26 Nov
2013
26 Nov
'13
4:40 p.m.
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=11307 --- Comment #1 from Chris Cormack <chris@bigballofwax.co.nz> --- Created attachment 23164 --> http://bugs.koha-community.org/bugzilla3/attachment.cgi?id=23164&action=edit Bug 11307 : Potential XSS attack in rss feed To test: 1/ Craft a url like /cgi-bin/koha/opac-search.pl?q=a&count=50"'<h1>test</h1>&sort_by=acqdate_dsc&format=rss2 2/ look at the source, notice <opensearch:itemsPerPage>50"'<h1>test</h1></opensearch:itemsPerPage> 3/ apply the patch, and reload url 4/ source now contains <opensearch:itemsPerPage>50"'<h1>test</h1></opensearch:itemsPerPage> -- You are receiving this mail because: You are watching all bug changes.