[Koha-bugs] [Bug 26606] Correctly URI-encode query string in URL loaded after deleting an authority record
bugzilla-daemon at bugs.koha-community.org
bugzilla-daemon at bugs.koha-community.org
Wed Oct 7 00:37:09 CEST 2020
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=26606
--- Comment #5 from David Cook <dcook at prosentient.com.au> ---
(In reply to Phil Ringnalda from comment #4)
> A bug (not this bug) about properly escaping authtypecode everywhere it is
> used really ought to exist
In this case, I think a lot of those "html" filters were added by an automated
script to add XSS protection. Not sure why the value would've had a "url"
filter instead of a "uri" filter. Probably just human error.
> I'm unable to come up with any scenario where it would be valuable to
> URI-escape the quote that starts the XSS attack as %22 so it would be
> carefully passed through to the search that reloads after a deletion rather
> than HTML-escaping it as " and letting UA error handling deal with a
> bogus " URI param.
I do not understand what you're trying to say here.
As for my earlier comment, I was saying that we should be using uri filters
instead of html filters when URI building. But yes not in this bug.
--
You are receiving this mail because:
You are watching all bug changes.
More information about the Koha-bugs
mailing list