http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=7620 Chris Cormack <chris@bigballofwax.co.nz> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|Needs Signoff |Failed QA CC| |chris@bigballofwax.co.nz --- Comment #5 from Chris Cormack <chris@bigballofwax.co.nz> --- I like the idea of this patch, but unfortunately it adds an xss vulnerability. For example, if I searched on
<script type="text/javascript" src="http://link/to/evil.js"></script> that would be substituted and output (and run).
OPACNoResult is not piped through the html filter, because then it couldn't have links in it, so it's not a simple fix to just change that. Probably the easiest fix is to run the $query_kw through HTML::Scrubber before substituting it in the syspref. -- You are receiving this mail because: You are watching all bug changes.