http://bugs.koha.org/cgi-bin/bugzilla/show_bug.cgi?id=2026 Summary: Comments allow unsanitized input Product: Koha Version: HEAD Platform: PC URL: http://atz.dev.kohalibrary.com/cgi-bin/koha/opac- detail.pl?biblionumber=147# OS/Version: All Status: NEW Severity: major Priority: P3 Component: OPAC Comments AssignedTo: chris@bigballofwax.co.nz ReportedBy: joe.atzberger@liblime.com QAContact: koha-bugs@lists.koha.org Comments have totally unsanitized input. Not even the size is checked. We shouldn't be relying on a library aide to strip out CDATA and script links. Try this comment text (or see URL): Test link: <a href="http://google.com">google</a>. Test script: <script type="text/javascript">alert("This is a test");</script>. Of course, far more pernicious links and scripts could be injected. Human review is not the answer for this problem, in particular since several patches are in discussion to allow unmoderated comments. ------- You are receiving this mail because: ------- You are the QA contact for the bug, or are watching the QA contact.