Bug 16878: Fix XSS in opac-memberentry
authorJonathan Druart <jonathan.druart@bugs.koha-community.org>
Fri, 22 Jul 2016 07:30:54 +0000 (08:30 +0100)
committerBrendan Gallagher <brendan@bywatersolutions.com>
Thu, 4 Aug 2016 19:22:00 +0000 (19:22 +0000)
The vars are taken from the URL and sent to the template as is. They
must be escaped.

Test plan:
I have not managed to create the original issue, so there is no test
plan for the XSS fix, but you can confirm there is no regression.

Signed-off-by: Chris Cormack <chris@bigballofwax.co.nz>
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
Signed-off-by: Brendan Gallagher <brendan@bywatersolutions.com>
opac/opac-memberentry.pl

index b73ee1b..61cfaa1 100755 (executable)
@@ -21,6 +21,7 @@ use CGI qw ( -utf8 );
 use Digest::MD5 qw( md5_base64 md5_hex );
 use String::Random qw( random_string );
 use WWW::CSRF qw(generate_csrf_token check_csrf_token CSRF_OK);
+use HTML::Entities;
 
 use C4::Auth;
 use C4::Output;
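Review bot: The `HTML::Entities` import added here is used (second hunk, inside ParseCgiForBorrower, whose body is mostly outside this view) to entity-encode every `borrower_*` value at parse time, so the encoded form is what every consumer of `%borrower` receives, not just the template. If that hash is also what gets written to the borrowers table — likely for a member-entry script, but not visible here — names such as `O'Brien` would be stored as `O&#39;Brien`, and any field the template already runs through Template Toolkit's `| html` filter would be double-encoded on display. It also means validation or duplicate checks on `%borrower` compare against entity-encoded text rather than the submitted value. The usual fix is to keep `%borrower` raw and escape at the output layer, i.e. apply `| html` to the echoed fields in opac-memberentry.tt, which would make this import unnecessary.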
@@ -360,7 +361,7 @@ sub ParseCgiForBorrower {
     foreach ( $cgi->param ) {
         if ( $_ =~ '^borrower_' ) {
             my ($key) = substr( $_, 9 );
-            $borrower{$key} = $scrubber->scrub( $cgi->param($_) );
+            $borrower{$key} = HTML::Entities::encode( $scrubber->scrub( $cgi->param($_) ) );
         }
     }