From 5c3f36279b93e13be4773c7b88df39c99f8b2aca Mon Sep 17 00:00:00 2001
From: Galen Charlton
Date: Mon, 13 Jan 2014 21:51:56 +0000
Subject: [PATCH] Bug 11535: sanitize input from patron self-registration form

This patch adds the use of C4::Scrubber to the processing of input from the patron self-registration form, thereby closing off one avenue for Javascript injection.
To test:
[1] Use the OPAC self-registration form to enter a new patron, and set its address to something like: BAD
[2] In the staff interface, bring up the new patron record. The address will show up in red, indicating a successful HTML injection.
[3] Apply the patch and use self-registration to enter a new patron with a similar case of unwanted HTML coding.
[4] Bring up the second patron in the staff interface. This time, the undesirable HTML tag should not be present.
Signed-off-by: Galen Charlton
Signed-off-by: Liz Rea
Tags are not present on testing.
Signed-off-by: Katrin Fischer
Confirmed bug and that the patch fixes it. Passes all tests and QA script.
Signed-off-by: Galen Charlton
---
 opac/opac-memberentry.pl | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/opac/opac-memberentry.pl b/opac/opac-memberentry.pl
index c5c84e09ec..76fd32b453 100755
--- a/opac/opac-memberentry.pl
+++ b/opac/opac-memberentry.pl
@@ -26,6 +26,7 @@ use C4::Output;
 use C4::Members;
 use Koha::Borrower::Modifications;
 use C4::Branch qw(GetBranchesLoop);
+use C4::Scrubber;
 my $cgi = new CGI;
 my $dbh = C4::Context->dbh;
@@ -276,12 +277,13 @@ sub CheckMandatoryFields {
 sub ParseCgiForBorrower {
 my ($cgi) = @_;
+ my $scrubber = C4::Scrubber->new();
 my %borrower;
 foreach ( $cgi->param ) {
 if ( $_ =~ '^borrower_' ) {
 my ($key) = substr( $_, 9 );
- $borrower{$key} = $cgi->param($_);
+ $borrower{$key} = $scrubber->scrub( $cgi->param($_) );
 }
 }
-- 
2.39.5
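Review bot: In the replaced assignment inside ParseCgiForBorrower, `$cgi->param($_)` is now evaluated in list context as an argument to `scrub`, whereas the old scalar assignment took only the first value; for a field submitted more than once every value is handed to `scrub`, and which one ends up in `$borrower{$key}` depends on how `scrub` treats extra arguments. Forcing scalar context keeps the previous single-value semantics explicit: `$borrower{$key} = $scrubber->scrub( scalar $cgi->param($_) );`. The scrubber is built with `C4::Scrubber->new()` and no profile, so a short comment stating that the default profile is the one intended to strip all markup (which the test plan relies on) would make that choice visible to the next maintainer. Input scrubbing narrows what is stored but does not replace output escaping in the templates that render these fields. ParseCgiForBorrower continues past the end of the hunk.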