From ddaa78bdab360f41b9e3672de7f50cd3053b9116 Mon Sep 17 00:00:00 2001
From: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Date: Mon, 25 Jul 2022 09:23:25 +0200
Subject: [PATCH] Bug 31219: Prevent JS injection in patron extended attributes

We are sanitizing other attributes but "extended patron attributes".

Test plan:
Make a patron attribute editable at the OPAC
Edit an existing patron, or register a new one
Use a script tag in the new value ("<script>alert("booh!")</script>" for
instance)
With this patch the value is remove if containing an HTML tag that is
not br b i em big small strong (see C4::Scrubber)

Signed-off-by: Mark Hofstetter <koha@trust-box.at>
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>

Signed-off-by: Lucas Gass <lucas@bywatersolutions.com>
---
 opac/opac-memberentry.pl | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/opac/opac-memberentry.pl b/opac/opac-memberentry.pl
index f456362c3a..e1a86e65b3 100755
--- a/opac/opac-memberentry.pl
+++ b/opac/opac-memberentry.pl
@@ -739,6 +739,7 @@ sub ParsePatronAttributes {
 
     my $delete_candidates = {};
 
+    my $scrubber = C4::Scrubber->new();
     while ( my ( $code, $value ) = $ea->() ) {
         if ( any { $_ eq $code } @editable_attribute_types ) {
             # It is an editable attribute
@@ -748,7 +749,7 @@ sub ParsePatronAttributes {
             }
             else {
                 # we've got a value
-                push @attributes, { code => $code, attribute => $value };
+                push @attributes, { code => $code, attribute => $scrubber->scrub( $value ) };
 
                 # 'code' is no longer a delete candidate
                 delete $delete_candidates->{$code}
-- 
2.20.1