[Koha-bugs] [Bug 22268] New: Data displayed in request list datatable is not sanitized
bugzilla-daemon at bugs.koha-community.org
Mon Feb 4 14:59:10 CET 2019
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=22268
Bug ID: 22268
Summary: Data displayed in request list datatable is not sanitized
Change sponsored?: ---
Product: Koha
Version: master
Hardware: All
OS: All
Status: NEW
Severity: enhancement
Priority: P5 - low
Component: ILL
Assignee: koha-bugs at lists.koha-community.org
Reporter: andrew.isherwood at ptfs-europe.com
Target Milestone: ---
Request data displayed in the "Request view" or similar views is sanitized by
the html filter in the template. However, the main request list table is
generated via Datatables and is not sanitized. This can be demonstrated by
entering a malicious string, such as:
<script>alert('pwned');</script>
Into the request notes field, then displaying the requests table.
I've not yet investigated if column data that is generated via render functions
is affected, or whether it's just the columns that are passed through by
Datatables.
Investigate how this has been addressed elsewhere in Koha. Also, possible
mitigations can be seen here: https://datatables.net/manual/security
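As an added illustration (not part of this bug report or of Koha's own code), this is the kind of column renderer the DataTables security manual points to: a stand-alone equivalent of DataTables' built-in `render.text()` that escapes cell data for the display and filter contexts and leaves it raw for sorting. The request object and column list are constructed sample data; the notes value is the string from the report above.

```javascript
// Added example, not Koha code. Mirrors the behaviour of DataTables'
// built-in `DataTable.render.text()` without depending on jQuery/DataTables,
// so it runs under plain Node for illustration.

// Escape the five characters that matter inside HTML text and attribute values.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Column renderer factory. DataTables calls render(data, type, row) once per
// cell for each purpose: 'display' and 'filter' reach the DOM / search index
// and must be escaped; 'sort' and 'type' are used internally on raw data.
function renderText() {
  return function (data, type /*, row */) {
    if (data === null || data === undefined) return '';
    if (type === 'display' || type === 'filter') return escapeHtml(data);
    return data;
  };
}

// Constructed sample: an ILL request whose notes field holds the string from
// the bug report, plus column definitions in the shape DataTables expects.
const sampleRequest = {
  illrequest_id: 42,
  notes: "<script>alert('pwned');</script>",
};

const columns = [
  { data: 'illrequest_id' },                 // numeric, left raw
  { data: 'notes', render: renderText() },   // user-entered, escaped
];

// Apply the column definitions to one row for a given render type, the way
// DataTables does when it builds cells, filters, or sorts.
function renderRow(row, type) {
  return columns.map((col) => {
    const cell = row[col.data];
    return col.render ? col.render(cell, type, row) : cell;
  });
}
```

Passing the same row through `renderRow(sampleRequest, 'sort')` returns the unescaped notes, which is why a renderer that escapes only for 'display' and 'filter' keeps sorting correct while still neutralising markup in the table.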