From 542c0dbbaa8bff5a101058e0e2397e21edf8f192 Mon Sep 17 00:00:00 2001
From: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Date: Tue, 2 Aug 2016 15:41:49 +0100
Subject: [PATCH] Bug 17028: Fix XSS in reserve/request.pl
MIME-Version: 1.0
Content-Type: text/plain; charset=utf8
Content-Transfer-Encoding: 8bit

Test plan:
Hit
  /cgi-bin/koha/reserve/request.pl?biblionumber=1"><script type="text/javascript">alert("XSS")</script>

=> Without this patch you will see the alert
=> With this patch, no more alert

Signed-off-by: Chris Cormack <chris@bigballofwax.co.nz>

Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>

Signed-off-by: Brendan Gallagher <brendan@bywatersolutions.com>
(cherry picked from commit 66f81fc2101f194d39592bc28f3e2ff69764bc00)
Signed-off-by: Frédéric Demians <f.demians@tamil.fr>
---
 reserve/request.pl | 1 +
 1 file changed, 1 insertion(+)

diff --git a/reserve/request.pl b/reserve/request.pl
index 1826e0014a..8e151d2295 100755
--- a/reserve/request.pl
+++ b/reserve/request.pl
@@ -212,6 +212,7 @@ my $borrowerinfo = GetMember( borrowernumber => $borrowernumber_hold );
 my $itemdata_enumchron = 0;
 my @biblioloop = ();
 foreach my $biblionumber (@biblionumbers) {
+    next unless $biblionumber =~ m|^\d+$|;
 
     my %biblioloopiter = ();
 
-- 
2.39.5