +2,7 @@
 [% USE ColumnsSettings %]
 
 [% INCLUDE 'doc-head-open.inc' %]
-<title>Koha &rsaquo; Cataloging &rsaquo; [% title |html %] [% IF ( author ) %] by [% author %][% END %] (Record #[% biblionumber %]) &rsaquo; Items</title>
+<title>Koha &rsaquo; Cataloging &rsaquo; [% title |html %] [% IF ( author ) %] by [% author | html %][% END %] (Record #[% biblionumber %]) &rsaquo; Items</title>
 <link rel="stylesheet" type="text/css" href="[% interface %]/[% theme %]/css/datatables.css" />
 [% INCLUDE 'doc-head-close.inc' %]
 [% INCLUDE 'datatables.inc' %]
@@ -146,7 +146,7 @@ function confirm_deletion() {
 <div id="breadcrumbs">
           <a href="/cgi-bin/koha/mainpage.pl">Home</a>
  &rsaquo; <a href="/cgi-bin/koha/cataloguing/addbooks.pl">Cataloging</a>
- &rsaquo; Edit <a href="/cgi-bin/koha/cataloguing/addbiblio.pl?biblionumber=[% biblionumber %]">[% title |html %] [% IF ( author ) %] by [% author %][% END %] (Record #[% biblionumber %])</a>
+ &rsaquo; Edit <a href="/cgi-bin/koha/cataloguing/addbiblio.pl?biblionumber=[% biblionumber %]">[% title |html %] [% IF ( author ) %] by [% author | html %][% END %] (Record #[% biblionumber %])</a>
  &rsaquo; <a href="/cgi-bin/koha/cataloguing/additem.pl?biblionumber=[% biblionumber %]">Items</a>
 </div>
 
@@ -155,7 +155,7 @@ function confirm_deletion() {
    <div id="bd">
        <div id="yui-main">
 
-<h1>Items for [% title |html %] [% IF ( author ) %] by [% author %][% END %] (Record #[% biblionumber %])</h1>
+<h1>Items for [% title |html %] [% IF ( author ) %] by [% author | html %][% END %] (Record #[% biblionumber %])</h1>
 
 [% IF ( barcode_not_unique ) %]<div class="dialog alert"><strong>Error saving item</strong>: Barcode must be unique.</div>[% END %]
 [% IF ( no_next_barcode ) %]<div class="dialog alert"><strong>Error saving items</strong>: Unable to automatically determine values for barcodes. No item has been inserted.</div>[% END %]