From 40d22a14c6fec64e50dee5b6b6bb155303951d25 Mon Sep 17 00:00:00 2001
From: Jonathan Druart
Date: Mon, 25 Jul 2022 09:23:25 +0200
Subject: [PATCH] Bug 31219: Prevent JS injection in patron extended attributes

We are sanitizing other attributes but "extended patron attributes". Test plan: Make a patron attribute editable at the OPAC Edit an existing patron, or register a new one Use a script tag in the new value ("" for instance) With this patch the value is remove if containing an HTML tag that is not br b i em big small strong (see C4::Scrubber)

Signed-off-by: Mark Hofstetter
Signed-off-by: Katrin Fischer
Signed-off-by: Lucas Gass
(cherry picked from commit ddaa78bdab360f41b9e3672de7f50cd3053b9116)
Signed-off-by: Victor Grousset/tuxayo
---
opac/opac-memberentry.pl | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/opac/opac-memberentry.pl b/opac/opac-memberentry.pl
index 91b966d5f8..0f36d6be51 100755
--- a/opac/opac-memberentry.pl
+++ b/opac/opac-memberentry.pl
@@ -704,6 +704,7 @@ sub ParsePatronAttributes {
my $delete_candidates = {};
+ my $scrubber = C4::Scrubber->new();
while ( my ( $code, $value ) = $ea->() ) {
if ( any { $_ eq $code } @editable_attribute_types ) {
# It is an editable attribute
@@ -713,7 +714,7 @@ sub ParsePatronAttributes {
}
else {
# we've got a value
- push @attributes, { code => $code, attribute => $value };
+ push @attributes, { code => $code, attribute => $scrubber->scrub( $value ) };
# 'code' is no longer a delete candidate
delete $delete_candidates->{$code}
--
2.39.5
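Review bot: `my $scrubber = C4::Scrubber->new();` depends on C4::Scrubber already being loaded by opac-memberentry.pl — the diffstat shows only two insertions and no `use C4::Scrubber;`, so the file's import block (outside this hunk) should be checked rather than relying on the commit message's statement that other attributes are already scrubbed here. The constructor is called without a profile argument, so the set of tags that survives is whatever the module's default profile allows; the allow-list quoted in the commit message (br b i em big small strong) should be verified against C4::Scrubber, not taken from the message. A short comment would tell the next reader why this object exists: `# Strip HTML that the default C4::Scrubber profile disallows from OPAC-submitted attribute values`. ParsePatronAttributes starts before this hunk and continues past it.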
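Review bot: The scrub runs only after this `else` branch has been taken, so a value consisting entirely of disallowed markup (the `<script>` case from the test plan) is still pushed as an attribute holding whatever `scrub()` leaves of it, possibly an empty string, instead of following the empty-value path — assuming the `if` preceding this `else`, which is outside the hunk, is the emptiness test. Scrubbing before that test keeps the two paths consistent: `$value = $scrubber->scrub( $value );` as the first statement of the editable-attribute branch, with the push left as `attribute => $value`. This is also input-side sanitization on one OPAC path only, and the allow-list means HTML is still stored, so the templates that render extended attributes must keep HTML-escaping the value, and any staff, API or import path that writes the same attributes is not covered by this change. The body of ParsePatronAttributes, including the emptiness check, continues outside this hunk.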