[Koha-bugs] [Bug 7620] OPACNoResult, add search string to available parameters
bugzilla-daemon at bugs.koha-community.org
Mon Apr 9 12:36:14 CEST 2012
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=7620
Chris Cormack <chris at bigballofwax.co.nz> changed:
What            |Removed            |Added
----------------------------------------------------------------------------
Status          |Needs Signoff      |Failed QA
CC              |                   |chris at bigballofwax.co.nz
--- Comment #5 from Chris Cormack <chris at bigballofwax.co.nz> ---
I like the idea of this patch, but unfortunately it adds an XSS vulnerability.
For example, if I searched on
><script type="text/javascript" src="http://link/to/evil.js"></script> that would be substituted and output (and run).
OPACNoResult is not piped through the html filter, because then it couldn't have links in it, so it's not a simple fix to just change that.
Probably the easiest fix is to run the $query_kw through HTML::Scrubber before substituting it in the syspref.
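The fix Chris suggests, as an added example that is not Koha's own code: scrub only the user-supplied search string with HTML::Scrubber before it is substituted, so the syspref text keeps its own links while the query cannot carry tags. The syspref text and the {QUERY_KW} placeholder name are constructed for the example.

```perl
#!/usr/bin/perl
# Added example (not Koha's code). Assumes the syspref text uses a
# {QUERY_KW} placeholder for the search string; the template is constructed.
use strict;
use warnings;
use HTML::Scrubber;

# Constructed OPACNoResult text: it legitimately contains a link, which is
# why the whole syspref cannot simply be run through the html filter.
my $opac_no_result = '<p>No results for "{QUERY_KW}". '
    . 'Try <a href="/cgi-bin/koha/opac-search.pl">another search</a>.</p>';

# Vulnerable pattern: the raw search string is interpolated into the HTML.
sub render_unsafe {
    my ($tmpl, $query_kw) = @_;
    (my $html = $tmpl) =~ s/\{QUERY_KW\}/$query_kw/g;
    return $html;
}

# Hardened pattern: strip every tag from the search string first.
# HTML::Scrubber with no allow list removes all tags from its input;
# the syspref's own <a> survives because only $query_kw is scrubbed.
my $scrubber = HTML::Scrubber->new;

sub render_scrubbed {
    my ($tmpl, $query_kw) = @_;
    my $clean = $scrubber->scrub($query_kw);
    (my $html = $tmpl) =~ s/\{QUERY_KW\}/$clean/g;
    return $html;
}

# Constructed input of the kind described in the bug comment.
my $query_kw = '><script type="text/javascript" src="http://link/to/evil.js"></script>';

print "unsafe:   ", render_unsafe($opac_no_result, $query_kw),   "\n";
print "scrubbed: ", render_scrubbed($opac_no_result, $query_kw), "\n";
```

The first line shows the script tag landing verbatim inside the page; the second shows the same template with the search string's tags removed and the syspref's link intact.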