[Koha-bugs] [Bug 22836] New: Tests catching XSS vulnerabilities in pagination are not correct

bugzilla-daemon at bugs.koha-community.org
Fri May 3 03:04:13 CEST 2019


https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=22836

            Bug ID: 22836
           Summary: Tests catching XSS vulnerabilities in pagination are
                    not correct
 Change sponsored?: ---
           Product: Koha
           Version: unspecified
          Hardware: All
                OS: All
            Status: ASSIGNED
          Severity: normal
          Priority: P5 - low
         Component: Test Suite
          Assignee: jonathan.druart at bugs.koha-community.org
          Reporter: jonathan.druart at bugs.koha-community.org
        QA Contact: testopia at bugs.koha-community.org
  Target Milestone: ---

See bug 22478 comments 44 and 45.

The tests were added originally to catch XSS vulnerabilities when pagination
was used (shelves, reviews, authorities searches, etc.).

With one of the QA followups (Handle category in opac-shelves like a boolean) we
did not trust the escape by resetting the "category" if not set to 1 or 2. We
should rely on the correct filtering instead.

However, if one really wants to use this change, we should adapt the tests to
catch the correctly filtered values (and so not use unlike), in another area
(i.e. not shelves, where we are handling the invalid values differently).

I suggest reverting those patches, as it is the easiest solution.
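The two assertion styles contrasted in this report, as an added illustration written with Test::More; this is not code from the bug, the patches or Koha itself. The `pagination_link_*` subroutines and the `html_escape` helper are constructed stand-ins for the real templates and template filtering, and the payload is a constructed test string. The first pair of assertions shows why `unlike` on the raw payload cannot distinguish proper escaping from "reset the value when it is not 1 or 2"; the second pair shows a test that only passes when the filtered value is actually present in the output.

```perl
#!/usr/bin/perl
# Added illustration (not Koha code): a weak XSS test built on "unlike"
# versus a test that looks for the correctly filtered value.
use strict;
use warnings;
use Test::More tests => 4;

# Constructed stand-in for output escaping, i.e. what the template
# filtering is expected to do with a tainted query parameter.
sub html_escape {
    my ($s) = @_;
    $s =~ s/&/&amp;/g;
    $s =~ s/</&lt;/g;
    $s =~ s/>/&gt;/g;
    $s =~ s/"/&quot;/g;
    $s =~ s/'/&#39;/g;
    return $s;
}

# Approach 1 (hypothetical): the tainted value is kept and escaped on output.
sub pagination_link_escaped {
    my ($category) = @_;
    return sprintf
        '<a href="/cgi-bin/koha/opac-shelves.pl?category=%s&amp;page=2">Next</a>',
        html_escape($category);
}

# Approach 2 (hypothetical): the value is reset to a default unless it is
# 1 or 2, so the payload never reaches the output at all.
sub pagination_link_reset {
    my ($category) = @_;
    $category = 1
        unless defined $category && ( $category eq '1' || $category eq '2' );
    return sprintf
        '<a href="/cgi-bin/koha/opac-shelves.pl?category=%s&amp;page=2">Next</a>',
        $category;
}

# Constructed test payload, the kind of value the original tests injected.
my $payload = q{"><script>xss</script>};

# Weak assertion: both approaches pass, so a green test says nothing
# about whether the escaping works.
unlike( pagination_link_escaped($payload), qr/<script>/,
    'escaped: raw payload absent' );
unlike( pagination_link_reset($payload), qr/<script>/,
    'reset: raw payload absent, but only because the value was replaced' );

# Stronger assertion: require the correctly filtered value in the output.
# Only the approach that really escapes the value satisfies it.
my $filtered = html_escape($payload);
like( pagination_link_escaped($payload), qr/\Q$filtered\E/,
    'escaped: filtered value present in the pagination link' );
unlike( pagination_link_reset($payload), qr/\Q$filtered\E/,
    'reset: filtered value absent, so this test would fail where escaping is expected' );
```

Run it with `prove -v` or directly with `perl`; all four tests pass, and the last two make the point: a `like` on the escaped form is the assertion that actually demonstrates the filtering, which is why, as the report says, such tests belong in an area that escapes rather than resets invalid values.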
