From a9a2b686193d08f469912009d45acb300844a4df Mon Sep 17 00:00:00 2001
From: Kyle M Hall
Date: Thu, 21 Mar 2024 09:30:26 -0400
Subject: [PATCH] Bug 36382: XSS in showLastPatron dropdown

1) Set borrower surname to:
2) Save, nothing happens
3) Enable showLastPatron
4) Reload patron
5) Note the alert popup
6) Apply this patch
7) Reload patron
8) No alert!

Signed-off-by: Owen Leonard
Signed-off-by: Marcel de Rooy
---
 koha-tmpl/intranet-tmpl/prog/js/staff-global.js | 10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)

diff --git a/koha-tmpl/intranet-tmpl/prog/js/staff-global.js b/koha-tmpl/intranet-tmpl/prog/js/staff-global.js
index ab24a9304e..a1bab11f80 100644
--- a/koha-tmpl/intranet-tmpl/prog/js/staff-global.js
+++ b/koha-tmpl/intranet-tmpl/prog/js/staff-global.js
@@ -19,7 +19,9 @@ function formatstr(str, col) {
 var HtmlCharsToEscape = {
     '&': '&',
     '<': '<',
-    '>': '>'
+    '>': '>',
+    "'": ''',
+    '"': '"'
 };
 String.prototype.escapeHtml = function() {
     return this.replace(/[&<>]/g, function(c) {
@@ -176,9 +178,9 @@ $(document).ready(function() {
     });
 
     const previous_patron = {
-        "borrowernumber": $("#hiddenborrowernumber").val(),
-        "name": $("#hiddenborrowername").val(),
-        "card": $("#hiddenborrowercard").val()
+        "borrowernumber": escape_str($("#hiddenborrowernumber").val()),
+        "name": escape_str($("#hiddenborrowername").val()),
+        "card": escape_str($("#hiddenborrowercard").val())
     };
 
     previous_patrons.unshift( previous_patron );
-- 
2.39.5
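Review bot: The two new entries added to HtmlCharsToEscape for the single and double quote are never reached by String.prototype.escapeHtml, because the context line right below still matches only `/[&<>]/g`; a quote inside an attribute value therefore still passes through escapeHtml unchanged. If escapeHtml is meant to cover attribute contexts the regex should grow with the map, `return this.replace(/[&<>'"]/g, function(c) {`, or better be derived from the map's keys so the two cannot drift apart again. Whether escape_str, used in the second hunk, shares this regex or has its own cannot be seen here since it is defined outside the hunk; if it does share it, the quote entries are dead for that caller too. The body of escapeHtml continues past the end of this hunk.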
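Review bot: Escaping borrowernumber, name and card at the point where previous_patron is captured means the stored object now holds HTML-escaped text rather than the raw values, which is only correct if every later consumer interpolates these fields into markup and none uses them as data (a text node via `.text()`, a URL parameter, a comparison with a fresh `.val()`); those consumers are outside this hunk, so this is a point to confirm rather than a visible defect. A short comment on the object would make the contract explicit for the next maintainer, e.g. `// values are pre-escaped for direct insertion into the showLastPatron dropdown markup; do not escape again`. It is also not visible whether escape_str tolerates an undefined `.val()` when a hidden input is absent, whereas the removed lines simply stored undefined; the enclosing `$(document).ready` callback starts before and ends after this hunk.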