https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=33144 Bug ID: 33144 Summary: Authority lookup in advanced editor overencodes HTML Change sponsored?: --- Product: Koha Version: master Hardware: All OS: All Status: NEW Severity: normal Priority: P5 - low Component: Cataloging Assignee: koha-bugs@lists.koha-community.org Reporter: phil@chetcolibrary.org QA Contact: testopia@bugs.koha-community.org CC: jonathan.druart+koha@gmail.com, m.de.rooy@rijksmuseum.nl Depends on: 26102 Bug 26102 prevented XSS via malicious authority records (which would have been fun to exploit), but it did it by creating an HTML entity-encoded string and then handing it to a function which expected to get text, not HTML. As a result, if you look up the authority record for Simon & Schuster Audio (Firm) from the advanced editor, you wind up putting Simon & Schuster Audio (Firm) in your bib record. Steps to reproduce: 1. Set EnableAdvancedCatalogingEditor to Enable 2. Edit any Topical Term authority record, and at the end of 150 subfield a add (without the newlines, just offsetting it for easy copying) & Stuff </script><script>alert('boo ❤')</script> 3. Cataloging - Advanced Editor 4. Hit return in the editor to get a new line, type 650 and press tab three times, then Ctrl+Shift+L 5. Search for the authority you edited, click Choose Expected result: The editor should show 650 _ 4 ‡aAbduction & Stuff </script><script>alert('boo ❤')</script>‡vDrama. since that's the text of the authority you selected Actual result: The editor shows 650 _ 4 ‡aAbduction & Stuff </script> <script>alert('boo ❤');</script>‡vDrama. Referenced Bugs: https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=26102 [Bug 26102] Javascript injection in intranet search -- You are receiving this mail because: You are the assignee for the bug. You are watching all bug changes.