https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=22223

--- Comment #24 from David Cook <[email protected]> ---
Consider the following code:
#!/usr/bin/perl
use strict;
use warnings;
use URI;
use Template;
my $one =
URI->new('https://www.google.com/url?q=https://buttercup.pw"></a><injection></injection><a href="');
my $two = URI->new('https://www.google.com/url?q=https%3A%2F%2Fbuttercup.pw');
my $template = Template->new();
my $output;
$template->process( \*DATA, { one => $one, two => $two }, \$output );
warn $output;
__DATA__
[% one %]
[% two %]

Consider the following output:
https://www.google.com/url?q=https://buttercup.pw%22%3E%3C/a%3E%3Cinjection%3E%3C/injection%3E%3Ca%20href=%22
https://www.google.com/url?q=https%3A%2F%2Fbuttercup.pw

In this case it's let the correctly percent-encoded URL through, but it's also
encoded the malicious URL.

_______________________________________________
Koha-bugs mailing list
[email protected]
https://lists.koha-community.org/cgi-bin/mailman/listinfo/koha-bugs
website : http://www.koha-community.org/
git : http://git.koha-community.org/
bugs : http://bugs.koha-community.org/

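As an added example (not code from the Koha bug or from the comment above), the script below renders the same payload three ways so the effect of URI stringification can be seen next to the html filter. It goes one step beyond the comment by also passing a constructed payload made only of characters that URI.pm treats as legal in a URI: the apostrophe is in its unescaped "mark" set and the ampersand in its "reserved" set, so neither is percent-encoded. It assumes the URI and Template modules are installed; the URLs are constructed for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use URI;
use Template;

# Constructed inputs (not taken from Koha): the payload from the comment above,
# and a second one built only from characters that URI.pm considers legal in a
# URI and therefore leaves alone (apostrophe is in its "mark" set, ampersand in
# its "reserved" set; the space will become %20).
my $angle_payload = 'https://www.google.com/url?q=https://buttercup.pw"></a><injection></injection><a href="';
my $quote_payload = "https://www.google.com/url?q=x' y='z&w";

my $vars = {
    raw_str   => $angle_payload,            # plain string: TT emits it untouched
    uri_obj   => URI->new($angle_payload),  # URI object: TT stringifies it via URI's canonical form
    uri_quote => URI->new($quote_payload),  # apostrophes and ampersand survive canonicalisation
};

my $template = Template->new();
my $output   = '';
$template->process( \*DATA, $vars, \$output ) or die $template->error();
print $output;

__DATA__
raw string, no filter:      [% raw_str %]
URI object, no filter:      [% uri_obj %]
URI object, html filter:    [% uri_obj | html %]
URI (quotes), no filter:    [% uri_quote %]
URI (quotes), html filter:  [% uri_quote | html %]
```

The second output line reproduces the `%22%3E%3C/a%3E...` encoding shown in the comment, which is URI.pm escaping characters that are not allowed in a URI, not HTML escaping. The last two lines still contain the literal apostrophes: URI.pm never encodes them, and Template Toolkit's html filter only converts `&`, `<`, `>` and `"`. Treating stringification of a URI object as the escaping layer is therefore only safe inside a double-quoted attribute, and the html filter (or an explicit uri filter on the parameter values) is still needed.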