George, Rick and all --<br><br>In short, no, MARC record subfields should not be HTML encoded. MARC is not a subset of HTML, and you can't just substitute &amp;entities or suppress &lt;tags&gt; and expect everything to be OK. If you are worried about a library's professional catalogers dropping javascript exploits into MARC fields, you have much worse problems than any ILS can solve for you. Don't give staff access, let alone catalog access, to such people. On the plus side, congratulations, you have catalogers that can code!<br>
<br>For user-submitted data, yes, Koha should attend to sanitizing it. But that's not the question here.<br><br>--joe atzberger<br><br><br><div class="gmail_quote">On Wed, Mar 5, 2008 at 7:39 PM, Rick Welykochy &lt;<a href="mailto:rick@praxis.com.au">rick@praxis.com.au</a>&gt; wrote:<br>
<blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;"><div class="Ih2E3d">George Adams wrote:<br>
<br>
> For example, in the "Add a MARC Record" section, I can enter in a title (tag 245c) of the following:<br>
><br>
> My Book is &lt;font size="+5"&gt;Great&lt;/font&gt;<br>
><br>
> Sure enough, when the completed MARC record is submitted, the additem.pl page will show the title with the word "Great" really big. Once added to the catalog, it will show up in the search engines with that word really big as well.<br>
><br>
> Surely everything entered by users and librarians in the OPAC and Intranet sites should be HTML-encoded if it's going to be redisplayed, right? Did I miss some setting in the Administration menus that would disallow HTML from being entered in a form, or is this a fairly big bug?<br>
<br>
<br>
</div>This is why Koha is susceptible to cross-site scripting attacks, as already<br>
raised by someone else on this list a few months back.<br>
<br>
Example:<br>
<br>
My book is &lt;script&gt;alert("Gotcha!")&lt;/script&gt;<br>
<br>
cheers<br>
rickw<font color="#888888"><br></font></blockquote></div><br>
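An added example, not part of this thread and not Koha's own code: it keeps the 245 subfield text raw in the record and HTML-encodes it only when a page is written, then shows the double encoding that results if the stored data had been encoded on input. The helper names `html_out` and `render_title` and the sample records are constructed for illustration; `HTML::Entities` is the CPAN module from the HTML-Parser distribution.

```perl
#!/usr/bin/perl
# Added example (not Koha code): store MARC subfield data as typed,
# HTML-encode it only at the moment it is placed into a page.
use strict;
use warnings;
use HTML::Entities qw(encode_entities);

# Constructed sample records: tag 245 subfields as a cataloguer entered them.
my @records = (
    { a => 'My Book is <font size="+5">Great</font>' },
    { a => 'My book is <script>alert("Gotcha!")</script>' },
    { a => 'Cats & Dogs', c => q{by A. O'Neil} },
);

# Hypothetical display helper: encode the five HTML-significant characters.
# Called in non-void context, encode_entities returns an encoded copy and
# leaves its argument untouched, so the stored value is never modified.
sub html_out {
    my ($text) = @_;
    return encode_entities($text, q{<>&"'});
}

# Hypothetical renderer for one search-result row. Every subfield passes
# through html_out, so markup in the data is displayed, not interpreted.
sub render_title {
    my ($rec) = @_;
    my @parts = map  { html_out($rec->{$_}) }
                grep { defined $rec->{$_} } qw(a b c);
    return '<li class="title">' . join(' ', @parts) . '</li>';
}

print render_title($_), "\n" for @records;

# Why the encoding belongs at output rather than in the stored record:
# a value encoded on input and encoded again on display is double-encoded,
# and any non-HTML consumer of the record would see entities, not text.
my $encoded_on_input = html_out('Cats & Dogs');
print "stored pre-encoded, then displayed: ", html_out($encoded_on_input), "\n";
```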