https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=22223

--- Comment #22 from David Cook <[email protected]> ---
But... doing nothing is also risky. 

I suppose we could validate that it's actually a URL, but that's easy to
bypass. 

But we can't re-encode the URI components either because that could compromise
the semantics of the URL.

I suppose one could argue that it's better to compromise the semantics of a
good URL than to permit an unchallenged bad URL.

We could also check URLs for characters outside the "unreserved character"
list, and percent-encode if we find any (by percent encoding components rather
than using the "url" filter). You could get false positives but that's better
than a false negative.

That should prevent XSS and allow through properly encoded URLs (e.g.
"https://idp.com?redirect_url=https%3A%2F%2Fsomewhere_else.com").

_______________________________________________
Koha-bugs mailing list
[email protected]
https://lists.koha-community.org/cgi-bin/mailman/listinfo/koha-bugs
website : http://www.koha-community.org/
git : http://git.koha-community.org/
bugs : http://bugs.koha-community.org/
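The approach sketched in the comment above (reject what cannot be encoded, then percent-encode each URL component while leaving well-formed %XX escapes untouched so a correctly encoded redirect URL survives), as an added example. This is illustration code written for this page, not Koha code; Koha's templates are Perl/Template Toolkit, and the example is in Python only so it runs stand-alone. The scheme allowlist, the per-component delimiter sets, the rejection of userinfo and the reg-name-only host check are assumed policy choices, not anything the bug thread specifies.

```python
"""Component-wise URL sanitizer (added example, not Koha code).

Reject unsafe schemes outright, then walk each URL component and
percent-encode any character outside RFC 3986's unreserved set and that
component's own delimiters. Existing %XX escapes are kept, so an already
encoded URL such as the IdP redirect in the thread comes back unchanged.
"""
import re
from urllib.parse import urlsplit, urlunsplit

# RFC 3986 section 2.3 unreserved characters.
UNRESERVED = frozenset(
    "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-._~"
)
# A well-formed percent escape; kept as-is so "%2F" is not turned into "%252F".
PCT_ESCAPE = re.compile(r"%[0-9A-Fa-f]{2}")
# Delimiters each component may keep (assumed policy, deliberately conservative):
# quotes, angle brackets, parentheses, whitespace and backslash are never kept,
# so the result cannot break out of a quoted HTML attribute. False positives
# (over-encoding an unusual but legitimate URL) are accepted.
PATH_DELIMS = "/:@&=+$,;"
QUERY_DELIMS = "/?:@&=+$,;"
SAFE_SCHEMES = frozenset({"http", "https"})


def pct_encode(component: str, delims: str = "") -> str:
    """Percent-encode every character of `component` that is neither unreserved,
    nor one of `delims`, nor part of an existing %XX escape."""
    keep = UNRESERVED | frozenset(delims)
    out = []
    i = 0
    while i < len(component):
        m = PCT_ESCAPE.match(component, i)
        if m:
            out.append(m.group(0).upper())  # keep the escape, normalise hex case
            i += 3
            continue
        ch = component[i]
        if ch in keep:
            out.append(ch)
        else:
            out.extend("%%%02X" % b for b in ch.encode("utf-8"))
        i += 1
    return "".join(out)


def sanitize_url(url: str):
    """Return a percent-encoded http(s) URL, or None if it must be rejected.

    Rejection rather than encoding is used where encoding would not help:
    a non-http scheme, a missing host, userinfo, or an unparsable port.
    """
    parts = urlsplit(url.strip())
    scheme = parts.scheme.lower()
    if scheme not in SAFE_SCHEMES:
        return None  # javascript:, data:, vbscript: ... are never emitted
    try:
        host, port = parts.hostname, parts.port
    except ValueError:
        return None  # non-numeric or out-of-range port
    if not host or parts.username is not None or parts.password is not None:
        return None  # no host, or "https://trusted.example@evil.example" tricks
    if any(ch not in UNRESERVED for ch in host):
        return None  # reg-name only; IPv6 literals and raw IDN are out of scope
    netloc = host if port is None else "%s:%d" % (host, port)
    return urlunsplit((
        scheme,
        netloc,
        pct_encode(parts.path, PATH_DELIMS),
        pct_encode(parts.query, QUERY_DELIMS),
        pct_encode(parts.fragment, QUERY_DELIMS),
    ))


if __name__ == "__main__":
    # Constructed inputs: the thread's encoded IdP redirect, an attribute
    # break-out attempt, and a javascript: URL.
    for u in (
        "https://idp.com?redirect_url=https%3A%2F%2Fsomewhere_else.com",
        'https://example.com/path"><script>alert(1)</script>',
        "javascript:alert(1)",
    ):
        print(repr(u), "->", repr(sanitize_url(u)))
```

The sanitizer only makes the URL itself safe to place in an attribute; the template's normal HTML escaping still applies on output, it is not a replacement for it.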
