Joe Atzberger wrote:

> For user submitted data, yes, Koha should attend to sanitizing it. But that's not the question here.

Yes it should. An example is the "make a suggestion" page, at /cgi-bin/koha/opac-suggestions.pl in Koha/2.2.9. A rogue user can enter HTML into a suggestion and that input is not filtered. A librarian reading the suggestion could then become a victim of XSS. Google for cross site scripting for more info. It is a relatively misunderstood problem that is difficult to deal with in a consistent and reliable manner.

cheers
rickw

--
________________________________________________________________
Rick Welykochy || Praxis Services || Internet Driving Instructor

A terrorist is someone who has a bomb but can't afford an air force.
-- William Blum
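The failure mode described in the message above, shown as an added example that is not part of this thread and not Koha's own code (opac-suggestions.pl is Perl; this is a Python illustration of the same pattern). The suggestion text, the function names and the `<li>` wrapper are constructed for the example. The vulnerable renderer interpolates the patron's text straight into the HTML the librarian's browser will parse; the safe renderer is identical except that it output-encodes the text for the HTML text context. A small checker then verifies whether any user-controlled markup survives in the rendered fragment, which is the kind of assertion a regression test for this page could carry.

```python
import html
import re

# Constructed sample input: what a malicious OPAC user might type into the
# "make a suggestion" form. Hypothetical value, not taken from the page.
SAMPLE_SUGGESTION = 'Please buy <b>this</b> book <script>alert(document.cookie)</script>'

# Tags contributed by the wrapper itself: <li ...> and </li>.
WRAPPER_TAG_COUNT = 2


def render_suggestion_unescaped(text: str) -> str:
    """Vulnerable pattern: user text dropped into an HTML fragment unchanged.
    Every tag the patron typed is still a tag when the librarian views it."""
    return f'<li class="suggestion">{text}</li>'


def render_suggestion_escaped(text: str) -> str:
    """Safe pattern: encode for the HTML text context before interpolating.
    quote=True also encodes quotes, so the same helper is safe inside an
    attribute value, which is the usual second place this mistake is made."""
    return f'<li class="suggestion">{html.escape(text, quote=True)}</li>'


# Anything the browser would treat as the start of an element.
TAG_RE = re.compile(r'<\s*/?\s*[A-Za-z][^>]*>')


def user_markup_leaked(fragment: str) -> bool:
    """True if the rendered fragment carries more tags than the wrapper
    supplies, i.e. patron-controlled markup reached the output."""
    return len(TAG_RE.findall(fragment)) > WRAPPER_TAG_COUNT


if __name__ == "__main__":
    for name, renderer in (("unescaped", render_suggestion_unescaped),
                           ("escaped", render_suggestion_escaped)):
        out = renderer(SAMPLE_SUGGESTION)
        print(f"{name:>9}: leaked={user_markup_leaked(out)}  {out}")
```

The point the check makes is that filtering on input ("sanitizing") is not where the reliable fix lives: the safe renderer does not try to recognise bad input at all, it encodes every suggestion the same way at output time, so the result is correct regardless of what the patron typed.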