From 53309fab4b3c2b15a1c15797be392a9ace982b47 Mon Sep 17 00:00:00 2001
From: Chris Cormack <chrisc@catalyst.net.nz>
Date: Mon, 8 Oct 2012 21:30:49 +1300
Subject: [PATCH] Bug 3652 : [SIGNED-OFF] [SECURITY] XSS vulnerability

Signed-off-by: Magnus Enger <magnus@enger.priv.no>
Works as advertised. After applying the patch, <blink>fish</blink>
is displayed on the page, but no blinking occurs.

Signed-off-by: Magnus Enger <magnus@enger.priv.no>
Signed-off-by: Paul Poulain <paul.poulain@biblibre.com>
---
 koha-tmpl/opac-tmpl/prog/en/modules/opac-shelves.tt | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/koha-tmpl/opac-tmpl/prog/en/modules/opac-shelves.tt b/koha-tmpl/opac-tmpl/prog/en/modules/opac-shelves.tt
index 9e782fbd43..471dddb563 100644
--- a/koha-tmpl/opac-tmpl/prog/en/modules/opac-shelves.tt
+++ b/koha-tmpl/opac-tmpl/prog/en/modules/opac-shelves.tt
@@ -223,7 +223,7 @@ $(function() {
                      </div>
                     [% END %]
                     [% IF ( paramsloo.nopermission ) %]
-                      <div class="dialog alert">ERROR: You do not have adequate permission for that action on list [% paramsloo.nopermission %].</div>
+                      <div class="dialog alert">ERROR: You do not have adequate permission for that action on list [% paramsloo.nopermission |html%].</div>
                     [% END %]
                     [% IF ( paramsloo.failgetitem ) %]
                       <div class="dialog alert">ERROR: No item found with barcode [% paramsloo.failgetitem %].</div>
-- 
2.20.1