From b31c732105a3a882510ff25406998ea7a77d7ece Mon Sep 17 00:00:00 2001
From: Jonathan Druart
Date: Fri, 15 Mar 2024 11:37:43 +0100
Subject: [PATCH] Bug 19613: Scrub borrowers fields: borrowernotes opacnote

To prevent XSS

Signed-off-by: David Cook
Signed-off-by: Nick Clemens
Signed-off-by: Tomas Cohen Arazi
---
 Koha/Patron.pm | 7 +++++++
 t/db_dependent/Koha/Patron.t | 34 +++++++++++++++++++++++++++++++++-
 2 files changed, 40 insertions(+), 1 deletion(-)

diff --git a/Koha/Patron.pm b/Koha/Patron.pm
index 1524419a7d..6e5da3f51e 100644
--- a/Koha/Patron.pm
+++ b/Koha/Patron.pm
@@ -30,6 +30,7 @@ use C4::Auth qw( checkpw_hash );
 use C4::Context;
 use C4::Letters qw( GetPreparedLetter EnqueueLetter SendQueuedMessages );
 use C4::Log qw( logaction );
+use C4::Scrubber;
 use Koha::Account;
 use Koha::ArticleRequests;
 use Koha::AuthUtils;
@@ -231,6 +232,12 @@ sub store {
 if defined $self->relationship and $self->relationship eq "";
+ for my $note_field ( qw( borrowernotes opacnote ) ) {
+ if ( !$self->in_storage || $self->_result->is_column_changed($note_field) ) {
+ $self->$note_field(C4::Scrubber->new('comment')->scrub($self->$note_field));
+ }
+ }
+
 unless ( $self->in_storage ) { #AddMember # Generate a valid userid/login if needed
diff --git a/t/db_dependent/Koha/Patron.t b/t/db_dependent/Koha/Patron.t
index 9d5e3e0c6c..bad1cc1bfa 100755
--- a/t/db_dependent/Koha/Patron.t
+++ b/t/db_dependent/Koha/Patron.t
@@ -19,7 +19,7 @@ use Modern::Perl;
-use Test::More tests => 32;
+use Test::More tests => 33;
 use Test::Exception;
 use Test::Warn;
 use Time::Fake;
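Review bot: In the `sub store` hunk the scrub runs for every not-yet-stored patron whether or not a note was supplied, so `$self->$note_field` reaches `scrub` even when it is undef; depending on what C4::Scrubber returns for undef, a NULL note could be written back as an empty string, so I would add `next unless defined $self->$note_field;` at the top of the loop body. A lesser point: `C4::Scrubber->new('comment')` is rebuilt on every iteration and could be hoisted above the `for`. Note also that only changed columns are scrubbed, so notes already stored before this patch remain unscrubbed until they are edited, and the 'comment' profile presumably still permits some markup, so output-side escaping in the templates stays the primary XSS defense and should not be relaxed on the strength of this change. `store` starts and ends outside this hunk.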
@@ -2247,3 +2247,35 @@ subtest 'guarantor requirements tests' => sub {
 'Koha::Exceptions::Patron::Relationship::NoGuarantor',
 'Exception thrown when guarantor is deleted.';
 };
+
+subtest 'Scrub the note fields' => sub {
+ plan tests => 4;
+
+ $schema->storage->txn_begin;
+
+ my $bad_message = 'allgoodnow';
+ my $cleaned_message = 'allgoodnow';
+ my $tmp_patron = $builder->build_object( { class => 'Koha::Patrons' } );
+ my $patron_data = $tmp_patron->unblessed;
+ $tmp_patron->delete;
+ delete $tmp_patron->{borrowernumber};
+
+ my $patron = Koha::Patron->new(
+
+ {
+ %$patron_data,
+ borrowernotes => $bad_message, opacnote => $bad_message,
+ }
+ )->store;
+
+ is( $patron->get_from_storage->borrowernotes, $cleaned_message );
+ is( $patron->get_from_storage->opacnote, $cleaned_message );
+
+ $patron->borrowernotes($bad_message)->store;
+ $patron->opacnote($bad_message)->store;
+
+ is( $patron->get_from_storage->borrowernotes, $cleaned_message );
+ is( $patron->get_from_storage->opacnote, $cleaned_message );
+
+ $schema->storage->txn_rollback;
+};
-- 
2.39.5
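Review bot: As shown here `$bad_message` and `$cleaned_message` are the same literal `'allgoodnow'`, so all four `is(...)` assertions pass even if `scrub` were a no-op and the subtest does not demonstrate that markup is removed; if the page stripped a tag out of the literal then this copy is misleading, and otherwise the test needs a real payload such as `my $bad_message = '<script>alert("booh!")</script>allgoodnow';` with `$cleaned_message` set to whatever the 'comment' profile is expected to leave behind. The `is` calls also carry no description, which makes a failure hard to attribute; something like `is( $patron->get_from_storage->borrowernotes, $cleaned_message, 'borrowernotes scrubbed on insert' )` on each would help. The subtest is complete within the hunk.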