https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=37655
Bug ID: 37655
Summary: Basic editor needs to HTML-escape the bib record title used as a heading
Change sponsored?: ---
Product: Koha
Version: Main
Hardware: All
OS: All
Status: NEW
Severity: major
Priority: P3
Component: Cataloging
Assignee: [email protected]
Reporter: [email protected]
QA Contact: [email protected]
CC: [email protected]
When you edit an existing record, the basic editor has an <h1> at the top of
the page saying "Editing {bib title} (Record nnn)", which fails to HTML-escape
the title. That gives you unpleasant results if the title is something like
"<h2> is a second-level heading", making the entire editor an <h2>, or it gives
you alarming results if someone has stuck a <script> in the title.
Steps to reproduce:
1. Edit any bib record, stick <script>alert('boo ❤')</script><h2> at the end of
the title in field 245 subfield a
2. Save, then edit the bib record again.
3. Oops, that alert() could have been more serious.
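The heading bug side by side with its fix, as an added illustration that is not Koha's own code: a Template Toolkit fragment that interpolates the title raw, next to one that passes it through TT's `html` filter, rendered over a constructed title carrying the same kind of markup as the reproduction steps. The template text and variable names are assumed for the illustration and are not taken from Koha's real addbiblio template.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Template;

# Constructed sample data: a title with embedded markup, like step 1 above.
my $title        = "Alice in Wonderland<script>alert(1)</script><h2>";
my $biblionumber = 42;

# Hypothetical unsafe fragment: the title is interpolated as-is, so any
# markup stored in 245$a becomes live HTML in the editor page.
my $unsafe = '<h1>Editing [% title %] (Record [% biblionumber %])</h1>';

# Hardened fragment: TT's html filter turns &, <, > and " into entities,
# so the title is shown literally instead of being parsed as markup.
my $safe = '<h1>Editing [% title | html %] (Record [% biblionumber | html %])</h1>';

my $tt = Template->new() or die Template->error;

# Renders one template string with the sample variables and returns the HTML.
sub render {
    my ($tmpl) = @_;
    my $out = '';
    $tt->process( \$tmpl, { title => $title, biblionumber => $biblionumber }, \$out )
        or die $tt->error;
    return $out;
}

my $raw     = render($unsafe);
my $escaped = render($safe);

print "unsafe : $raw\n";
print "escaped: $escaped\n";

# Regression-style check of the kind a t/ test could carry: the escaped
# output must not contain the raw tags, and must contain the entities.
my $ok = $escaped !~ /<script>/ && $escaped =~ /&lt;script&gt;/;
print $ok ? "escaping OK\n" : "title still unescaped\n";
```

Running it prints the first heading with the `<script>` and `<h2>` tags intact and the second with them rendered as `&lt;script&gt;` and `&lt;h2&gt;`.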