Bug 31219: Prevent JS injection in patron extended attributes
author    Jonathan Druart <jonathan.druart@bugs.koha-community.org>
          Mon, 25 Jul 2022 07:23:25 +0000 (09:23 +0200)
committer Lucas Gass <lucas@bywatersolutions.com>
          Tue, 25 Oct 2022 17:38:22 +0000 (17:38 +0000)
commit    cf773c9f1c21cd67fbb0475770b121d64bc5960f
tree      11cff86e6cbf6e1f47ec4ba3fa7f8d7c62e844d1
parent    e63f552a888e5d0f1746e23e077fb67969f09f72
Bug 31219: Prevent JS injection in patron extended attributes

We are sanitizing the other attributes but not "extended patron attributes".

Test plan:
Make a patron attribute editable at the OPAC.
Edit an existing patron, or register a new one.
Use a script tag in the new value ("<script>alert("booh!")</script>" for instance).
With this patch the value is removed if it contains an HTML tag that is
not br, b, i, em, big, small or strong (see C4::Scrubber).

Signed-off-by: Mark Hofstetter <koha@trust-box.at>
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
Signed-off-by: Lucas Gass <lucas@bywatersolutions.com>
opac/opac-memberentry.pl
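The check described in the test plan, reimplemented as an added illustration (this is not Koha's code; Koha applies C4::Scrubber in Perl): a submitted value is kept only if every tag it contains is in the br/b/i/em/big/small/strong allow list, otherwise the whole value is dropped. Rejecting attributes on otherwise allowed tags is an assumption added here, since an event handler on `<b>` would defeat the tag allow list on its own.

```python
from html.parser import HTMLParser

# Tags the commit message says C4::Scrubber lets through for this field.
ALLOWED_TAGS = {"br", "b", "i", "em", "big", "small", "strong"}


class TagCollector(HTMLParser):
    """Record every tag seen in the input, with the attributes it carried."""

    def __init__(self):
        super().__init__()
        self.seen = []  # list of (tag_name, [attribute names])

    def handle_starttag(self, tag, attrs):
        self.seen.append((tag, [name for name, _ in attrs]))

    def handle_endtag(self, tag):
        self.seen.append((tag, []))


def offending_markup(value):
    """Return a sorted list describing why the value would be rejected.

    An entry is the bare tag name when the tag itself is not allowed, or
    'tag@attr' when an allowed tag carries an attribute (assumption: the
    scrubber allows no attributes at all on these inline tags).
    """
    parser = TagCollector()
    parser.feed(value)
    parser.close()
    problems = set()
    for tag, attr_names in parser.seen:
        if tag not in ALLOWED_TAGS:
            problems.add(tag)
        else:
            problems.update(f"{tag}@{a}" for a in attr_names)
    return sorted(problems)


def sanitize_attribute(value):
    """Mirror the patch's behaviour: keep the value verbatim if it is clean,
    otherwise remove it entirely (empty string) rather than partially strip it."""
    return "" if offending_markup(value) else value


if __name__ == "__main__":
    # Constructed sample: the exact payload from the test plan.
    print(repr(sanitize_attribute('<script>alert("booh!")</script>')))  # ''
```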