[Koha-bugs] [Bug 11535] Patron self-registration form does not sanitize its input
bugzilla-daemon at bugs.koha-community.org
bugzilla-daemon at bugs.koha-community.org
Tue Jan 14 00:18:03 CET 2014
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=11535
Liz Rea <liz at catalyst.net.nz> changed:
What |Removed |Added
----------------------------------------------------------------------------
Attachment #24242|0 |1
is obsolete| |
--- Comment #2 from Liz Rea <liz at catalyst.net.nz> ---
Created attachment 24247
-->
http://bugs.koha-community.org/bugzilla3/attachment.cgi?id=24247&action=edit
Bug 11535: sanitize input from patron self-registration form
This patch adds the use of C4::Scrubber to the processing of input
from the patron self-registration form, thereby closing off one
avenue for Javascript injection.
To test:
[1] Use the OPAC self-registration form to enter a new patron,
and set its address to something like:
<span style="color: red;">BAD</span>
[2] In the staff interface, bring up the new patron record. The
address will show up in red, indicating a successful HTML
injection.
[3] Apply the patch and use self-registration to enter a new
patron with a similar case of unwanted HTML coding.
[4] Bring up the second patron in the staff interface. This time,
the undesirable HTML tag should not be present.
Signed-off-by: Galen Charlton <gmc at esilibrary.com>
Signed-off-by: Liz Rea <liz at catalyst.net.nz>
Tags are not present on testing.
--
You are receiving this mail because:
You are watching all bug changes.
More information about the Koha-bugs
mailing list