[Koha-bugs] [Bug 33144] New: Authority lookup in advanced editor overencodes HTML

bugzilla-daemon at bugs.koha-community.org
Mon Mar 6 04:11:15 CET 2023


https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=33144

            Bug ID: 33144
           Summary: Authority lookup in advanced editor overencodes HTML
 Change sponsored?: ---
           Product: Koha
           Version: master
          Hardware: All
                OS: All
            Status: NEW
          Severity: normal
          Priority: P5 - low
         Component: Cataloging
          Assignee: koha-bugs at lists.koha-community.org
          Reporter: phil at chetcolibrary.org
        QA Contact: testopia at bugs.koha-community.org
                CC: jonathan.druart+koha at gmail.com,
                    m.de.rooy at rijksmuseum.nl
        Depends on: 26102

Bug 26102 prevented XSS via malicious authority records (which would have been
fun to exploit), but it did it by creating an HTML entity-encoded string and
then handing it to a function which expected to get text, not HTML. As a
result, if you look up the authority record for Simon & Schuster Audio (Firm)
from the advanced editor, you wind up putting Simon & Schuster Audio (Firm)
in your bib record.

Steps to reproduce:

1. Set EnableAdvancedCatalogingEditor to Enable
2. Edit any Topical Term authority record, and at the end of 150 subfield a add
(without the newlines, just offsetting it for easy copying)

 & Stuff </script><script>alert('boo ❤')</script>

3. Cataloging - Advanced Editor
4. Hit return in the editor to get a new line, type 650 and press tab three
times, then Ctrl+Shift+L
5. Search for the authority you edited, click Choose

Expected result:

The editor should show 650 _ 4 ‡aAbduction & Stuff </script><script>alert('boo
❤')</script>‡vDrama., since that's the text of the authority you selected.

Actual result:

The editor shows 650 _ 4 ‡aAbduction & Stuff </script>
<script>alert('boo ❤');</script>‡vDrama.


Referenced Bugs:

https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=26102
[Bug 26102] Javascript injection in intranet search