Bug 11535: sanitize input from patron self-registration form

This patch adds the use of C4::Scrubber to the processing of input
from the patron self-registration form, thereby closing off one
avenue for Javascript injection.

To test:

[1] Use the OPAC self-registration form to enter a new patron,
    and set its address to something like:

    <span style="color: red;">BAD</span>

[2] In the staff interface, bring up the new patron record.  The
    address will show up in red, indicating a successful HTML
    injection.
[3] Apply the patch and use self-registration to enter a new
    patron with a similar case of unwanted HTML coding.
[4] Bring up the second patron in the staff interface.  This time,
    the undesirable HTML tag should not be present.

Signed-off-by: Galen Charlton <gmc@esilibrary.com>
Signed-off-by: Liz Rea <liz@catalyst.net.nz>
Tags are not present on testing.

Signed-off-by: Katrin Fischer <Katrin.Fischer.83@web.de>
Confirmed bug and that the patch fixes it.
Passes all tests and QA script.

Signed-off-by: Galen Charlton <gmc@esilibrary.com>

diff --git a/opac/opac-memberentry.pl b/opac/opac-memberentry.pl
index c5c84e0..76fd32b 100755 (executable)
--- a/opac/opac-memberentry.pl
+++ b/opac/opac-memberentry.pl
@@ -26,6 +26,7 @@ use C4::Output;
 use C4::Members;
 use Koha::Borrower::Modifications;
 use C4::Branch qw(GetBranchesLoop);
+use C4::Scrubber;
 
 my $cgi = new CGI;
 my $dbh = C4::Context->dbh;
@@ -276,12 +277,13 @@ sub CheckMandatoryFields {
 sub ParseCgiForBorrower {
     my ($cgi) = @_;
 
+    my $scrubber = C4::Scrubber->new();
     my %borrower;
 
     foreach ( $cgi->param ) {
         if ( $_ =~ '^borrower_' ) {
             my ($key) = substr( $_, 9 );
-            $borrower{$key} = $cgi->param($_);
+            $borrower{$key} = $scrubber->scrub( $cgi->param($_) );
         }
     }