From 0de6d62c499d97436035577913a75c5f6dee0fdd Mon Sep 17 00:00:00 2001
From: Jonathan Druart
Date: Fri, 15 Mar 2024 11:37:43 +0100
Subject: [PATCH] Bug 19613: Scrub borrowers fields: borrowernotes opacnote

To prevent XSS

Signed-off-by: David Cook
Signed-off-by: Nick Clemens
(cherry picked from commit 83db8696ca7a83aba224a0ab645f03447a96887b)
Signed-off-by: Fridolin Somers
(cherry picked from commit 383984a0164adabc79e91ad11e2e930f5e070ed9)
Signed-off-by: Lucas Gass
---
 Koha/Patron.pm | 7 +++++++
 t/db_dependent/Koha/Patron.t | 34 +++++++++++++++++++++++++++++++++-
 2 files changed, 40 insertions(+), 1 deletion(-)
diff --git a/Koha/Patron.pm b/Koha/Patron.pm
index 1c9a518831..a4d35a3382 100644
--- a/Koha/Patron.pm
+++ b/Koha/Patron.pm
@@ -28,6 +28,7 @@ use Try::Tiny;
 use C4::Context;
 use C4::Auth qw( checkpw_hash );
 use C4::Log qw( logaction );
+use C4::Scrubber;
 use Koha::Account;
 use Koha::ArticleRequests;
 use C4::Letters qw( GetPreparedLetter EnqueueLetter SendQueuedMessages );
@@ -222,6 +223,12 @@ sub store {
 if defined $self->relationship and $self->relationship eq "";
+ for my $note_field ( qw( borrowernotes opacnote ) ) {
+ if ( !$self->in_storage || $self->_result->is_column_changed($note_field) ) {
+ $self->$note_field(C4::Scrubber->new('comment')->scrub($self->$note_field));
+ }
+ }
+
 unless ( $self->in_storage ) { #AddMember # Generate a valid userid/login if needed
diff --git a/t/db_dependent/Koha/Patron.t b/t/db_dependent/Koha/Patron.t
index ea812ebf9d..5eb35c96e2 100755
--- a/t/db_dependent/Koha/Patron.t
+++ b/t/db_dependent/Koha/Patron.t
@@ -19,7 +19,7 @@ use Modern::Perl;
-use Test::More tests => 25;
+use Test::More tests => 26;
 use Test::Exception;
 use Test::Warn;
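Review bot: The loop hands `$self->$note_field` to the scrubber even when the field is undef — for a new patron both fields are processed unconditionally because `!$self->in_storage` is true — so if `C4::Scrubber->scrub` turns undef into an empty string, NULL notes will be persisted as '' (and may raise 'uninitialized' warnings); a `next unless defined $self->$note_field;` at the top of the loop body keeps NULL as NULL. `C4::Scrubber->new('comment')` is also built once per field inside the loop; hoisting it to `my $scrubber = C4::Scrubber->new('comment');` before the `for` does that work once. Because the condition only covers new or changed values, notes stored before this patch stay as they were, so the templates rendering these fields still need to escape them. `store`'s body begins and ends outside the hunk.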
@@ -1794,3 +1794,35 @@ subtest 'update privacy tests' => sub {
 $schema->storage->txn_rollback;
 };
+
+subtest 'Scrub the note fields' => sub {
+ plan tests => 4;
+
+ $schema->storage->txn_begin;
+
+ my $bad_message = 'allgoodnow';
+ my $cleaned_message = 'allgoodnow';
+ my $tmp_patron = $builder->build_object( { class => 'Koha::Patrons' } );
+ my $patron_data = $tmp_patron->unblessed;
+ $tmp_patron->delete;
+ delete $tmp_patron->{borrowernumber};
+
+ my $patron = Koha::Patron->new(
+
+ {
+ %$patron_data,
+ borrowernotes => $bad_message, opacnote => $bad_message,
+ }
+ )->store;
+
+ is( $patron->get_from_storage->borrowernotes, $cleaned_message );
+ is( $patron->get_from_storage->opacnote, $cleaned_message );
+
+ $patron->borrowernotes($bad_message)->store;
+ $patron->opacnote($bad_message)->store;
+
+ is( $patron->get_from_storage->borrowernotes, $cleaned_message );
+ is( $patron->get_from_storage->opacnote, $cleaned_message );
+
+ $schema->storage->txn_rollback;
+};
--
2.39.5
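Review bot: `delete $tmp_patron->{borrowernumber};` removes a key from the object itself, not from the `$patron_data` hashref, so the `borrowernumber` copied by `unblessed` is still passed to `Koha::Patron->new` and the new row reuses the deleted patron's number; the intended line is presumably `delete $patron_data->{borrowernumber};`. As rendered here `$bad_message` and `$cleaned_message` are both `'allgoodnow'`, so the four `is` assertions would also pass with no scrubbing at all — if markup was lost in rendering this is moot, otherwise `$bad_message` needs content the 'comment' profile removes and `$cleaned_message` the expected scrubbed result. The `is` calls also carry no descriptions; one per check (e.g. `'borrowernotes scrubbed on insert'`) makes a failure readable.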