Shifting this over to the devel lists, where it can be discussed more fully.

Chris
On 3/7/08, Chris Hammond-Thrasher <[EMAIL PROTECTED]> wrote:
>
> This could be a serious problem. Is this addressed in Koha 3? Are there
> any checks for dangerous user input in Koha 2 or 3?
>
> -cht
>
> Chris Hammond-Thrasher MLIS CISSP
> Library Systems Manager
> University of the South Pacific
> Suva, Fiji
> +679 3232233
> [EMAIL PROTECTED]
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rick Welykochy
> Sent: Thursday, 6 March 2008 12:39 PM
> To: George Adams
> Cc: [EMAIL PROTECTED]
> Subject: Re: [Koha] HTML not being encoded for display?
>
> George Adams wrote:
>
> > For example, in the "Add a MARC Record" section, I can enter in a title
> > (tag 245c) of the following:
> >
> > My Book is <font size="+5">Great</font>
> >
> > Sure enough, when the completed MARC record is submitted, the additem.pl
> > page will show the title with the word "Great" really big. Once added to
> > the catalog, it will show up in the search engines with that word really
> > big as well.
> >
> > Surely everything entered by users and librarians in the OPAC and Intranet
> > sites should be HTML-encoded if it's going to be redisplayed, right? Did
> > I miss some setting in the Administration menus that would disallow HTML
> > from being entered in a form, or is this a fairly big bug?
>
> This is why Koha is susceptible to cross-site scripting attacks, as
> already raised by someone else on this list a few months back.
>
> Example:
>
> My book is <script>alert("Gotcha!")</script>
>
> cheers
> rickw
>
> --
> ________________________________________________________________
> Rick Welykochy || Praxis Services || Internet Driving Instructor
>
> A terrorist is someone who has a bomb but can't afford an air force.
> -- William Blum
> _______________________________________________
> Koha mailing list
> [EMAIL PROTECTED]
> http://lists.katipo.co.nz/mailman/listinfo/koha
_______________________________________________ Koha-devel mailing list [email protected] http://lists.nongnu.org/mailman/listinfo/koha-devel
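The fix the thread asks for, shown as an added illustration rather than code from Koha or from anyone on the list: escape at the output boundary, so a 245$c title is rendered as text instead of being parsed as markup. The `html_escape` helper, the `<td>` wrapper and the sample titles are assumptions constructed for this example (the titles are modelled on the two values quoted above); Koha's own templates are not involved.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Minimal HTML escaping for text placed in an element body or a
# double-quoted attribute. Hand-rolled so the example has no dependency;
# HTML::Entities::encode_entities does the same job in real code.
sub html_escape {
    my ($s) = @_;
    return '' unless defined $s;
    $s =~ s/&/&amp;/g;     # must run first, or later entities get re-escaped
    $s =~ s/</&lt;/g;
    $s =~ s/>/&gt;/g;
    $s =~ s/"/&quot;/g;
    $s =~ s/'/&#39;/g;
    return $s;
}

# Constructed sample titles, modelled on the 245$c values quoted in the thread.
my @titles = (
    'My Book is <font size="+5">Great</font>',
    'My book is <script>alert("Gotcha!")</script>',
    'Plain & simple title',
);

for my $title (@titles) {
    # Vulnerable pattern: the stored value is interpolated straight into
    # markup, so the browser treats the librarian's input as HTML.
    my $unsafe_html = "<td class=\"title\">$title</td>";

    # Mitigated pattern: escape when writing to the page, so the browser
    # displays the same characters as text.
    my $safe_html = '<td class="title">' . html_escape($title) . '</td>';

    # Cheap self-check: the escaped output must not still contain a raw tag.
    my $tag_survives = ($safe_html =~ /<(?:script|font)\b/i) ? 'yes' : 'no';

    print "raw:     $unsafe_html\n";
    print "escaped: $safe_html\n";
    print "tag survives escaping: $tag_survives\n\n";
}
```

Note that escaping belongs at display time, not at MARC import: the record should keep the exact string the cataloguer entered, and each output context (HTML body, attribute, JavaScript, URL) needs its own encoder.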
