http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=11322 Bug ID: 11322 Summary: Suggestion "notes" field should be sanitized or escaped Change sponsored?: --- Product: Koha Version: master Hardware: All OS: All Status: NEW Severity: major Priority: P5 - low Component: Acquisitions Assignee: koha-bugs@lists.koha-community.org Reporter: abl@biblos.pk.edu.pl QA Contact: testopia@bugs.koha-community.org It's possible for patron to make purchase suggestion from OPAC with html/javascript code within Notes: field. Such injected JS code will be stored in the database, and in certain circumstances (when managing suggestions in acquisition) it may got subsequently executed in staff WWW browser. Other suggestion fields may be affected as well, but the problem with 'notes' is potentially more severe because it's a long field - more elaborate "evil" script will fit into it. -- You are receiving this mail because: You are the assignee for the bug. You are watching all bug changes.