https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=22223

--- Comment #23 from David Cook <[email protected]> ---
(In reply to David Cook from comment #22)
> We could also check URLs for characters outside the "unreserved character"
> list, and percent-encode if we find any (by percent encoding components
> rather than using the "url" filter). You could get false positives but
> that's better than a false negative.
> 
> That should prevent XSS and allow through properly encoded URLs (e.g.
> "https://idp.com?redirect_url=https%3A%2F%2Fsomewhere_else.com").

Except that I'm wrong. It wouldn't allow through properly encoded URLs because
% is not an "unreserved character".

But as I said in
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=22223#c8, that's why
URI does "find all funny characters and encode the bytes" when the characters
are not reserved, not unreserved, and not a % sign:

https://metacpan.org/source/OALDERS/URI-1.76/lib/URI.pm#L80

_______________________________________________
Koha-bugs mailing list
[email protected]
https://lists.koha-community.org/cgi-bin/mailman/listinfo/koha-bugs
website : http://www.koha-community.org/
git : http://git.koha-community.org/
bugs : http://bugs.koha-community.org/
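Added example, not code from the bug report, from Koha, or from URI.pm: a Python re-implementation of the two rules discussed above, so the difference can be run on sample input. uric_escape follows the URI.pm behaviour the comment points at (keep reserved, unreserved, '%' and '#', percent-encode every other byte), and naive_escape_component is the comment #22 proposal of encoding everything outside the unreserved set. The character classes are transcribed from URI.pm 1.76 (RFC 2396 reserved plus '[' and ']'); the sample URLs and the function names are constructed for this example.

```python
import re

# Character classes as URI.pm 1.76 defines them (RFC 2396 plus '[' and ']').
# These are transcribed for this example, not imported from Koha or URI.pm.
RESERVED = ";/?:@&=+$,[]"
UNRESERVED_CLASS = r"A-Za-z0-9\-_.!~*'()"

# URI.pm's _uric_escape leaves reserved, unreserved, '%' and '#' untouched and
# escapes everything else ("find all funny characters and encode the bytes").
_FUNNY = re.compile("[^" + re.escape(RESERVED) + UNRESERVED_CLASS + "%#]")

# The rule first proposed in comment #22: escape anything outside unreserved.
# '%' is not unreserved, so this re-encodes already encoded components.
_NOT_UNRESERVED = re.compile("[^" + UNRESERVED_CLASS + "]")


def _escape_char(ch: str) -> str:
    """Percent-encode each UTF-8 byte of one character (as escape_char does)."""
    return "".join("%%%02X" % b for b in ch.encode("utf-8"))


def has_funny_chars(uri: str) -> bool:
    """Cheap check: does the URL contain anything URI.pm would escape?"""
    return _FUNNY.search(uri) is not None


def uric_escape(uri: str) -> str:
    """URI.pm-style escaping of a whole URL.

    '%' is kept, so a correctly percent-encoded URL passes through unchanged,
    while '"', '<' and '>' (which could close an HTML attribute and open a
    tag) are encoded.
    """
    return _FUNNY.sub(lambda m: _escape_char(m.group(0)), uri)


def naive_escape_component(component: str) -> str:
    """Comment #22's first idea applied to one URL component: everything that
    is not unreserved gets encoded, so %3A becomes %253A (double encoding)."""
    return _NOT_UNRESERVED.sub(lambda m: _escape_char(m.group(0)), component)


# Constructed sample inputs for this example (not taken from the bug report).
ENCODED_REDIRECT = "https://idp.com?redirect_url=https%3A%2F%2Fsomewhere_else.com"
ENCODED_COMPONENT = "https%3A%2F%2Fsomewhere_else.com"
ATTRIBUTE_BREAKOUT = 'https://example.org/"><script>alert(1)</script>'


if __name__ == "__main__":
    # A properly encoded URL survives the URI.pm rule but not the naive one.
    print(uric_escape(ENCODED_REDIRECT))
    print(naive_escape_component(ENCODED_COMPONENT))
    # Attribute-breakout characters are encoded, parentheses are not.
    print(uric_escape(ATTRIBUTE_BREAKOUT))
    # Non-ASCII is encoded byte by byte after UTF-8 encoding.
    print(uric_escape("https://example.org/caf\u00e9"))
```

One caveat worth keeping in mind when relying on this rule: the single quote and both parentheses are unreserved under RFC 2396 and pass through unchanged, and nothing here inspects the scheme. It stops a value from breaking out of a double-quoted attribute; it is not a substitute for validating the URL itself or for escaping a value placed in a single-quoted attribute or in JavaScript.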