From 542c0dbbaa8bff5a101058e0e2397e21edf8f192 Mon Sep 17 00:00:00 2001
From: Jonathan Druart
Date: Tue, 2 Aug 2016 15:41:49 +0100
Subject: [PATCH] Bug 17028: Fix XSS in reserve/request.pl
MIME-Version: 1.0
Content-Type: text/plain; charset=utf8
Content-Transfer-Encoding: 8bit

Test plan:
Hit /cgi-bin/koha/reserve/request.pl?biblionumber=1">
=> Without this patch you will see the alert
=> With this patch, no more alert

Signed-off-by: Chris Cormack
Signed-off-by: Katrin Fischer
Signed-off-by: Brendan Gallagher

(cherry picked from commit 66f81fc2101f194d39592bc28f3e2ff69764bc00)
Signed-off-by: Frédéric Demians
---
 reserve/request.pl | 1 +
 1 file changed, 1 insertion(+)

diff --git a/reserve/request.pl b/reserve/request.pl
index 1826e0014a..8e151d2295 100755
--- a/reserve/request.pl
+++ b/reserve/request.pl
@@ -212,6 +212,7 @@ my $borrowerinfo = GetMember( borrowernumber => $borrowernumber_hold );
 my $itemdata_enumchron = 0;
 my @biblioloop = ();
 foreach my $biblionumber (@biblionumbers) {
+ next unless $biblionumber =~ m|^\d+$|;
 my %biblioloopiter = ();
-- 
2.39.5
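Review bot: The added guard `next unless $biblionumber =~ m|^\d+$|;` at the top of the foreach body still accepts a value that ends in a newline, because `$` matches before a trailing "\n"; `next unless $biblionumber =~ m{\A\d+\z};` pins both ends of the string. The check also runs only inside this loop, so any other use of @biblionumbers (the array is populated outside the hunk) stays unfiltered; applying it once where the array is built, e.g. `@biblionumbers = grep { m{\A\d+\z} } @biblionumbers;`, would cover every consumer. Silently skipping a bad value is defensible for a display page, but a short comment such as `# biblionumber comes from the query string; drop anything that is not an integer id` would record why the check sits here, since the template's output escaping remains the primary defence. The foreach body continues past the end of the hunk.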