https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=19121
Jonathan Druart changed:
What|Removed |Added
See Also|https://bugs.koha-community |
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=19121
Chris Cormack changed:
What|Removed |Added
CC|
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=19121
Marc Véron changed:
What|Removed |Added
CC||ve...@veron.ch
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=19121
--- Comment #8 from Robin Sheat ---
It will be a long and annoying process, but if done right then it'll be very
hard for someone to introduce a new vulnerability by accident.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=19121
Jonathan Druart changed:
What|Removed |Added
Attachment #66045|0
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=19121
--- Comment #7 from Jonathan Druart ---
Hi Robin,
Thanks for your input!
I have to admit that I should have explained what I have in mind a bit more.
At the moment we are facing a lot of XSS
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=19121
Amit Gupta changed:
What|Removed |Added
CC|
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=19121
--- Comment #6 from Robin Sheat ---
You can't process the data on the way in.
You will end up with corrupt data:
* in the database
* output via APIs
* in the web display whenever you're doing anything that
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=19121
--- Comment #5 from Jonathan Druart ---
(In reply to Marcel de Rooy from comment #3)
> Or only pragmatically remove .. constructions from
> parameters now with Koha::CGI?
It is not only
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=19121
--- Comment #4 from Jonathan Druart ---
(In reply to Katrin Fischer from comment #2)
> Ok, not totally sure if I understand this approach right, but I talked some
> to Robin this morning
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=19121
--- Comment #3 from Marcel de Rooy ---
Or only pragmatically remove .. constructions from parameters
now with Koha::CGI?
--
You are receiving this mail because:
You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=19121
--- Comment #2 from Katrin Fischer ---
Ok, not totally sure if I understand this approach right, but I talked some to
Robin this morning while I was working on the XSS patches and from what I
understand
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=19121
Katrin Fischer changed:
What|Removed |Added
CC|
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=19121
Jonathan Druart changed:
What|Removed |Added
Status|ASSIGNED
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=19121
--- Comment #1 from Jonathan Druart ---
Created attachment 66045 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=66045&action=edit
Bug 19121: [PoC] Prevent XSS - Escape variables