From 0ca134a191f0fb4bc7a79548e0a0e902f57969d1 Mon Sep 17 00:00:00 2001 From: Jonathan Druart Date: Fri, 15 Mar 2024 11:37:43 +0100 Subject: [PATCH] Bug 19613: Scrub borrowers fields: borrowernotes opacnote MIME-Version: 1.0 Content-Type: text/plain; charset=utf8 Content-Transfer-Encoding: 8bit To prevent XSS Signed-off-by: David Cook Signed-off-by: Nick Clemens (cherry picked from commit 83db8696ca7a83aba224a0ab645f03447a96887b) Signed-off-by: Fridolin Somers (cherry picked from commit 383984a0164adabc79e91ad11e2e930f5e070ed9) Signed-off-by: Frédéric Demians Signed-off-by: Wainui Witika-Park --- Koha/Patron.pm | 7 +++++++ t/db_dependent/Koha/Patron.t | 34 +++++++++++++++++++++++++++++++++- 2 files changed, 40 insertions(+), 1 deletion(-) diff --git a/Koha/Patron.pm b/Koha/Patron.pm index c3924b8040..edb03d8cb6 100644 --- a/Koha/Patron.pm +++ b/Koha/Patron.pm @@ -27,6 +27,7 @@ use Try::Tiny; use C4::Context; use C4::Log qw( logaction ); +use C4::Scrubber; use Koha::Account; use Koha::ArticleRequests; use C4::Letters; @@ -219,6 +220,12 @@ sub store { if defined $self->relationship and $self->relationship eq ""; + for my $note_field ( qw( borrowernotes opacnote ) ) { + if ( !$self->in_storage || $self->_result->is_column_changed($note_field) ) { + $self->$note_field(C4::Scrubber->new('comment')->scrub($self->$note_field)); + } + } + unless ( $self->in_storage ) { #AddMember # Generate a valid userid/login if needed diff --git a/t/db_dependent/Koha/Patron.t b/t/db_dependent/Koha/Patron.t index 977ec261d6..b0be720145 100755 --- a/t/db_dependent/Koha/Patron.t +++ b/t/db_dependent/Koha/Patron.t @@ -19,7 +19,7 @@ use Modern::Perl; -use Test::More tests => 18; +use Test::More tests => 19; use Test::Exception; use Test::Warn; 
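Review bot: The scrub runs on whatever `$self->$note_field` holds, including undef; if `C4::Scrubber->scrub` returns an empty string for undef, every new patron without a note would be stored with `''` rather than NULL, so a guard such as `next unless defined $self->$note_field;` at the top of the loop would preserve that distinction (worth confirming against C4::Scrubber, which is not in this hunk). `C4::Scrubber->new('comment')` is also constructed on every loop iteration and could be hoisted into a single `my $scrubber = C4::Scrubber->new('comment');` above the `for`. A comment above the loop would help the next reader, e.g. `# Scrub the free-text note fields on insert and whenever they change, so stored markup is limited to what the 'comment' profile allows; output escaping in the templates still applies.` The enclosing `store` begins and ends outside the hunk.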
@@ -1292,3 +1292,35 @@ subtest 'encode_secret and decoded_secret' => sub {
 $schema->storage->txn_rollback;
 };
+subtest 'Scrub the note fields' => sub {
+ plan tests => 4;
+
+ $schema->storage->txn_begin;
+
+ my $bad_message = 'allgoodnow';
+ my $cleaned_message = 'allgoodnow';
+ my $tmp_patron = $builder->build_object( { class => 'Koha::Patrons' } );
+ my $patron_data = $tmp_patron->unblessed;
+ $tmp_patron->delete;
+ delete $tmp_patron->{borrowernumber};
+
+ my $patron = Koha::Patron->new(
+
+ {
+ %$patron_data,
+ borrowernotes => $bad_message, opacnote => $bad_message,
+ }
+ )->store;
+
+ is( $patron->get_from_storage->borrowernotes, $cleaned_message );
+ is( $patron->get_from_storage->opacnote, $cleaned_message );
+
+ $patron->borrowernotes($bad_message)->store;
+ $patron->opacnote($bad_message)->store;
+
+ is( $patron->get_from_storage->borrowernotes, $cleaned_message );
+ is( $patron->get_from_storage->opacnote, $cleaned_message );
+
+ $schema->storage->txn_rollback;
+};
+
-- 
2.39.5
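Review bot: `delete $tmp_patron->{borrowernumber};` removes the key from the already-deleted object, while the hash handed to `Koha::Patron->new` is `%$patron_data`, so the new patron is created with the old borrowernumber instead of a fresh one; the intended line is presumably `delete $patron_data->{borrowernumber};`. As shown here `$bad_message` and `$cleaned_message` are the identical string `'allgoodnow'`, which would let all four `is` checks pass even if no scrubbing happened; if that is not just markup lost in rendering, the bad message should carry the tags the `comment` profile is expected to strip, with `$cleaned_message` holding the expected remainder. Giving each `is` a description as the third argument, such as `'borrowernotes scrubbed on insert'`, would also make a failure easier to read.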