[Koha-bugs] [Bug 2026] New: Comments allow unsanitized input
bugzilla-daemon at pippin.metavore.com
Thu Apr 17 20:25:48 CEST 2008
http://bugs.koha.org/cgi-bin/bugzilla/show_bug.cgi?id=2026
Summary: Comments allow unsanitized input
Product: Koha
Version: HEAD
Platform: PC
URL: http://atz.dev.kohalibrary.com/cgi-bin/koha/opac-detail.pl?biblionumber=147#
OS/Version: All
Status: NEW
Severity: major
Priority: P3
Component: OPAC Comments
AssignedTo: chris at bigballofwax.co.nz
ReportedBy: joe.atzberger at liblime.com
QAContact: koha-bugs at lists.koha.org
Comments have totally unsanitized input. Not even the size is checked. We
shouldn't be relying on a library aide to strip out CDATA and script links.
Try this comment text (or see URL):
Test link: <a href="http://google.com">google</a>.
Test script: <script type="text/javascript">alert("This is a test");</script>.
Of course, far more pernicious links and scripts could be injected. Human
review is not the answer for this problem, in particular since several patches
are in discussion to allow unmoderated comments.
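The two fixes the report asks for, a size check and server-side sanitization, shown as an added example that is not Koha's own code (Koha is written in Perl; this is a stand-alone Python illustration of the same checks). The 1000-character limit, the `CommentSizeError` name and the four-tag allowlist (`b`, `i`, `em`, `strong`) are assumptions chosen for the example; the two payloads are the ones quoted in the bug. `escape_comment` is the safest option (treat the whole comment as text); `scrub_comment` keeps a little inline formatting but drops every attribute, every `<a>`, and the entire contents of `<script>`/`<style>`, so neither the link nor the script in the report survives.

```python
import html
from html.parser import HTMLParser

# Assumed limit: the bug asks for a size check but does not name one.
MAX_COMMENT_LEN = 1000

# The two test comments quoted in the bug report.
PAYLOAD_LINK = 'Test link: <a href="http://google.com">google</a>.'
PAYLOAD_SCRIPT = ('Test script: <script type="text/javascript">'
                  'alert("This is a test");</script>.')


class CommentSizeError(ValueError):
    """Raised when a comment exceeds the configured length (name is assumed)."""


def check_size(text, limit=MAX_COMMENT_LEN):
    # Enforce the limit on the server; the form's maxlength is trivially bypassed.
    if len(text) > limit:
        raise CommentSizeError(f"comment of {len(text)} chars exceeds {limit}")
    return text


def escape_comment(text, limit=MAX_COMMENT_LEN):
    """Safest option: store the comment as text and escape every HTML metacharacter."""
    return html.escape(check_size(text, limit), quote=True)


class _AllowlistScrubber(HTMLParser):
    """Keep a few inline formatting tags (no attributes); drop everything else."""

    ALLOWED = {"b", "i", "em", "strong"}   # assumed allowlist; <a> deliberately absent
    DROP_CONTENT = {"script", "style"}     # text inside these is discarded, not just the tags

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.open_tags = []    # allowed tags currently open, so output stays balanced
        self.skip_depth = 0    # > 0 while inside <script>/<style>

    def handle_starttag(self, tag, attrs):
        if tag in self.DROP_CONTENT:
            self.skip_depth += 1
        elif tag in self.ALLOWED and self.skip_depth == 0:
            self.open_tags.append(tag)
            self.out.append(f"<{tag}>")   # attributes (onclick, href, ...) never copied
        # any other tag is removed; its text content is still kept

    def handle_endtag(self, tag):
        if tag in self.DROP_CONTENT:
            self.skip_depth = max(0, self.skip_depth - 1)
        elif tag in self.open_tags:
            # close everything opened after this tag so the result is well-formed
            while self.open_tags:
                closed = self.open_tags.pop()
                self.out.append(f"</{closed}>")
                if closed == tag:
                    break

    def handle_data(self, data):
        # Entities were decoded by the parser; re-escape so text stays text.
        if self.skip_depth == 0:
            self.out.append(html.escape(data, quote=True))

    def result(self):
        while self.open_tags:                      # close anything left dangling
            self.out.append(f"</{self.open_tags.pop()}>")
        return "".join(self.out)


def scrub_comment(text, limit=MAX_COMMENT_LEN):
    """Allowlist-based sanitizer: permits <b>, <i>, <em>, <strong> with no attributes."""
    parser = _AllowlistScrubber()
    parser.feed(check_size(text, limit))
    parser.close()
    return parser.result()


if __name__ == "__main__":
    for payload in (PAYLOAD_LINK, PAYLOAD_SCRIPT):
        print("escaped :", escape_comment(payload))
        print("scrubbed:", scrub_comment(payload))
```

Whichever variant is chosen, the check belongs on the save path (the script that stores the review), not in the template, so that unmoderated comments and moderated ones go through the same filter; the output must still be emitted in an HTML context, since the scrubbed form is intentionally a small HTML fragment.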