[Koha-devel] [Bug 196] New: user input not checked for HTML tags
bugzilla-daemon at wilbur.katipo.co.nz
Mon Feb 3 19:57:04 CET 2003
http://bugs.koha.org/cgi-bin/bugzilla/show_bug.cgi?id=196
Summary: user input not checked for HTML tags
Product: Koha
Version: CVS
Platform: All
OS/Version: All
Status: NEW
Severity: normal
Priority: P2
Component: OPAC
AssignedTo: chris at katipo.co.nz
ReportedBy: a.c.li at ieee.org
QAContact: koha-devel at lists.sourceforge.net
(Note: Component really should be All, but there is no All for Component )-:
A user can search for <HR>, and Koha will happily display the horizontal rule.
If the user enters something nasty like <SCRIPT>, bad things may happen.
(Entity names, on the other hand, may need to be handled; e.g., if the OPAC
uses iso-8859-1 but the library contains some Chinese books, the user might
enter some Chinese, which will get turned into numerical character entities by
the time the CGI gets the input.)
This should probably be considered a security bug.
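The report makes two points: search input is copied into the page unescaped, and a Latin-1 OPAC receives non-Latin-1 characters as numeric character references, so whatever the fix is, it must not mangle those. The following is an added example (not Koha code, which is Perl, and not from the bug report) written in Python to show both: a verbatim echo as the report describes it, an escaping version that first decodes numeric references so that `&#20013;` still renders as the Chinese character while `&#60;SCRIPT&#62;` cannot turn into a tag, and, for contrast, an escape-only version that shows why the decode step matters. The `render_*` and `decode_ncrs` names and the `<p>Results for: ...</p>` page fragment are assumptions made up for this example.

```python
import html
import re

# Decimal (&#20013;) or hexadecimal (&#x4e2d;) numeric character reference.
# Browsers emit these for characters the form's charset cannot carry, which
# is why a Latin-1 OPAC receives Chinese this way.
NCR = re.compile(r"&#(?:x([0-9a-fA-F]+)|([0-9]+));")


def decode_ncrs(text):
    """Turn numeric character references back into the characters the user
    typed. Named entities such as &lt; are deliberately left alone: a browser
    does not generate them for unrepresentable characters, so they are
    literal user text and get escaped like everything else."""
    def repl(match):
        hex_digits, dec_digits = match.groups()
        codepoint = int(hex_digits, 16) if hex_digits else int(dec_digits)
        # Malformed reference (out of range or a surrogate): keep it as text.
        if codepoint > 0x10FFFF or 0xD800 <= codepoint <= 0xDFFF:
            return match.group(0)
        return chr(codepoint)
    return NCR.sub(repl, text)


def render_unsafe(query):
    """The behaviour described in the report: the query goes into the page
    verbatim, so <HR> draws a rule and <SCRIPT> would run."""
    return "<p>Results for: %s</p>" % query  # hypothetical page fragment


def render_safe(query, charset="iso-8859-1"):
    """Decode NCRs first, then escape, then encode for the page charset.
    Returns the bytes a CGI would write to its output."""
    text = decode_ncrs(query)
    escaped = html.escape(text, quote=True)
    page = "<p>Results for: %s</p>" % escaped
    # Characters outside the charset become NCRs again on output; escaping
    # already happened, so nothing here can turn back into markup.
    return page.encode(charset, "xmlcharrefreplace")


def render_escape_only(query, charset="iso-8859-1"):
    """Escaping without the decode step: the & of &#20013; is escaped too,
    so the reader sees the literal text '&#20013;' instead of the character."""
    page = "<p>Results for: %s</p>" % html.escape(query, quote=True)
    return page.encode(charset, "xmlcharrefreplace")


if __name__ == "__main__":
    for q in ["<HR>", "<SCRIPT>", "&#20013;&#25991;", "&#60;SCRIPT&#62;"]:
        print(repr(q), "->", render_safe(q))
```

The order matters: decoding numeric references before escaping means that a user who types `&#60;SCRIPT&#62;` (what a browser would send for `<SCRIPT>` only if the form charset could not carry `<`, but which an attacker can send by hand) still ends up with `&lt;SCRIPT&gt;`, while genuine Chinese input survives as `&#20013;&#25991;` in a Latin-1 page or as UTF-8 bytes when `charset="utf-8"`.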