From b505c6b7d636f262eadef82984b83b5194438724 Mon Sep 17 00:00:00 2001
From: Jonathan Druart
Date: Fri, 22 Jul 2016 08:30:54 +0100
Subject: [PATCH] Bug 16878: Fix XSS in opac-memberentry
MIME-Version: 1.0
Content-Type: text/plain; charset=utf8
Content-Transfer-Encoding: 8bit

The vars are gotten from the url and sent to the template as it.
They must be escaped.

Test plan:
I have not managed to create the original issue, so there is no test plan for the XSS fix, but you can confirm there is no regression.

Signed-off-by: Chris Cormack
Signed-off-by: Katrin Fischer
Signed-off-by: Brendan Gallagher

(cherry picked from commit 9bdea2e3691fd62e777cc974f89b867a69eec9a8)
Signed-off-by: Frédéric Demians
---
 opac/opac-memberentry.pl | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/opac/opac-memberentry.pl b/opac/opac-memberentry.pl
index 7f109433a3..cd6337d787 100755
--- a/opac/opac-memberentry.pl
+++ b/opac/opac-memberentry.pl
@@ -20,7 +20,7 @@ use Modern::Perl;
 use CGI qw ( -utf8 );
 use Digest::MD5 qw( md5_base64 md5_hex );
 use String::Random qw( random_string );
-
+use HTML::Entities;
 use C4::Auth;
 use C4::Output;
 use C4::Members;
@@ -352,7 +352,7 @@ sub ParseCgiForBorrower {
 foreach ( $cgi->param ) {
 if ( $_ =~ '^borrower_' ) {
 my ($key) = substr( $_, 9 );
- $borrower{$key} = $scrubber->scrub( $cgi->param($_) );
+ $borrower{$key} = HTML::Entities::encode( $scrubber->scrub( $cgi->param($_) ) );
 }
 }
-- 
2.39.5
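Review bot: The added line in ParseCgiForBorrower applies HTML::Entities::encode at input time, so every later consumer of `%borrower` receives entity-encoded text instead of the patron's actual data; with no second argument, encode() also converts every non-ASCII character, so if this hash feeds the record that gets saved — which the sub's name suggests but the hunk does not show — stored values would carry `&eacute;`-style entities, and any template that already applies an html filter would double-escape them to `&amp;lt;`. The usual fix is to keep the scrubbed value raw here and escape at the point of output: revert to `$borrower{$key} = $scrubber->scrub( scalar $cgi->param($_) );` and apply `| html` to each borrower field where the opac-memberentry template prints it. The `scalar` is worth adding while touching the line, since `$cgi->param($_)` is evaluated in list context inside the argument list and a repeated parameter would expand into several arguments to scrub(). The rest of ParseCgiForBorrower, including where `%borrower` is returned, lies outside the hunk.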