[Koha-bugs] [Bug 26606] Correctly URI-encode query string in URL loaded after deleting an authority record

bugzilla-daemon at bugs.koha-community.org bugzilla-daemon at bugs.koha-community.org
Tue Oct 6 22:22:41 CEST 2020


https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=26606

--- Comment #4 from Phil Ringnalda <phil at chetcolibrary.org> ---
A bug (not this bug) about properly escaping authtypecode everywhere it is used
really ought to exist, but as for e.g. orderby which has four possible values,
HeadingDsc or HeadingAsc or null or an XSS attack in a spearphishing link, I'm
unable to come up with any scenario where it would be valuable to URI-escape
the quote that starts the XSS attack as %22 so it would be carefully passed
through to the search that reloads after a deletion rather than HTML-escaping
it as &quot; and letting UA error handling deal with a bogus &quot; URI param.

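As an added illustration of the distinction the comment draws (this is example code, not code from Koha or from the patch for this bug): a fixed-vocabulary parameter such as orderby is reduced to its allow-listed values when the post-deletion search URL is rebuilt, free-text parameters are percent-encoded for the URL context, and the finished URL is entity-encoded only where it is written into HTML. The script path and the `value` parameter name are assumptions made for the example.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use URI::Escape   qw(uri_escape_utf8);  # percent-encoding for the URL context
use HTML::Entities qw(encode_entities); # entity-encoding for the HTML context

# orderby only ever takes a known set of values: allow-list it instead of
# escaping whatever arrived.
my %ORDERBY_OK = map { $_ => 1 } qw(HeadingAsc HeadingDsc);

# Build the search URL reloaded after an authority record is deleted.
# Free-text parameters are percent-encoded; orderby is kept only when it is
# one of its known values, otherwise it is dropped from the query string.
sub post_delete_search_url {
    my (%p) = @_;
    my @pairs;
    push @pairs, 'authtypecode=' . uri_escape_utf8($p{authtypecode})
        if defined $p{authtypecode};
    push @pairs, 'value=' . uri_escape_utf8($p{value})   # assumed param name
        if defined $p{value};
    push @pairs, 'orderby=' . $p{orderby}
        if defined $p{orderby} && $ORDERBY_OK{ $p{orderby} };
    # assumed script path for the example
    return '/cgi-bin/koha/authorities/authorities-home.cgi?' . join('&', @pairs);
}

# Constructed sample input: URL-significant characters in authtypecode and the
# search term, and a quote smuggled into orderby as in a crafted link.
my %req = (
    authtypecode => 'PERSO_NAME&x=1',
    value        => 'Smith, "J"',
    orderby      => 'HeadingAsc"onmouseover="x',
);

my $url = post_delete_search_url(%req);

# URL context: & and " in the free-text values are now %26 and %22, and the
# bogus orderby is gone rather than being carried through as %22.
print "Location: $url\n";

# HTML context: the same URL written into markup is entity-encoded there,
# so & becomes &amp; without ever producing a stray &quot; URI parameter.
print '<a href="' . encode_entities($url) . '">Continue</a>', "\n";
```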