|
| From: | Chris Cormack |
| Subject: | [Koha-devel] Re: [Koha] HTML not being encoded for display? |
| Date: | Fri, 7 Mar 2008 12:07:40 +1300 |
This could be a serious problem. Is this addressed in Koha 3? Are their any
checks for dangerous user input in Koha 2 or 3?
-cht
Chris Hammond-Thrasher MLIS CISSP
Library Systems Manager
University of the South Pacific
Suva, Fiji
+679 3232233
address@hidden
-----Original Message-----
From: address@hidden
[mailto:address@hidden] On Behalf Of Rick Welykochy
Sent: Thursday, 6 March 2008 12:39 PM
To: George Adams
Cc: address@hidden
Subject: Re: [Koha] HTML not being encoded for display?
George Adams wrote:
> For example, in the "Add a MARC Record" section, I can enter in a title
(tag 245c) of the following:
>
> My Book is <font size="+5">Great</font>
>
> Sure enough, when the completed MARC record is submitted, the additem.pl
page will show the title with the word "Great" really big. Once added to
the catalog, it will show up in the search engines with that word really big
as well.
>
> Surely everything entered by users and librarian in the OPAC and Intranet
sites should be HTML-encoded if it's going to be redisplayed, right? Did I
miss some setting in the Administration menus that would disallow HTML from
being entered in a form, or is this a fairly big bug?
This is why Koha is susceptible to cross-site scripting attacks, as already
raised by someone else on this list a few months back.
Example:
My book is <script>alert("Gotcha!")</script>
cheers
rickw
--
________________________________________________________________
Rick Welykochy || Praxis Services || Internet Driving Instructor
A terrorist is someone who has a bomb but can't afford an air force.
-- William Blum
_______________________________________________
Koha mailing list
address@hidden
http://lists.katipo.co.nz/mailman/listinfo/koha
_______________________________________________
Koha mailing list
address@hidden
http://lists.katipo.co.nz/mailman/listinfo/koha
| [Prev in Thread] | Current Thread | [Next in Thread] |