https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=17045 Chris Cormack <chris@bigballofwax.co.nz> changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |chris@bigballofwax.co.nz --- Comment #1 from Chris Cormack <chris@bigballofwax.co.nz> --- I think doing something with mana that biblibre is working on is a much better idea. Running stuff directly from a wiki that anyone can edit, is a hugely insecure idea. SELECT biblionumber, CONCAT('<script>alert\(\"',title,'\"\)</script>') AS Title FROM biblio ORDER BY biblionumber Is a safe but annoying one, it could easily be changed to run some much more dangerous js, or dump the persons sessionid etc. I would hope people are reading the sql they are cutting and pasting. -- You are receiving this mail because: You are watching all bug changes.