[Koha-devel] Re: [Koha] HTML not being encoded for display?

Rick Welykochy rick at praxis.com.au
Fri Mar 7 01:05:47 CET 2008


Chris Cormack wrote:

> Short answer is yes, there are more checks on the use side (opac). The 
> staff interface has some checking, but as Joe pointed out if you have 
> staff inserting html into your marc data, you have bigger problems.

What checks can you do? Characters like "<" and "&" are valid in titles.
They cannot be escaped before storing in the database. I could easily
imagine a book or article entitled "The danger of <script>s", for example.

Joe misses the point with a glib answer "you have bigger problems".

First off, staff entering data into the catalogue would hardly be
typing in "&" characters maliciously. Rather, they do not know that
this is a special character in HTML. Neither should they have to know this.
The software must handle it and handle it correctly.

Second, more and more Koha instances are now on the Internet. It
ain't staff I am worried about. It is cookie and identity thieves
who can access the OPAC (P=public) and enter XSS exploits into
things like suggestion boxes and registration forms. Innocent
staff are caught when they open admin pages that transmit XSS data.
And it is their cookies (to the Intranet area) that can then be stolen.
This is the fast track to your server being compromised and zombied.


> I'll let the other developers answer more fully, but one thing to bear in 
> mind is that the data is used in more than just a web interface, so 
> storing things like html entities in the database isn't feasible.

Exactly. It takes careful encoding of data which is served up on
web pages. The encoding varies, depending on whether the data is
inline in text, inside a tag attribute, inside a URL or nested
at a 2nd level in any of the above. Not an easy task to get correct.
This is why XSS is so prevalent on the Internet.



cheers
rickw


-- 
________________________________________________________________
Rick Welykochy || Praxis Services || Internet Driving Instructor

A terrorist is someone who has a bomb but can't afford an air force.
      -- William Blum
