[Koha-bugs] [Bug 6632] New: [security] XXS on list name (on admin part)

Tue Jul 26 11:28:52 CEST 2011

http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=6632

             Bug #: 6632
           Summary: [security] XXS on list name (on admin part)
    Classification: Unclassified
 Change sponsored?: ---
           Product: Koha
           Version: rel_3_4
          Platform: All
        OS/Version: All
            Status: NEW
          Severity: normal
          Priority: P5
         Component: Templates
        AssignedTo: oleonard at myacpl.org
        ReportedBy: semarie-koha at latrappe.fr
         QAContact: koha-bugs at lists.koha-community.org

There are 3 XXS on the lists detail page, for the shelve name parameter, on the
staff part.

In order to test:
 1. on opac, create a new list named 'a <blink>simple</blink> list'
 2. log as admin on staff part.
 3. go to Lists
 4. select the list named 'a <blink>simple</blink> list' (no XXS here)
 5. the 'simple' word *blink* on 3 places

The issue is mitigated by the fact that the list of Shelve display the code,
and the admin should see it before trigger the XSS.

-- 
Configure bugmail: http://bugs.koha-community.org/bugzilla3/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the QA Contact for the bug.