[Koha-bugs] [Bug 19121] Prevent XSS in the Staff Client and the OPAC - bis

bugzilla-daemon at bugs.koha-community.org bugzilla-daemon at bugs.koha-community.org
Mon Aug 28 00:08:50 CEST 2017


https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=19121

Chris Cormack <chris at bigballofwax.co.nz> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |chris at bigballofwax.co.nz

--- Comment #9 from Chris Cormack <chris at bigballofwax.co.nz> ---
(In reply to Jonathan Druart from comment #7)
> Hi Robin,
> 
> Thanks for your input!
> 
> I have to admit that I should have explained what I have in mind a bit more.
> At the moment we are facing a lot of XSS vulnerabilities caused by input
> parameters we send to the template:
>   $template->param( foo => scalar $cgi->param('foo') )
> and then [% foo %]
> 
> That is our main problem.
> 
> Of course the idea was not to insert escaped strings into the DB, but to
> trust data from DB (inserted from staff, not OPAC), and not url parameters.
> Which is wrong (!) and just moves the escape problem to somewhere else (we
> will have to list the variables we trust and the ones we do not). I am
> obsoleting my proposal.
> 
> Fixing XSS incrementally scared me. First it will be long and hard to be
> exhaustive, then we will not be regression-proof.

This won't save us from stored XSS either. I think scripting adding the
|something to all non-filtered output and changing the ones we don't want is
probably the safest way to go.

Long and annoying, but in the end easy to test for with QA scripts.

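The approach Chris describes, a script that appends the escaping filter to every unfiltered output directive and a QA check that reports whatever is still unfiltered, as an added example in Python (not Koha's own code; Koha's QA scripts are Perl). It assumes Template Toolkit's `| html` filter and a hypothetical `allow_raw` list naming the few outputs that must stay unescaped; the sample template is constructed.

```python
import re

# One Template Toolkit directive: "[% body %]", also the chomping "[%- body -%]" form.
DIRECTIVE = re.compile(r"(\[%-?\s*)(.*?)(\s*-?%\])", re.S)

# Control-flow and assignment directives produce no output, so they need no filter.
NON_OUTPUT = re.compile(
    r"^(IF|ELSIF|ELSE|UNLESS|END|FOREACH|FOR|WHILE|SET|USE|INCLUDE|PROCESS|BLOCK|"
    r"MACRO|WRAPPER|SWITCH|CASE|DEFAULT|CALL|RETURN|STOP|NEXT|LAST)\b", re.I)

# Output whose last filter is one of these escapers is already safe for its context.
ESCAPING_FILTER = re.compile(r"\|\s*(html|html_entity|uri|url)\s*$", re.I)

def needs_filter(body, allow_raw=()):
    """True when a directive body is an output expression with no escaping filter.

    allow_raw (assumed helper input) lists variable names that must stay raw, the
    "ones we don't want" filtered; every name in it is an explicit, reviewed decision.
    """
    if body.startswith("#") or NON_OUTPUT.match(body) or ESCAPING_FILTER.search(body):
        return False
    return body.split("|")[0].strip() not in allow_raw

def find_unfiltered(template, allow_raw=()):
    """QA check: (line number, directive body) of every unfiltered output."""
    return [(template.count("\n", 0, m.start()) + 1, m.group(2))
            for m in DIRECTIVE.finditer(template)
            if needs_filter(m.group(2), allow_raw)]

def add_html_filter(template, allow_raw=()):
    """Rewrite the template so every unfiltered output gets ' | html' appended."""
    def fix(m):
        prefix, body, suffix = m.groups()
        if not needs_filter(body, allow_raw):
            return m.group(0)
        return prefix + body + " | html" + suffix
    return DIRECTIVE.sub(fix, template)

# Constructed sample template: line 1 is already filtered, lines 2-3 show the plain
# "[% foo %]" pattern from the bug, line 4 is a variable that is meant to stay raw.
SAMPLE = """<h1>[% title | html %]</h1>
[% IF foo %]<p>[% foo %]</p>[% END %]
[% FOREACH item IN items %]<li>[% item.name %]</li>[% END %]
<style>[% OPACUserCSS %]</style>
"""

if __name__ == "__main__":
    for line, body in find_unfiltered(SAMPLE, allow_raw={"OPACUserCSS"}):
        print(f"line {line}: unfiltered output [% {body} %]")
    print(add_html_filter(SAMPLE, allow_raw={"OPACUserCSS"}))
```

Running the check a second time over the rewritten template returns nothing, which is the regression test a QA script can keep enforcing after the one-off rewrite.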