The vars are taken from the URL and sent to the template as is. They
must be escaped.
Test plan:
I have not managed to create the original issue, so there is no test
plan for the XSS fix, but you can confirm there is no regression.
Signed-off-by: Chris Cormack <chris@bigballofwax.co.nz>
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
Signed-off-by: Brendan Gallagher <brendan@bywatersolutions.com>
use Digest::MD5 qw( md5_base64 md5_hex );
use String::Random qw( random_string );
use WWW::CSRF qw(generate_csrf_token check_csrf_token CSRF_OK);
+use HTML::Entities;
use C4::Auth;
use C4::Output;
foreach ( $cgi->param ) {
if ( $_ =~ '^borrower_' ) {
my ($key) = substr( $_, 9 );
- $borrower{$key} = $scrubber->scrub( $cgi->param($_) );
+ $borrower{$key} = HTML::Entities::encode( $scrubber->scrub( $cgi->param($_) ) );
}
}
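Review bot: The escaping is applied at input time, in `$borrower{$key} = HTML::Entities::encode( $scrubber->scrub( $cgi->param($_) ) );`, so every consumer of `%borrower` now receives entity-encoded text; if the hash is also used to build or save the member record (not visible in this hunk), the entities would be stored rather than merely displayed escaped, and a template that already escapes its output would then double-encode. The safer shape is to keep the scrubbed value unencoded in the hash and escape at the output boundary, e.g. the template's html filter on each `borrower.*` variable, or encode only the copy passed to the template. The condition `$_ =~ '^borrower_'` uses a plain string as a pattern, which is allowed but obscures the intent; `m{\Aborrower_}` reads as the regex it is. The hunk's header and any code around the `foreach` are outside the visible lines, so where `%borrower` flows afterwards cannot be confirmed from here.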