[Koha-bugs] [Bug 19121] Prevent XSS in the Staff Client and the OPAC - bis

bugzilla-daemon at bugs.koha-community.org bugzilla-daemon at bugs.koha-community.org
Tue Aug 22 17:25:57 CEST 2017


https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=19121

--- Comment #7 from Jonathan Druart <jonathan.druart at bugs.koha-community.org> ---
Hi Robin,

Thanks for your input!

I have to admit that I should have explained what I have in mind a bit more.
At the moment we are facing a lot of XSS vulnerabilities caused by input
parameters we send to the template:
  $template->param( foo => scalar $cgi->param('foo') )
and then [% foo %]

That is our main problem.

Of course the idea was not to insert escaped strings into the DB, but to trust
data from DB (inserted from staff, not OPAC), and not url parameters.
Which is wrong (!) and just moves the escaping problem somewhere else (we will
have to list the variables we trust and the ones we do not). I am obsoleting my
proposal.

Fixing XSS incrementally scared me. First, it will be long and hard to be
exhaustive; then we will not be regression-proof.

-- 
You are receiving this mail because:
You are watching all bug changes.
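The pattern the comment describes (a raw CGI parameter handed to the template and printed with [% foo %]) and its hardened form, as an added, self-contained example. This is not Koha's code and not part of the bug report; it uses Template Toolkit directly, and the $foo value, the two inline templates and the leaks_canary helper are constructed here for illustration. The canary check is one way to make the escaping regression-proof in a test suite, which the comment says is hard to do when fixing call sites one at a time.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Template;

# Constructed attacker-controlled input, standing in for scalar $cgi->param('foo').
# The same value could equally come from the database if staff stored it there,
# so trusting "DB data" does not remove the need to escape at output time.
my $foo = q{"><script>alert(document.cookie)</script>};

my $tt = Template->new() or die Template->error();

# Vulnerable pattern from the comment: the value is interpolated verbatim,
# so the attacker's quote and <script> tag land in the page unchanged.
my $unsafe_template = q{<input name="foo" value="[% foo %]">};

# Hardened form: Template Toolkit's built-in html filter escapes &, <, >, and "
# so the payload is rendered as text inside the attribute instead of as markup.
my $safe_template   = q{<input name="foo" value="[% foo | html %]">};

# Render an inline template string with the given variables and return the output.
sub render {
    my ($tmpl, $vars) = @_;
    my $out = '';
    $tt->process(\$tmpl, $vars, \$out) or die $tt->error();
    return $out;
}

# Regression check a test suite could run over every template: a marker containing
# HTML metacharacters must never reach the output unescaped. Returns 1 if it leaks.
sub leaks_canary {
    my ($tmpl) = @_;
    my $canary = q{<canary-xss-marker>};
    my $out = render($tmpl, { foo => $canary });
    return index($out, $canary) >= 0 ? 1 : 0;
}

my $vars = { foo => $foo };
print "unfiltered: ", render($unsafe_template, $vars), "\n";
print "filtered:   ", render($safe_template,   $vars), "\n";

for my $t ($unsafe_template, $safe_template) {
    printf "%-40s leaks canary: %s\n", $t, leaks_canary($t) ? 'YES' : 'no';
}
```

Run with the Template Toolkit distribution installed (cpanm Template). The unfiltered line shows the closing quote and script tag emitted as-is; the filtered line shows &quot;&gt;&lt;script&gt; in their place, and only the unfiltered template leaks the canary.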
