From a1045024372ceb2f149ca2c15f138f0542fc0b8c Mon Sep 17 00:00:00 2001 From: Kyle M Hall Date: Thu, 21 Mar 2024 09:30:26 -0400 Subject: [PATCH] Bug 36382: XSS in showLastPatron dropdown 1) Set borrower surname to: 2) Save, nothing happens 3) Enable showLastPatron 4) Reload patron 5) Note the alert popup 6) Apply this patch 7) Reload patron 8) No alert! Signed-off-by: Owen Leonard Signed-off-by: Marcel de Rooy Signed-off-by: Tomas Cohen Arazi --- koha-tmpl/intranet-tmpl/prog/js/staff-global.js | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/koha-tmpl/intranet-tmpl/prog/js/staff-global.js b/koha-tmpl/intranet-tmpl/prog/js/staff-global.js index e2b9d175d9..d68bb9a56a 100644 --- a/koha-tmpl/intranet-tmpl/prog/js/staff-global.js +++ b/koha-tmpl/intranet-tmpl/prog/js/staff-global.js @@ -31,6 +31,8 @@ var HtmlCharsToEscape = { "&": "&", "<": "<", ">": ">", + "'": ''', + '"': '"' }; String.prototype.escapeHtml = function () { return this.replace(/[&<>]/g, function (c) { @@ -204,9 +206,9 @@ $(document).ready(function () { }); const previous_patron = { - borrowernumber: $("#hiddenborrowernumber").val(), - name: $("#hiddenborrowername").val(), - card: $("#hiddenborrowercard").val(), + borrowernumber: escape_str($("#hiddenborrowernumber").val()), + name: escape_str($("#hiddenborrowername").val()), + card: escape_str($("#hiddenborrowercard").val()) }; previous_patrons.unshift(previous_patron); -- 2.39.5
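Review bot: The two entries added to `HtmlCharsToEscape` (`'` and `"`) are never reached by the `escapeHtml` shown directly under them, because its character class is still `/[&<>]/g`; the replacer should be widened to `/[&<>'"]/g` so the map and the regex agree, otherwise single- and double-quoted attribute contexts stay unescaped for callers of `escapeHtml`. The replacement values render as the bare characters in this view (`"&": "&"`), which looks like the entities (`&amp;`, `&#39;`, `&quot;`) were decoded during extraction rather than a bug in the patch — worth confirming against the file, since a map that maps `&` to `&` would be a no-op. A short comment would help the next reader, e.g. `// keys must match the character class in escapeHtml below`.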
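Review bot: The second hunk escapes the three patron fields through `escape_str`, a helper not defined in either hunk and distinct from the `escapeHtml` touched above, so the map change in hunk one does not by itself prove the dropdown is fixed — confirm `escape_str` encodes `'` and `"` as well as `<>&`. Escaping happens here at capture time, when the entry is pushed into `previous_patrons`, rather than where the dropdown markup is built; if that list is persisted and re-read elsewhere (not visible here), entries stored before this patch remain unescaped, and a renderer that escapes again would double-encode names containing `&`. Escaping in the rendering code, or documenting on this object that its fields are already HTML-encoded (`// values are HTML-escaped; insert as markup, do not escape again`), would make the contract explicit. The enclosing `$(document).ready` callback starts and ends outside the hunk.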