From 242ea9f55465c462b66caaf6fc260c4d738d07a3 Mon Sep 17 00:00:00 2001
From: Rogan Hamby
Date: Thu, 3 Dec 2020 08:55:35 -0500
Subject: [PATCH] lplp1869971 use HTML::Defang to clean incoming via org unit setting
---
 Open-ILS/src/perlmods/lib/OpenILS/Application/Actor.pm | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/Open-ILS/src/perlmods/lib/OpenILS/Application/Actor.pm b/Open-ILS/src/perlmods/lib/OpenILS/Application/Actor.pm
index 5d85c7994c..061568e1f6 100644
--- a/Open-ILS/src/perlmods/lib/OpenILS/Application/Actor.pm
+++ b/Open-ILS/src/perlmods/lib/OpenILS/Application/Actor.pm
@@ -40,6 +40,7 @@ use OpenILS::Utils::BadContact;
 use List::Util qw/max reduce/;
 use UUID::Tiny qw/:std/;
+use HTML::Defang;
 sub initialize {
 OpenILS::Application::Actor::Container->initialize();
@@ -209,11 +210,13 @@ sub set_ou_settings {
 my $e = new_editor(authtoken => $auth, xact => 1);
 return $e->die_event unless $e->checkauth;
+ my $defang = HTML::Defang->new;
 my $all_allowed = $e->allowed("UPDATE_ORG_UNIT_SETTING_ALL", $org_id);
 for my $name (keys %$settings) {
 my $val = $$settings{$name};
+ if ($name = 'opac.patron.custom_css') { $val = $defang->defang($val); }
 my $type = $e->retrieve_config_org_unit_setting_type([
 $name,
--
2.11.0
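Review bot: The added condition `if ($name = 'opac.patron.custom_css')` in set_ou_settings assigns instead of comparing, so it is always true and overwrites `$name` on every pass through the loop. As written, every setting's value goes through `$defang->defang`, and the `retrieve_config_org_unit_setting_type([ $name, ...` lookup that follows sees 'opac.patron.custom_css' for all settings; that would presumably also steer the per-setting permission check and the write later in the loop, which continues outside the hunk. It should read `if ($name eq 'opac.patron.custom_css') { $val = $defang->defang($val); }`. Separately, HTML::Defang is an HTML sanitiser and this value is CSS, so a test with representative stylesheet input (and with an undefined value, if callers can pass one) would show whether the result is both safe where it is embedded and still usable.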