We are sanitizing other attributes but "extended patron attributes".
Test plan:
Make a patron attribute editable at the OPAC
Edit an existing patron, or register a new one
Use a script tag in the new value ("<script>alert("booh!")</script>" for
instance)
With this patch the value is remove if containing an HTML tag that is
not br b i em big small strong (see C4::Scrubber)
Signed-off-by: Mark Hofstetter <koha@trust-box.at>
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
Signed-off-by: Lucas Gass <lucas@bywatersolutions.com>
(cherry picked from commit
cf773c9f1c21cd67fbb0475770b121d64bc5960f)
Signed-off-by: Arthur Suzuki <arthur.suzuki@biblibre.com>
my $delete_candidates = {};
+ my $scrubber = C4::Scrubber->new();
while ( my ( $code, $value ) = $ea->() ) {
if ( any { $_ eq $code } @editable_attribute_types ) {
# It is an editable attribute
}
else {
# we've got a value
- push @attributes, { code => $code, attribute => $value };
+ push @attributes, { code => $code, attribute => $scrubber->scrub( $value ) };
# 'code' is no longer a delete candidate
delete $delete_candidates->{$code}