From 03798eebdc5f8a4dc62bf286486b6948a46f827e Mon Sep 17 00:00:00 2001
From: Jonathan Druart
Date: Mon, 25 Jul 2022 09:23:25 +0200
Subject: [PATCH] Bug 31219: Prevent JS injection in patron extended attributes

We are sanitizing other attributes but "extended patron attributes".

Test plan:
Make a patron attribute editable at the OPAC
Edit an existing patron, or register a new one
Use a script tag in the new value ("" for instance)
With this patch the value is remove if containing an HTML tag that is not br b i em big small strong (see C4::Scrubber)

Signed-off-by: Mark Hofstetter
Signed-off-by: Katrin Fischer
Signed-off-by: Lucas Gass
(cherry picked from commit cf773c9f1c21cd67fbb0475770b121d64bc5960f)
Signed-off-by: Arthur Suzuki
---
 opac/opac-memberentry.pl | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/opac/opac-memberentry.pl b/opac/opac-memberentry.pl
index 479bc9171f..9c8ccfcd5e 100755
--- a/opac/opac-memberentry.pl
+++ b/opac/opac-memberentry.pl
@@ -737,6 +737,7 @@ sub ParsePatronAttributes {
     my $delete_candidates = {};
+    my $scrubber = C4::Scrubber->new();
     while ( my ( $code, $value ) = $ea->() ) {
         if ( any { $_ eq $code } @editable_attribute_types ) {
             # It is an editable attribute
@@ -746,7 +747,7 @@ sub ParsePatronAttributes {
             }
             else {
                 # we've got a value
-                push @attributes, { code => $code, attribute => $value };
+                push @attributes, { code => $code, attribute => $scrubber->scrub( $value ) };
                 # 'code' is no longer a delete candidate
                 delete $delete_candidates->{$code}
-- 
2.39.5
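Review bot: `$scrubber->scrub( $value )` is applied only in the `else` branch, after the preceding branch has already classified `$value` as non-empty (that test sits outside the hunk, so this is inferred from the `# we've got a value` comment), so a submission consisting solely of disallowed markup is stored as an empty attribute rather than being treated as a deletion. Scrubbing once at the top of the loop body, `$value = $scrubber->scrub( $value );` before the emptiness check, would keep the two paths consistent and also documents that every stored value has passed the filter. The allow-list still admits `b`, `i`, `em` and similar tags, so templates that render `attribute` must keep their HTML-escaping filter; this scrub is input hardening, not a replacement for output encoding. ParsePatronAttributes starts and ends outside both hunks, and only the OPAC entry point is covered here — other writers of the same attribute values, if any, are unchanged by this patch.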