[Koha-bugs] [Bug 8171] Improper escaping of quotes during z39.50 queries leads to broken html

bugzilla-daemon at bugs.koha-community.org bugzilla-daemon at bugs.koha-community.org
Fri Jun 1 22:19:06 CEST 2012


http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=8171

Chris Cormack <chris at bigballofwax.co.nz> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
            Summary|Improper escaping of quotes |Improper escaping of quotes
                   |during z39.50 queries leads |during z39.50 queries leads
                   |to potential malicious code |to broken html
                   |execution                   |

--- Comment #3 from Chris Cormack <chris at bigballofwax.co.nz> ---
(In reply to comment #2)
> You may be correct that I have not identified the source of the bug.  You
> are incorrect when you say that the problem is that the quotation marks are
> not escaped during the actual search.  The problem is that the quotation
> marks are not escaped when one chooses edit-> replace record via z39.50.  If
> the title contains double quotes, everything from the first set of quotes
> back disappears, and is not transferred into the search window.  The quoted
> text never makes it into the actual search.  

I was just guessing where the problem was, since I haven't tried to replicate.
But I can guarantee that changing the column name in the SQL will have utterly
no effect on the value that is stored in that column.

> 
> It is easy to replicate this bug.  Pick any title in your collection and
> edit marc field $245a by appending "test quotes" at the end of the title. 
> Then click on z39.50 search.  The words "test quote" do not appear in the
> pop-up search window. Therefore, whatever module controls this behavior is
> not properly escaping the quotes.  If you would kindly identify this module
> I would be greatly appreciative.  Thanks for your quick response and all
> your help in this matter.  
> 

I would look into the perl code that is outputting it and/or the template.

It is not being stored in the database incorrectly; the placeholders are
escaping all bad characters.

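The symptom described in this thread (text from the first double quote onward never reaching the Z39.50 search window) is what happens when a 245$a value is interpolated into an HTML attribute without escaping. The following is an added example, not Koha's own code, using a constructed title and a hand-rolled escape_attr helper (an assumption; Koha's templates would use their own HTML escaping) to show the broken and the fixed output side by side:

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Constructed sample title: a 245$a with "test quotes" appended,
# as in the reproduction steps quoted in the bug report.
my $title = 'Gardening for beginners "test quotes"';

# Minimal HTML attribute escaping. Hand-rolled here (assumption) so the
# example has no dependencies; a real template should use its HTML filter.
sub escape_attr {
    my ($s) = @_;
    $s =~ s/&/&amp;/g;
    $s =~ s/"/&quot;/g;
    $s =~ s/</&lt;/g;
    $s =~ s/>/&gt;/g;
    return $s;
}

# Render the prefilled search field of the popup, with or without escaping.
sub render_search_input {
    my ($value, $escape) = @_;
    $value = escape_attr($value) if $escape;
    return qq{<input type="text" name="title" value="$value" />};
}

# Emulate how a browser recovers the value attribute: everything up to the
# next raw double quote, with character references decoded afterwards.
sub value_seen_by_browser {
    my ($html) = @_;
    my ($raw) = $html =~ /value="([^"]*)"/;
    $raw //= '';
    $raw =~ s/&quot;/"/g;
    $raw =~ s/&lt;/</g;
    $raw =~ s/&gt;/>/g;
    $raw =~ s/&amp;/&/g;
    return $raw;
}

my $broken = render_search_input($title, 0);
my $fixed  = render_search_input($title, 1);
print "unescaped: ", value_seen_by_browser($broken), "\n";  # truncated at the first quote
print "escaped:   ", value_seen_by_browser($fixed),  "\n";  # full title survives
```

The database is not involved at any point: as the reply notes, DBI placeholders keep the stored value intact, and the loss happens only where the value is written into the page markup.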