From 9bdea2e3691fd62e777cc974f89b867a69eec9a8 Mon Sep 17 00:00:00 2001 From: Jonathan Druart Date: Fri, 22 Jul 2016 08:30:54 +0100 Subject: [PATCH] Bug 16878: Fix XSS in opac-memberentry The vars are gotten from the url and sent to the template as it. They must be escaped. Test plan: I have not managed to create the original issue, so there is no test plan for the XSS fix, but you can confirm there is no regression. Signed-off-by: Chris Cormack Signed-off-by: Katrin Fischer Signed-off-by: Brendan Gallagher --- opac/opac-memberentry.pl | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/opac/opac-memberentry.pl b/opac/opac-memberentry.pl index b73ee1b0bc..61cfaa18b2 100755 --- a/opac/opac-memberentry.pl +++ b/opac/opac-memberentry.pl @@ -21,6 +21,7 @@ use CGI qw ( -utf8 ); use Digest::MD5 qw( md5_base64 md5_hex ); use String::Random qw( random_string ); use WWW::CSRF qw(generate_csrf_token check_csrf_token CSRF_OK); +use HTML::Entities; use C4::Auth; use C4::Output; @@ -360,7 +361,7 @@ sub ParseCgiForBorrower { foreach ( $cgi->param ) { if ( $_ =~ '^borrower_' ) { my ($key) = substr( $_, 9 ); - $borrower{$key} = $scrubber->scrub( $cgi->param($_) ); + $borrower{$key} = HTML::Entities::encode( $scrubber->scrub( $cgi->param($_) ) ); } } -- 2.39.5