[Koha-bugs] [Bug 22223] Item url double-encode when parameter is an encoded URL

bugzilla-daemon at bugs.koha-community.org bugzilla-daemon at bugs.koha-community.org
Thu Jul 30 06:34:13 CEST 2020


https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=22223

--- Comment #16 from David Cook <dcook at prosentient.com.au> ---
I think removing the "url" filter seems like the more reasonable solution to
me. 

In this case, the ITEM_RESULT.uri is coming from a stored record in the staff
interface, so we don't really need to filter unauthenticated untrusted user
input.

That said, an authenticated user with cataloguing privileges could put
malicious JavaScript into an 856$u subfield. (Then again, an authenticated user
with admin privileges could put malicious JavaScript into OpacUserJS, so an
authenticated staff interface user is always a bit of a risk.)
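The double-encoding the bug title describes, and the attribute-context escaping that avoids it, shown as an added stand-alone example. This is not Koha code: Koha's templates are Template Toolkit, whereas this is Python, and `url_filter` only approximates a template "url" filter with `urllib.parse.quote(safe="")`. The sample 856$u values are constructed, and the scheme allowlist in `safe_href` is this example's own addition, not something the comment above proposes.

```python
import html
import urllib.parse
from typing import Optional

# Constructed sample: an 856$u value stored already percent-encoded
# (the space and the ampersand inside the title are already %-escaped).
STORED_URI = "https://example.org/catalog?title=Cat%20%26%20Mouse&lang=en"

# Constructed sample: an 856$u value a cataloguer could enter to break out
# of an href="..." attribute and inject script (hypothetical input).
MALICIOUS_URI = 'javascript:alert(1)" onmouseover="alert(2)'


def url_filter(value: str) -> str:
    """Approximation of a template 'url' filter: percent-encode every
    character except the unreserved set.  Assumption: this mimics the
    effect of such a filter, it is not Template Toolkit's implementation."""
    return urllib.parse.quote(value, safe="")


def is_double_encoded(before: str, after: str) -> bool:
    """True when re-filtering changed an already-encoded value, which shows
    up as an existing '%xx' escape turning into '%25xx'."""
    return before != after and "%25" in after


def html_attr_filter(value: str) -> str:
    """Escape for an HTML attribute context: & < > and both quote characters
    become entities, existing percent-escapes are left exactly as stored."""
    return html.escape(value, quote=True)


# Assumption: schemes a library would accept in an 856$u link.  Relative
# links (empty scheme) are rejected too, since 856$u is expected to be absolute.
ALLOWED_SCHEMES = {"http", "https", "ftp"}


def safe_href(value: str) -> Optional[str]:
    """Return the stored URI escaped for an href attribute, or None when its
    scheme is not allowed.  The scheme check runs on the percent-decoded
    value so that '%6Aavascript:' cannot hide a javascript: URL."""
    decoded = urllib.parse.unquote(value)
    scheme = urllib.parse.urlsplit(decoded).scheme.lower()
    if scheme not in ALLOWED_SCHEMES:
        return None
    return html_attr_filter(value)


if __name__ == "__main__":
    twice = url_filter(STORED_URI)
    print("url filter on stored value :", twice)
    print("double-encoded?            :", is_double_encoded(STORED_URI, twice))
    print("html attribute escaping    :", html_attr_filter(STORED_URI))
    print("malicious value, escaped   :", html_attr_filter(MALICIOUS_URI))
    print("malicious value, safe_href :", safe_href(MALICIOUS_URI))
```

Running it shows the two halves of the discussion: re-applying a URL-encoding filter to a value that was encoded when it was catalogued turns `%20` into `%2520` and breaks the link, while attribute escaping keeps the stored encoding intact and still neutralises the quote that `MALICIOUS_URI` uses to break out of the attribute. Escaping alone does not stop a plain `javascript:` link from being clickable, which is why the example also filters on scheme.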
