https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=26606
--- Comment #5 from David Cook <[email protected]> --- (In reply to Phil Ringnalda from comment #4) > A bug (not this bug) about properly escaping authtypecode everywhere it is > used really ought to exist In this case, I think a lot of those "html" filters were added by an automated script to add XSS protection. Not sure why the value would've had a "url" filter instead of a "uri" filter. Probably just human error. > I'm unable to come up with any scenario where it would be valuable to > URI-escape the quote that starts the XSS attack as %22 so it would be > carefully passed through to the search that reloads after a deletion rather > than HTML-escaping it as " and letting UA error handling deal with a > bogus " URI param. I do not understand what you're trying to say here. As for my earlier comment, I was saying that we should be using uri filters instead of html filters when URI building. But yes not in this bug. -- You are receiving this mail because: You are watching all bug changes. _______________________________________________ Koha-bugs mailing list [email protected] https://lists.koha-community.org/cgi-bin/mailman/listinfo/koha-bugs website : http://www.koha-community.org/ git : http://git.koha-community.org/ bugs : http://bugs.koha-community.org/
