https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=26606
--- Comment #4 from Phil Ringnalda <[email protected]> ---

A bug (not this bug) about properly escaping authtypecode everywhere it is used really ought to exist, but as for e.g. orderby which has four possible values, HeadingDsc or HeadingAsc or null or an XSS attack in a spearphishing link, I'm unable to come up with any scenario where it would be valuable to URI-escape the quote that starts the XSS attack as %22 so it would be carefully passed through to the search that reloads after a deletion rather than HTML-escaping it as &quot; and letting UA error handling deal with a bogus " URI param.
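
The two escaping choices compared in the comment above, as an added example that is not part of the original comment or of Koha's code. It uses Python's standard library rather than Koha's template filters; the script name search.pl and the sample orderby value are assumptions constructed for illustration.

```python
from html import escape
from html.parser import HTMLParser
from urllib.parse import quote, urlsplit, parse_qs

# Constructed sample: a legitimate orderby value followed by a quote that
# tries to close the href attribute and start a new one.
TAINTED = 'HeadingAsc" data-injected="1'


class AnchorAttrs(HTMLParser):
    """Collect the attributes of the first <a> tag as an HTML parser sees them."""

    def __init__(self):
        super().__init__()
        self.attrs = None

    def handle_starttag(self, tag, attrs):
        if tag == "a" and self.attrs is None:
            self.attrs = dict(attrs)


def render(orderby, mode):
    """Build the reload link with no escaping, HTML escaping, or URI escaping."""
    if mode == "html":
        value = escape(orderby, quote=True)   # " becomes &quot;
    elif mode == "uri":
        value = quote(orderby, safe="")       # " becomes %22
    else:
        value = orderby                       # unescaped, for comparison
    # search.pl is a hypothetical script name, not taken from the page.
    return f'<a href="search.pl?orderby={value}">reload</a>'


def inspect(orderby, mode):
    """Return (did an extra attribute appear?, orderby value the server would decode)."""
    parser = AnchorAttrs()
    parser.feed(render(orderby, mode))
    parser.close()
    query = urlsplit(parser.attrs["href"]).query
    received = parse_qs(query).get("orderby", [""])[0]
    return ("data-injected" in parser.attrs, received)


if __name__ == "__main__":
    for mode in ("none", "html", "uri"):
        print(mode, inspect(TAINTED, mode))
```

In this sample both escaped forms keep the quote inside the href attribute; only the unescaped link gains the extra attribute.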
