git.koha-community.org Git - koha.git/commit
Bug 11535: sanitize input from patron self-registration form
author    Galen Charlton <gmc@esilibrary.com>
          Mon, 13 Jan 2014 21:51:56 +0000 (21:51 +0000)
committer Fridolin SOMERS <fridolin.somers@biblibre.com>
          Tue, 14 Jan 2014 16:43:36 +0000 (17:43 +0100)
commit    faf3b5f3f84b0c8b8497fdac368edf00dfb546da
tree      a612f593d9e8b16c62da1c9b0009b4baa863d3a8
parent    810168643d02ebb69c2d56a5fa17b811b06d68a8
Bug 11535: sanitize input from patron self-registration form

This patch adds the use of C4::Scrubber to the processing of input
from the patron self-registration form, thereby closing off one
avenue for Javascript injection.

To test:

[1] Use the OPAC self-registration form to enter a new patron,
    and set its address to something like:

    <span style="color: red;">BAD</span>

[2] In the staff interface, bring up the new patron record.  The
    address will show up in red, indicating a successful HTML
    injection.
[3] Apply the patch and use self-registration to enter a new
    patron with a similar case of unwanted HTML coding.
[4] Bring up the second patron in the staff interface.  This time,
    the undesirable HTML tag should not be present.

Signed-off-by: Galen Charlton <gmc@esilibrary.com>
Signed-off-by: Liz Rea <liz@catalyst.net.nz>
Tags are not present on testing.

Signed-off-by: Katrin Fischer <Katrin.Fischer.83@web.de>
Confirmed bug and that the patch fixes it.
Passes all tests and QA script.

Signed-off-by: Galen Charlton <gmc@esilibrary.com>
(cherry picked from commit 5c3f36279b93e13be4773c7b88df39c99f8b2aca)
Signed-off-by: Fridolin SOMERS <fridolin.somers@biblibre.com>
opac/opac-memberentry.pl
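The commit message above describes the fix only in outline: form fields are passed through C4::Scrubber before they reach the borrower record, so the `<span style="color: red;">BAD</span>` test value loses its tag. The script below is an added illustration of that before/after behaviour; it is not Koha's code and not part of this commit. It assumes the CPAN module HTML::Scrubber is installed (C4::Scrubber is Koha's thin wrapper around it) and uses constructed field names and values, with the address value taken from the test plan in the commit message.

```perl
#!/usr/bin/perl
# Added illustration, not Koha's own code: strip markup from self-registration
# fields before they are stored, as the patch above does with C4::Scrubber.
# Assumptions: HTML::Scrubber is installed (C4::Scrubber wraps it); the field
# names and submitted values below are constructed for this example.
use strict;
use warnings;
use HTML::Scrubber;

# Constructed sample of what the OPAC self-registration form might submit.
# The address is the injection case from the commit message's test plan.
my %submitted = (
    surname => 'Doe',
    address => '<span style="color: red;">BAD</span>',
);

# Before the patch: values were stored unchanged, so the staff interface
# rendered the <span> and the address showed up in red.
my %stored_before = %submitted;

# After the patch: each value passes through a scrubber with no allow list,
# which is HTML::Scrubber's default and removes every tag while keeping the
# text between them.
my $scrubber = HTML::Scrubber->new;

sub sanitise_fields {
    my ( $scrub, %fields ) = @_;
    my %clean;
    for my $name ( keys %fields ) {
        $clean{$name} = $scrub->scrub( $fields{$name} );
    }
    return %clean;
}

my %stored_after = sanitise_fields( $scrubber, %submitted );

for my $name ( sort keys %submitted ) {
    printf "%-8s before: %s\n", $name, $stored_before{$name};
    printf "%-8s after:  %s\n", $name, $stored_after{$name};
}
```

Run with `perl` after installing HTML::Scrubber from CPAN; the surname passes through untouched while the address is reduced to the bare text `BAD`. The scrubber is applied to every submitted field rather than only to the address, since any free-text field on the form is stored and later rendered in the staff interface.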