From a503a522c2bfa34f8f64af8dbf2ecba8010b5201 Mon Sep 17 00:00:00 2001 From: Jonathan Druart Date: Fri, 22 Jul 2016 08:30:54 +0100 Subject: [PATCH] Bug 16878: Fix XSS in opac-memberentry MIME-Version: 1.0 Content-Type: text/plain; charset=utf8 Content-Transfer-Encoding: 8bit The vars are gotten from the url and sent to the template as it. They must be escaped. Test plan: I have not managed to create the original issue, so there is no test plan for the XSS fix, but you can confirm there is no regression. Signed-off-by: Chris Cormack Signed-off-by: Katrin Fischer Signed-off-by: Brendan Gallagher (cherry picked from commit 9bdea2e3691fd62e777cc974f89b867a69eec9a8) Signed-off-by: Frédéric Demians (cherry picked from commit b505c6b7d636f262eadef82984b83b5194438724) Signed-off-by: Julian Maurice --- opac/opac-memberentry.pl | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/opac/opac-memberentry.pl b/opac/opac-memberentry.pl index ddaf914110..19db974ecb 100755 --- a/opac/opac-memberentry.pl +++ b/opac/opac-memberentry.pl @@ -20,7 +20,7 @@ use Modern::Perl; use CGI qw ( -utf8 ); use Digest::MD5 qw( md5_base64 md5_hex ); use String::Random qw( random_string ); - +use HTML::Entities; use C4::Auth; use C4::Output; use C4::Members; @@ -328,7 +328,7 @@ sub ParseCgiForBorrower { foreach ( $cgi->param ) { if ( $_ =~ '^borrower_' ) { my ($key) = substr( $_, 9 ); - $borrower{$key} = $scrubber->scrub( $cgi->param($_) ); + $borrower{$key} = HTML::Entities::encode( $scrubber->scrub( $cgi->param($_) ) ); } } -- 2.39.5