[Koha] HTML not being encoded for display?
Rick Welykochy
rick at praxis.com.au
Thu Mar 6 16:22:51 NZDT 2008
Joe Atzberger wrote:
> For user submitted data, yes, Koha should attend to sanitizing it. But
> that's not the question here.
Yes it should. An example is the "make a suggestion" page, at
/cgi-bin/koha/opac-suggestions.pl
in Koha/2.2.9.
A rogue user can enter HTML into a suggestion and that input
is not filtered. A librarian reading the suggestion could then
become a victim of XSS.
Google for cross-site scripting for more info. It is a relatively
misunderstood problem that is difficult to deal with in a
consistent and reliable manner.
cheers
rickw
--
________________________________________________________________
Rick Welykochy || Praxis Services || Internet Driving Instructor
A terrorist is someone who has a bomb but can't afford an air force.
-- William Blum
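As an added illustration (not code from this post or from Koha, whose OPAC scripts are Perl), the Python block below contrasts rendering a stored suggestion's fields raw with HTML-encoding them at output time, and includes a small check that a reviewer could run over the rendered fragment. The sample submission is constructed; the Koha equivalent would be an encoding step in the view or template code.

```python
import html

# Constructed sample of a "make a suggestion" submission that carries
# markup in several fields, as a rogue user could type it into the form.
SAMPLE_SUGGESTION = {
    "title": "Moby Dick <script>alert(1)</script>",
    "author": 'Melville" title="injected',
    "note": "Please order <b>two</b> copies",
}


def render_suggestion_raw(suggestion):
    """Unsafe rendering: user fields are interpolated into HTML as-is,
    so tags and attribute breakouts reach the librarian's browser."""
    return (
        f'<tr><td>{suggestion["title"]}</td>'
        f'<td><input value="{suggestion["author"]}"></td>'
        f'<td>{suggestion["note"]}</td></tr>'
    )


def render_suggestion_escaped(suggestion):
    """Safe rendering: every user-supplied field is HTML-encoded when it
    is written out (quote=True also encodes " and ' for attribute values)."""
    esc = {k: html.escape(v, quote=True) for k, v in suggestion.items()}
    return (
        f'<tr><td>{esc["title"]}</td>'
        f'<td><input value="{esc["author"]}"></td>'
        f'<td>{esc["note"]}</td></tr>'
    )


def has_unescaped_markup(fragment, fields):
    """Review check: True if any user field containing <, > or " survived
    into the rendered fragment verbatim, i.e. was not encoded."""
    risky = (v for v in fields.values() if any(c in v for c in '<>"'))
    return any(v in fragment for v in risky)
```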