]> git.koha-community.org Git - koha.git/commit
Bug 31219: Prevent JS injection in patron extended attributes
authorJonathan Druart <jonathan.druart@bugs.koha-community.org>
Mon, 25 Jul 2022 07:23:25 +0000 (09:23 +0200)
committerVictor Grousset/tuxayo <victor@tuxayo.net>
Mon, 24 Oct 2022 16:05:06 +0000 (18:05 +0200)
commit40d22a14c6fec64e50dee5b6b6bb155303951d25
treeb951911887e2b01d1f685f5dd2a3a03cae1bb98b
parent66b25af88fcc12c982bdd10d943ce88407a030f2
Bug 31219: Prevent JS injection in patron extended attributes

We are sanitizing other attributes but "extended patron attributes".

Test plan:
Make a patron attribute editable at the OPAC
Edit an existing patron, or register a new one
Use a script tag in the new value ("<script>alert("booh!")</script>" for
instance)
With this patch the value is remove if containing an HTML tag that is
not br b i em big small strong (see C4::Scrubber)

Signed-off-by: Mark Hofstetter <koha@trust-box.at>
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
Signed-off-by: Lucas Gass <lucas@bywatersolutions.com>
(cherry picked from commit ddaa78bdab360f41b9e3672de7f50cd3053b9116)
Signed-off-by: Victor Grousset/tuxayo <victor@tuxayo.net>
opac/opac-memberentry.pl