Bug 31219: Prevent JS injection in patron extended attributes
We are sanitizing other attributes but "extended patron attributes".
Test plan:
Make a patron attribute editable at the OPAC
Edit an existing patron, or register a new one
Use a script tag in the new value ("<script>alert("booh!")</script>" for
instance)
With this patch the value is remove if containing an HTML tag that is
not br b i em big small strong (see C4::Scrubber)
Signed-off-by: Mark Hofstetter <koha@trust-box.at> Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de> Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
projects / koha.git / commit