http://bugs.koha.org/cgi-bin/bugzilla3/show_bug.cgi?id=3652 Summary: XSS vulnerabilities Product: Koha Version: rel_3_2 Platform: All OS/Version: All Status: NEW Severity: critical Priority: P5 Component: Templates AssignedTo: mjr@ttllp.co.uk ReportedBy: mjr@ttllp.co.uk Estimated Hours: 0.0 Change sponsored?: --- Koha has several XSS attack opportunities. There are two approaches to fixing this: 1. identify and ESCAPE="HTML" (or URL or JS) all places in the templates which are vulnerable; 2. set default_escape => "HTML" in C4::Output and identify the places in the templates which require ESCAPE="0" (unescaped) output. 1 (default permit) seems less secure than 2. 2 will break some things in the short term. This seems like a generalisation of bug #2690. -- Configure bugmail: http://bugs.koha.org/cgi-bin/bugzilla3/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are watching all bug changes.