[Koha-bugs] [Bug 8171] Improper escaping of quotes during z39.50 queries leads to broken html
bugzilla-daemon at bugs.koha-community.org
Fri Jun 1 22:19:06 CEST 2012
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=8171
Chris Cormack <chris at bigballofwax.co.nz> changed:
What      | Removed                               | Added
----------+---------------------------------------+---------------------------------------
Summary   | Improper escaping of quotes during    | Improper escaping of quotes during
          | z39.50 queries leads to potential     | z39.50 queries leads to broken html
          | malicious code execution              |
--- Comment #3 from Chris Cormack <chris at bigballofwax.co.nz> ---
(In reply to comment #2)
> You may be correct that I have not identified the source of the bug. You
> are incorrect when you say that the problem is that the quotation marks are
> not escaped during the actual search. The problem is that the quotation
> marks are not escaped when one chooses edit-> replace record via z39.50. If
> the title contains double quotes, everything from the first set of quotes
> back disappears, and is not transferred into the search window. The quoted
> text never makes it into the actual search.
I was just guessing where the problem was, since I haven't tried to replicate.
But I can guarantee that changing the column name in the SQL will have utterly
no effect on the value that is stored in that column.
>
> It is easy to replicate this bug. Pick any title in your collection and
> edit marc field $245a by appending "test quotes" at the end of the title.
> Then click on z39.50 search. The words "test quote" do not appear in the
> pop-up search window. Therefore, whatever module controls this behavior is
> not properly escaping the quotes. If you would kindly identify this module
> I would be greatly appreciative. Thanks for your quick response and all
> your help in this matter.
>
I would look into the Perl code that is outputting it and/or the template.
It is not being stored in the database incorrectly; the placeholders are
escaping all bad characters.
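The truncation described in this thread, reproduced as an added example (not Koha's own code): a constructed title containing double quotes is interpolated into the `value="..."` attribute of a search form, first verbatim and then HTML-escaped. The `browser_sees` helper is an assumed, deliberately minimal emulation of how a browser terminates a double-quoted attribute at the first following quote.

```python
# Added example, not Koha's code: show why an unescaped quote in a record
# title truncates the value passed to the Z39.50 search pop-up, and the fix.
import html


def render_unescaped(title: str) -> str:
    """Vulnerable form: the title is dropped into the attribute verbatim."""
    return f'<input type="text" name="title" value="{title}">'


def render_escaped(title: str) -> str:
    """Hardened form: html.escape(quote=True) turns " into &quot; (and &, <, >)."""
    return f'<input type="text" name="title" value="{html.escape(title, quote=True)}">'


def browser_sees(markup: str, attr: str = "value") -> str:
    """Emulate how a browser reads a double-quoted attribute (assumption, not
    a full HTML parser): the value runs from the opening quote to the first
    following quote, and character entities are then decoded."""
    start = markup.index(f'{attr}="') + len(attr) + 2
    end = markup.index('"', start)
    return html.unescape(markup[start:end])


TITLE = 'A history of Koha "test quotes"'  # constructed sample title

if __name__ == "__main__":
    # Unescaped: everything from the first quote onward is lost.
    print(repr(browser_sees(render_unescaped(TITLE))))  # 'A history of Koha '
    # Escaped: the full title, quotes included, reaches the search window.
    print(repr(browser_sees(render_escaped(TITLE))))    # the original TITLE
```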