[Koha-bugs] [Bug 11307] Potential XSS attack vector in opac rss feed
bugzilla-daemon at bugs.koha-community.org
bugzilla-daemon at bugs.koha-community.org
Tue Nov 26 18:42:19 CET 2013
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=11307
Martin Renvoize <martin.renvoize at ptfs-europe.com> changed:
What |Removed |Added
----------------------------------------------------------------------------
Attachment #23169|0 |1
is obsolete| |
Attachment #23170|0 |1
is obsolete| |
--- Comment #6 from Martin Renvoize <martin.renvoize at ptfs-europe.com> ---
Created attachment 23175
-->
http://bugs.koha-community.org/bugzilla3/attachment.cgi?id=23175&action=edit
[PASSED QA] Bug 11307 : Potential XSS attack in rss feed
To test:
1/ Craft a url like
/cgi-bin/koha/opac-search.pl?q=a&count=50"'<h1>test</h1>&sort_by=acqdate_dsc&format=rss2
2/ look at the source, notice
<opensearch:itemsPerPage>50"'<h1>test</h1></opensearch:itemsPerPage>
3/ apply the patch, and reload url
4/ source now contains
<opensearch:itemsPerPage>50"'<h1>test</h1></opensearch:itemsPerPage>
Signed-off-by: Mark Tompsett <mtompset at hotmail.com>
Signed-off-by: Martin Renvoize <martin.renvoize at ptfs-europe.com>
--
You are receiving this mail because:
You are watching all bug changes.
More information about the Koha-bugs
mailing list