[Koha-bugs] [Bug 7316] New: Missing escaping in search results
bugzilla-daemon at bugs.koha-community.org
Sun Dec 4 18:26:13 CET 2011
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=7316
Bug #: 7316
Summary: Missing escaping in search results
Classification: Unclassified
Change sponsored?: ---
Product: Koha
Version: unspecified
Platform: All
OS/Version: All
Status: ASSIGNED
Severity: critical
Priority: P1 - high
Component: Architecture, internals, and plumbing
AssignedTo: semarie-koha at latrappe.fr
ReportedBy: semarie-koha at latrappe.fr
QAContact: ian.walls at bywatersolutions.com
CC: paul.poulain at biblibre.com
In opac (and intranet), in search results, two parameters need escaping in title (HTML element):
- query_desc
- limit_desc
Impacted templates:
- koha-tmpl/intranet-tmpl/prog/en/modules/catalogue/results.tt
- koha-tmpl/opac-tmpl/prog/en/modules/opac-results-grouped.tt
- koha-tmpl/opac-tmpl/prog/en/modules/opac-results.tt
This is a security issue, as it could be used to perform XSS (I have tested).
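The following is an added example, not code from the Koha templates or from the reporter. It uses simplified, hypothetical stand-ins for the `<title>` line of the affected results templates and constructed sample values for `query_desc` and `limit_desc`, and shows the difference between interpolating those values raw and passing them through Template Toolkit's `html` filter, which is the mitigation for this class of bug.

```perl
#!/usr/bin/perl
# Added example (not Koha code): demonstrates why query_desc and limit_desc
# must be HTML-escaped before they are placed inside the <title> element.
use strict;
use warnings;
use Template;

# Constructed sample values standing in for the real query_desc / limit_desc
# parameters. The tags are benign; they only show that markup passes through
# untouched when no escaping is applied.
my %vars = (
    query_desc => 'kw,wrdl: <b>history</b>',
    limit_desc => ' branch: <i>Main</i>',
);

# Hypothetical, simplified versions of the <title> line; not the real
# template source. The first interpolates raw, the second applies the
# Template Toolkit 'html' filter, which escapes <, >, & and ".
my $vulnerable = '<title>Results of search for [% query_desc %][% limit_desc %]</title>';
my $hardened   = '<title>Results of search for [% query_desc | html %][% limit_desc | html %]</title>';

my $tt = Template->new() or die Template->error();

# Render a template held in a scalar and return the output as a string.
sub render {
    my ($template_text, $vars) = @_;
    my $out = '';
    $tt->process(\$template_text, $vars, \$out) or die $tt->error();
    return $out;
}

my $unsafe = render($vulnerable, \%vars);
my $safe   = render($hardened,  \%vars);

print "unsafe: $unsafe\n";   # raw <b> and <i> tags end up in the page
print "safe:   $safe\n";     # rendered as &lt;b&gt; ... &lt;/i&gt;

# Check a template test could reuse: after escaping, none of the markup
# from the user-controlled values survives in the rendered title.
die "markup leaked into <title>" if $safe =~ /<b>|<i>/;
print "ok: hardened template escapes both parameters\n";
```

Run it with `perl escape_title.pl` where the Template module is installed (Koha already depends on it). The same `| html` filter is what the listed templates need on both parameters; the check at the end is the kind of assertion a template regression test can use to confirm the escaping stays in place.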