From 9bdea2e3691fd62e777cc974f89b867a69eec9a8 Mon Sep 17 00:00:00 2001
From: Jonathan Druart
Date: Fri, 22 Jul 2016 08:30:54 +0100
Subject: [PATCH] Bug 16878: Fix XSS in opac-memberentry

The vars are gotten from the url and sent to the template as it. They must be escaped.

Test plan:
I have not managed to create the original issue, so there is no test plan for the XSS fix, but you can confirm there is no regression.

Signed-off-by: Chris Cormack
Signed-off-by: Katrin Fischer
Signed-off-by: Brendan Gallagher
---
 opac/opac-memberentry.pl | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/opac/opac-memberentry.pl b/opac/opac-memberentry.pl
index b73ee1b0bc..61cfaa18b2 100755
--- a/opac/opac-memberentry.pl
+++ b/opac/opac-memberentry.pl
@@ -21,6 +21,7 @@ use CGI qw ( -utf8 );
 use Digest::MD5 qw( md5_base64 md5_hex );
 use String::Random qw( random_string );
 use WWW::CSRF qw(generate_csrf_token check_csrf_token CSRF_OK);
+use HTML::Entities;
 
 use C4::Auth;
 use C4::Output;
@@ -360,7 +361,7 @@ sub ParseCgiForBorrower {
     foreach ( $cgi->param ) {
         if ( $_ =~ '^borrower_' ) {
             my ($key) = substr( $_, 9 );
-            $borrower{$key} = $scrubber->scrub( $cgi->param($_) );
+            $borrower{$key} = HTML::Entities::encode( $scrubber->scrub( $cgi->param($_) ) );
         }
     }
 
-- 
2.20.1
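Review bot: The added line in the second hunk applies HTML entity encoding at the point where `%borrower` is populated, i.e. on input rather than on output; if `%borrower` is later written to the borrowers table or rendered through a template that already applies its own `html` filter (not visible here, so to be confirmed), a value such as `O'Brien` is persisted as `O&#39;Brien` and double-escaped on display, and every non-HTML consumer of that record sees entity-encoded text. The robust fix for an XSS sink is to escape in the template at the output site and keep this line as `$borrower{$key} = $scrubber->scrub( $cgi->param($_) );`, or, if input-side encoding is kept deliberately, document why with a comment such as `# values are stored HTML-encoded; templates must not escape them again`. Independently, `$cgi->param($_)` is evaluated in list context as an argument to `scrub`, so a parameter submitted more than once passes extra arguments into the scrubber; `scalar $cgi->param($_)` pins it to a single value. The enclosing sub `ParseCgiForBorrower` starts before the hunk and its end is not shown.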