https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=26606 --- Comment #5 from David Cook <dcook@prosentient.com.au> --- (In reply to Phil Ringnalda from comment #4)
A bug (not this bug) about properly escaping authtypecode everywhere it is used really ought to exist
In this case, I think a lot of those "html" filters were added by an automated script to add XSS protection. Not sure why the value would've had a "url" filter instead of a "uri" filter. Probably just human error.
I'm unable to come up with any scenario where it would be valuable to URI-escape the quote that starts the XSS attack as %22 so it would be carefully passed through to the search that reloads after a deletion rather than HTML-escaping it as " and letting UA error handling deal with a bogus " URI param.
I do not understand what you're trying to say here. As for my earlier comment, I was saying that we should be using uri filters instead of html filters when URI building. But yes not in this bug. -- You are receiving this mail because: You are watching all bug changes.