[Koha] HTML not being encoded for display?

Chris Cormack chris at bigballofwax.co.nz
Fri Mar 7 12:07:40 NZDT 2008


Shifting this over to the devel lists, where it can be discussed more fully.

Chris

On 3/7/08, Chris Hammond-Thrasher <hammondthrasher_c at usp.ac.fj> wrote:
>
> This could be a serious problem. Is this addressed in Koha 3? Are there
> any checks for dangerous user input in Koha 2 or 3?
>
> -cht
>
>
>
> Chris Hammond-Thrasher  MLIS CISSP
> Library Systems Manager
> University of the South Pacific
> Suva, Fiji
> +679 3232233
> hammondthrasher_c at usp.ac.fj
>
>
> -----Original Message-----
> From: koha-bounces at lists.katipo.co.nz
> [mailto:koha-bounces at lists.katipo.co.nz] On Behalf Of Rick Welykochy
> Sent: Thursday, 6 March 2008 12:39 PM
> To: George Adams
> Cc: koha at lists.katipo.co.nz
> Subject: Re: [Koha] HTML not being encoded for display?
>
>
> George Adams wrote:
>
> > For example, in the "Add a MARC Record" section, I can enter in a title
> > (tag 245c) of the following:
> >
> >    My Book is <font size="+5">Great</font>
> >
> > Sure enough, when the completed MARC record is submitted, the additem.pl
> > page will show the title with the word "Great" really big.  Once added to
> > the catalog, it will show up in the search engines with that word really
> > big as well.
> >
> > Surely everything entered by users and librarians in the OPAC and Intranet
> > sites should be HTML-encoded if it's going to be redisplayed, right?  Did
> > I miss some setting in the Administration menus that would disallow HTML
> > from being entered in a form, or is this a fairly big bug?
>
>
> This is why Koha is susceptible to cross-site scripting attacks, as already
> raised by someone else on this list a few months back.
>
> Example:
>
> My book is <script>alert("Gotcha!")</script>
>
>
> cheers
> rickw
>
>
>
> --
> ________________________________________________________________
> Rick Welykochy || Praxis Services || Internet Driving Instructor
>
> A terrorist is someone who has a bomb but can't afford an air force.
>       -- William Blum
> _______________________________________________
> Koha mailing list
> Koha at lists.katipo.co.nz
> http://lists.katipo.co.nz/mailman/listinfo/koha
>
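The fix George and Rick are asking for is output encoding: whatever sits in the MARC field is stored as-is and is entity-escaped at the moment the template prints it, so the browser shows `<font>` or `<script>` as literal text instead of interpreting it. The following is an added illustration written for this thread, not code from Koha or from any of the posters; the two sample titles are the ones quoted above, the third is constructed, and `render_title_cell` / `render_title_input` are hypothetical stand-ins for a template line that prints the 245$c value in element content and in an attribute. It also shows why encoding beats a blacklist: a filter that only removes `<script>` leaves the `<font>` example untouched.

```python
import html
import re

# Constructed sample titles; the first two are the inputs quoted in the thread.
SAMPLE_TITLES = [
    'My Book is <font size="+5">Great</font>',
    'My book is <script>alert("Gotcha!")</script>',
    'Plain title & ampersand',
]


def escape_for_html_text(value):
    """Encode a string so a browser shows it as literal text.

    html.escape turns &, <, >, " and ' into entities, which covers element
    content and double- or single-quoted attribute values.
    """
    return html.escape(value, quote=True)


def render_title_cell(title):
    """Hypothetical stand-in for a template line that prints the 245$c value.

    Escaping happens here, at output time; the stored MARC data is not altered.
    """
    return '<td class="title">%s</td>' % escape_for_html_text(title)


def render_title_input(title):
    """Same value redisplayed inside an attribute (e.g. an edit form)."""
    return '<input type="text" name="title" value="%s">' % escape_for_html_text(title)


def strip_script_tags(value):
    """Deliberately inadequate filter, shown only to contrast with encoding:
    it removes <script>...</script> but leaves every other tag in place."""
    return re.sub(r'(?is)<script\b.*?</script>', '', value)


def escaped_region_is_inert(title):
    """True when nothing in the escaped value can still open a tag or break out
    of a double-quoted attribute."""
    escaped = escape_for_html_text(title)
    return '<' not in escaped and '>' not in escaped and '"' not in escaped


def round_trips(title):
    """Encoding on output keeps the stored data intact: unescaping the rendered
    entities returns exactly the original string."""
    return html.unescape(escape_for_html_text(title)) == title


def check_all(titles=SAMPLE_TITLES):
    """Per title: the escaped form, whether it is inert, whether it round-trips,
    and whether the tag-stripping approach would still leave a tag behind."""
    results = {}
    for t in titles:
        results[t] = {
            'escaped': escape_for_html_text(t),
            'inert': escaped_region_is_inert(t),
            'round_trips': round_trips(t),
            'tag_survives_stripping': '<' in strip_script_tags(t),
        }
    return results


if __name__ == '__main__':
    for title, r in check_all().items():
        print(render_title_cell(title))
        print(render_title_input(title))
        print('  inert=%s round_trips=%s tag_survives_stripping=%s' % (
            r['inert'], r['round_trips'], r['tag_survives_stripping']))
```

Because the escaping is applied by the rendering code rather than the input form, a title that legitimately contains `&` or `<` is still stored and searched correctly, and every page that displays the field is protected whether or not the value came through a validated form.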