Bug 19086: Fix Stored XSS in circulation.pl

[srvgit] / members / statistics.pl

diff --git a/members/statistics.pl b/members/statistics.pl
index a59ce7b..55d5ed0 100755 (executable)
--- a/members/statistics.pl
+++ b/members/statistics.pl
@@ -31,7 +31,7 @@ use C4::Members;
 use C4::Members::Statistics;
 use C4::Members::Attributes qw(GetBorrowerAttributes);
 use C4::Output;
-use Koha::Patron::Images;
+use Koha::Patrons;
 
 my $input = new CGI;
 
@@ -48,13 +48,17 @@ my ( $template, $loggedinuser, $cookie ) = get_template_and_user(
 my $borrowernumber = $input->param('borrowernumber');
 
 # Set informations for the patron
-my $borrower = GetMember( borrowernumber => $borrowernumber );
-if ( not defined $borrower ) {
-    $template->param (unknowuser => 1);
-    output_html_with_http_headers $input, $cookie, $template->output;
+my $patron = Koha::Patrons->find( $borrowernumber );
+unless ( $patron ) {
+    print $input->redirect("/cgi-bin/koha/circ/circulation.pl?borrowernumber=$borrowernumber");
     exit;
 }
 
+my $category = $patron->category;
+my $borrower= $patron->unblessed;
+$borrower->{description} = $category->description;
+$borrower->{category_type} = $category->category_type;
+
 foreach my $key ( keys %$borrower ) {
     $template->param( $key => $borrower->{$key} );
 }
@@ -92,12 +96,11 @@ if (C4::Context->preference('ExtendedPatronAttributes')) {
     );
 }
 
-my $patron_image = Koha::Patron::Images->find($borrower->{borrowernumber});
-$template->param( picture => 1 ) if $patron_image;
+$template->param( picture => 1 ) if $patron->image;
 
 $template->param(%$borrower);
 
-$template->param( adultborrower => 1 ) if ( $borrower->{category_type} eq 'A' );
+$template->param( adultborrower => 1 ) if ( $borrower->{category_type} eq 'A' || $borrower->{category_type} eq 'I' );
 
 $template->param(
     statisticsview     => 1,