[Bug 36385] New: HTML escaped via JavaScript should encode all entities
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=36385 Bug ID: 36385 Summary: HTML escaped via JavaScript should encode all entities Change sponsored?: --- Product: Koha Version: master Hardware: All OS: All Status: NEW Severity: enhancement Priority: P5 - low Component: Architecture, internals, and plumbing Assignee: koha-bugs@lists.koha-community.org Reporter: kyle@bywatersolutions.com QA Contact: testopia@bugs.koha-community.org In staff-global.js, we have a function escape_str. This function only encodes a tiny subset of html characters. We should use https://github.com/mathiasbynens/he to encode the full set of html entities. -- You are receiving this mail because: You are watching all bug changes. You are the assignee for the bug.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=36385 Kyle M Hall <kyle@bywatersolutions.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Depends on| |36382 -- You are receiving this mail because: You are the assignee for the bug. You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=36385 Kyle M Hall <kyle@bywatersolutions.com> changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |kyle@bywatersolutions.com -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=36385 Phil Ringnalda <phil@chetcolibrary.org> changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |phil@chetcolibrary.org -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=36385 David Cook <dcook@prosentient.com.au> changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |dcook@prosentient.com.au -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=36385 --- Comment #1 from David Cook <dcook@prosentient.com.au> --- (In reply to Kyle M Hall from comment #0)
In staff-global.js, we have a function escape_str. This function only encodes a tiny subset of html characters. We should use https://github.com/mathiasbynens/he to encode the full set of html entities.
In theory, escape_str might work as a "HtmlAttributeEncode" method if it were to include double quotes, single quotes, ampersands, and angle brackets. But I think we're trying to use it in context where a full HTML entity encode is needed. Overall, I think we should be writing better Javascript, but adding layers of protection is useful I think. -- You are receiving this mail because: You are the assignee for the bug. You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=36385 Bug 36385 depends on bug 36382, which changed state. Bug 36382 Summary: XSS in showLastPatron dropdown https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=36382 What |Removed |Added ---------------------------------------------------------------------------- Status|Pushed to stable |RESOLVED Resolution|--- |FIXED -- You are receiving this mail because: You are the assignee for the bug. You are watching all bug changes.
participants (1)
-
bugzilla-daemon@bugs.koha-community.org