[Koha-bugs] [Bug 33144] New: Authority lookup in advanced editor overencodes HTML
bugzilla-daemon at bugs.koha-community.org
Mon Mar 6 04:11:15 CET 2023
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=33144
Bug ID: 33144
Summary: Authority lookup in advanced editor overencodes HTML
Change sponsored?: ---
Product: Koha
Version: master
Hardware: All
OS: All
Status: NEW
Severity: normal
Priority: P5 - low
Component: Cataloging
Assignee: koha-bugs at lists.koha-community.org
Reporter: phil at chetcolibrary.org
QA Contact: testopia at bugs.koha-community.org
CC: jonathan.druart+koha at gmail.com,
m.de.rooy at rijksmuseum.nl
Depends on: 26102
Bug 26102 prevented XSS via malicious authority records (which would have been
fun to exploit), but it did it by creating an HTML entity-encoded string and
then handing it to a function which expected to get text, not HTML. As a
result, if you look up the authority record for Simon & Schuster Audio (Firm)
from the advanced editor, you wind up putting Simon &amp; Schuster Audio (Firm)
in your bib record.
Steps to reproduce:
1. Set EnableAdvancedCatalogingEditor to Enable
2. Edit any Topical Term authority record, and at the end of 150 subfield a add
(without the newlines, just offsetting it for easy copying)
& Stuff </script><script>alert('boo ❤')</script>
3. Cataloging - Advanced Editor
4. Hit return in the editor to get a new line, type 650 and press tab three
times, then Ctrl+Shift+L
5. Search for the authority you edited, click Choose
Expected result:
The editor should show 650 _ 4 ‡aAbduction & Stuff </script><script>alert('boo
❤')</script>‡vDrama. since that's the text of the authority you selected
Actual result:
The editor shows 650 _ 4 ‡aAbduction & Stuff </script>
<script>alert('boo ❤');</script>‡vDrama.
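The failure described above is the classic escape-once rule: a string escaped for an HTML sink must not be handed to an API that expects plain text, because that API will store (or escape again) the entities literally. The following is an added example, not Koha's code; the function names (insertSubfieldText, renderResultRow, chooseAuthority*) are hypothetical stand-ins for the advanced editor's APIs, and the heading string is constructed from the reproduction steps. It shows the escaped-for-display string leaking into the record, the corrected flow, and a small regression check that flags entity residue in field text.

```javascript
// Added example (not Koha's code): models the double-encoding behind bug 33144.
// All function names below are hypothetical stand-ins for the editor's APIs.

// Escape text for insertion into HTML markup (the kind of fix bug 26102 added).
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  })[ch]);
}

// Hypothetical stand-in for the editor's "insert subfield text" API: it expects
// plain text and copies it into the MARC record unchanged (no entity decoding).
function insertSubfieldText(record, tag, code, text) {
  return { ...record, [tag + code]: text };
}

// Hypothetical stand-in for rendering one authority search hit in the result
// list. This is an HTML sink, so escaping here is correct and still necessary.
function renderResultRow(heading) {
  return '<li class="authority-hit">' + escapeHtml(heading) + '</li>';
}

// Buggy flow: the string escaped for display is reused as the text payload,
// so the entities end up verbatim in the record ("Simon &amp; Schuster").
function chooseAuthorityBuggy(record, heading) {
  const escaped = escapeHtml(heading);            // fine for renderResultRow...
  return insertSubfieldText(record, '650', 'a', escaped); // ...wrong for a text API
}

// Fixed flow: raw heading goes to the text API; escaping happens only at the
// HTML sink (renderResultRow), once, at the moment markup is built.
function chooseAuthorityFixed(record, heading) {
  return insertSubfieldText(record, '650', 'a', heading);
}

// Regression check: MARC field text should never carry the entities an HTML
// escaper produces; their presence is the signature of this bug.
function hasStrayHtmlEntities(text) {
  return /&(amp|lt|gt|quot|#39);/.test(text);
}

// Constructed sample heading, taken from the reproduction steps above.
const heading = "Abduction & Stuff </script><script>alert('boo ❤')</script>";

const buggy = chooseAuthorityBuggy({}, heading);
const fixed = chooseAuthorityFixed({}, heading);
console.log('buggy 650$a :', buggy['650a']);
console.log('fixed 650$a :', fixed['650a']);
console.log('result row  :', renderResultRow(heading));
console.log('stray entities in buggy/fixed:',
  hasStrayHtmlEntities(buggy['650a']), hasStrayHtmlEntities(fixed['650a']));
```

Run it with `node` and compare the two record values: the buggy one contains `&amp;` and `&lt;/script&gt;`, the fixed one is byte-for-byte the authority heading, while the rendered result row still contains no live `<script` tag, which is what the original fix from bug 26102 has to keep guaranteeing.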
Referenced Bugs:
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=26102
[Bug 26102] Javascript injection in intranet search