1. Hit /cgi-bin/koha/members/moremember.pl?borrowernumber=xx<script>alert('amit')</script>.
xx - is a borrowernumber
2. Notice the java script is executed.
4. Apply patch.
5. Reload page, and hit the page again /cgi-bin/koha/members/moremember.pl?borrowernumber=xx<script>alert('amit')</script>.
xx - is a borrowernumber.
6. Notice it is no longer executed.
Signed-off-by: Chris Cormack <chris@bigballofwax.co.nz>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
use strict;
#use warnings; FIXME - Bug 2505
use CGI qw ( -utf8 );
+use HTML::Entities;
use C4::Context;
use C4::Auth;
use C4::Output;
}
);
my $borrowernumber = $input->param('borrowernumber');
+$borrowernumber = HTML::Entities::encode($borrowernumber);
my $error = $input->param('error');
$template->param( error => $error ) if ( $error );