Shifting this over the devel lists, where it can be discussed more fully.<br><br>Chris<br><br><div><span class="gmail_quote">On 3/7/08, <b class="gmail_sendername">Chris Hammond-Thrasher</b> <<a href="mailto:hammondthrasher_c@usp.ac.fj">hammondthrasher_c@usp.ac.fj</a>> wrote:</span><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
This could be a serious problem. Is this addressed in Koha 3? Are there any<br> checks for dangerous user input in Koha 2 or 3?<br> <br> -cht<br> <br><br> <br> Chris Hammond-Thrasher MLIS CISSP<br> Library Systems Manager<br>
University of the South Pacific<br> Suva, Fiji<br> +679 3232233<br> <a href="mailto:hammondthrasher_c@usp.ac.fj">hammondthrasher_c@usp.ac.fj</a><br> <br><br> -----Original Message-----<br> From: <a href="mailto:koha-bounces@lists.katipo.co.nz">koha-bounces@lists.katipo.co.nz</a><br>
[mailto:<a href="mailto:koha-bounces@lists.katipo.co.nz">koha-bounces@lists.katipo.co.nz</a>] On Behalf Of Rick Welykochy<br> Sent: Thursday, 6 March 2008 12:39 PM<br> To: George Adams<br> Cc: <a href="mailto:koha@lists.katipo.co.nz">koha@lists.katipo.co.nz</a><br>
Subject: Re: [Koha] HTML not being encoded for display?<br> <br> <br>George Adams wrote:<br> <br> > For example, in the "Add a MARC Record" section, I can enter in a title<br> (tag 245c) of the following:<br>
><br> > My Book is <font size="+5">Great</font><br> ><br> > Sure enough, when the completed MARC record is submitted, the additem.pl<br> page will show the title with the word "Great" really big. Once added to<br>
the catalog, it will show up in the search engines with that word really big<br> as well.<br> ><br> > Surely everything entered by users and librarian in the OPAC and Intranet<br> sites should be HTML-encoded if it's going to be redisplayed, right? Did I<br>
miss some setting in the Administration menus that would disallow HTML from<br> being entered in a form, or is this a fairly big bug?<br> <br> <br> This is why Koha is susceptible to cross-site scripting attacks, as already<br>
raised by someone else on this list a few months back.<br> <br> Example:<br> <br> My book is <script>alert("Gotcha!")</script><br> <br> <br> cheers<br> rickw<br> <br> <br> <br> --<br> ________________________________________________________________<br>
Rick Welykochy || Praxis Services || Internet Driving Instructor<br> <br> A terrorist is someone who has a bomb but can't afford an air force.<br> -- William Blum<br> _______________________________________________<br>
Koha mailing list<br> <a href="mailto:Koha@lists.katipo.co.nz">Koha@lists.katipo.co.nz</a><br> <a href="http://lists.katipo.co.nz/mailman/listinfo/koha">http://lists.katipo.co.nz/mailman/listinfo/koha</a><br> </blockquote>
</div><br>
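The output encoding George asks about, as an added example written for this thread (not Koha's own code): the hypothetical <code>html_escape</code> and <code>render_title</code> helpers below escape a MARC title before it is placed in a page, so both sample titles from the thread are displayed as literal text instead of being rendered or executed.

```perl
#!/usr/bin/perl
# Added example, not Koha code: escape catalogue data before it is
# inserted into HTML so markup typed into a MARC field (245$c in the
# thread above) is shown literally rather than interpreted.
use strict;
use warnings;

# Minimal HTML escaper for element content and double-quoted attribute
# values. In Koha the same effect is normally obtained with HTML::Entities
# or Template Toolkit's "html" filter; this version makes the mapping explicit.
sub html_escape {
    my ($text) = @_;
    return '' unless defined $text;
    my %map = (
        '&' => '&amp;',  '<' => '&lt;',  '>' => '&gt;',
        '"' => '&quot;', "'" => '&#39;',
    );
    $text =~ s/([&<>"'])/$map{$1}/g;
    return $text;
}

# Hypothetical display helper: builds the fragment a result page would show.
sub render_title {
    my ($title) = @_;
    return '<span class="title">' . html_escape($title) . '</span>';
}

# Constructed sample inputs taken from the thread: the oversized-font
# demonstration and the script injection.
my @titles = (
    'My Book is <font size="+5">Great</font>',
    'My book is <script>alert("Gotcha!")</script>',
);

for my $t (@titles) {
    my $html = render_title($t);
    # Sanity check: the only angle brackets left belong to our own <span>.
    (my $inner = $html) =~ s{^<span class="title">(.*)</span>$}{$1}s;
    die "unescaped markup survived: $inner\n" if $inner =~ /[<>]/;
    print "$html\n";
}
```

Escaping at display time, as here, is the check that matters: rejecting input in the MARC editor would still leave records imported from other sources unprotected.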