This could be a serious problem. Is this addressed in Koha 3? Are there any checks for dangerous user input in Koha 2 or 3?

-cht

Chris Hammond-Thrasher MLIS CISSP
Library Systems Manager
University of the South Pacific
Suva, Fiji
+679 3232233
hammondthrasher_c@usp.ac.fj

-----Original Message-----
From: koha-bounces@lists.katipo.co.nz [mailto:koha-bounces@lists.katipo.co.nz] On Behalf Of Rick Welykochy
Sent: Thursday, 6 March 2008 12:39 PM
To: George Adams
Cc: koha@lists.katipo.co.nz
Subject: Re: [Koha] HTML not being encoded for display?

George Adams wrote:

> For example, in the "Add a MARC Record" section, I can enter in a title (tag 245c) of the following:
>
> My Book is <font size="+5">Great</font>
>
> Sure enough, when the completed MARC record is submitted, the additem.pl page will show the title with the word "Great" really big. Once added to the catalog, it will show up in the search engines with that word really big as well.
>
> Surely everything entered by users and librarian in the OPAC and Intranet sites should be HTML-encoded if it's going to be redisplayed, right? Did I miss some setting in the Administration menus that would disallow HTML from being entered in a form, or is this a fairly big bug?

This is why Koha is susceptible to cross-site scripting attacks, as already raised by someone else on this list a few months back.

Example:

My book is <script>alert("Gotcha!")</script>

cheers
rickw

--
________________________________________________________________
Rick Welykochy || Praxis Services || Internet Driving Instructor

A terrorist is someone who has a bomb but can't afford an air force.
-- William Blum
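An added example, not Koha's own code, illustrating the output encoding George and Rick are asking for: a field such as 245c is HTML-encoded before it is redisplayed, and a detection pass flags stored records whose fields already carry markup. The record shape (a dict of tag/subfield strings to text) and the sample records are constructed for this example; the two titles are the ones from the thread.

```python
"""Added example (not Koha code): HTML-encode catalog fields before they are
redisplayed, and flag stored fields that already contain HTML elements.

Record shape assumed here (a construction for this example): a dict mapping
MARC tag/subfield strings such as "245c" to the stored text."""
import html
import re

# Constructed sample records; the first two titles are the ones from the thread.
SAMPLE_RECORDS = [
    {"245c": 'My Book is <font size="+5">Great</font>'},
    {"245c": 'My book is <script>alert("Gotcha!")</script>'},
    {"245c": "Plain title: 2 < 3 and A & B"},
]

# Matches an HTML start or end tag; a bare "<" in ordinary text (as in the
# third record) is not a tag and must not be flagged.
TAG_RE = re.compile(r"<\s*/?\s*[a-zA-Z][^>]*>")


def encode_for_display(value: str) -> str:
    """Return the field as inert text for an HTML page.

    html.escape turns <, >, &, " and ' into entities, so whatever was typed
    into the form is shown literally instead of being interpreted by the
    browser (the <font> and <script> examples render as visible text)."""
    return html.escape(value, quote=True)


def find_markup(records):
    """Detection pass over existing data: return (index, tag, value) for every
    stored field that contains an HTML element, so it can be reviewed."""
    hits = []
    for i, rec in enumerate(records):
        for tag, value in rec.items():
            if TAG_RE.search(value):
                hits.append((i, tag, value))
    return hits


if __name__ == "__main__":
    for rec in SAMPLE_RECORDS:
        print(encode_for_display(rec["245c"]))
    for i, tag, value in find_markup(SAMPLE_RECORDS):
        print(f"record {i} field {tag} contains markup: {value!r}")
```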