Bug 17028: Fix XSS in reserve/request.pl

Test plan:
Hit
  /cgi-bin/koha/reserve/request.pl?biblionumber=1"><script type="text/javascript">alert("XSS")</script>

=> Without this patch you will see the alert
=> With this patch, no more alert

Signed-off-by: Chris Cormack <chris@bigballofwax.co.nz>

Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>

Signed-off-by: Brendan Gallagher <brendan@bywatersolutions.com>

diff --git a/reserve/request.pl b/reserve/request.pl
index 8e1f458..1980abb 100755 (executable)
--- a/reserve/request.pl
+++ b/reserve/request.pl
@@ -212,6 +212,7 @@ my $borrowerinfo = GetMember( borrowernumber => $borrowernumber_hold );
 my $itemdata_enumchron = 0;
 my @biblioloop = ();
 foreach my $biblionumber (@biblionumbers) {
+    next unless $biblionumber =~ m|^\d+$|;
 
     my %biblioloopiter = ();