[Koha-bugs] [Bug 3652] XSS vulnerabilities

[bugzilla-daemon at bugs.koha-community.org]

http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=3652

Chris Cormack <chris at bigballofwax.co.nz> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
  Attachment #12823|0                           |1
        is obsolete|                            |

--- Comment #34 from Chris Cormack <chris at bigballofwax.co.nz> ---
Created attachment 12836
  -->
http://bugs.koha-community.org/bugzilla3/attachment.cgi?id=12836&action=edit
Bug 3652: close XSS vulnerabilities in opac-export

The opac-export.pl script had a number of XSS vulnerabilities relating
to its error handling.

To test:
1) Go to /cgi-bin/koha/opac-export.pl?op=export&bib=2&format=<h2>evil</h2>
   (substituting a valid biblionumber for the '2')
2) Notice that "evil" is rendered as an h2 heading.
3) Apply patch.
4) Notice that you now see the h2 tags, and they are not rendered by
   the browser.

Signed-off-by: Chris Cormack <chrisc at catalyst.net.nz>

-- 
You are receiving this mail because:
You are watching all bug changes.