]> git.koha-community.org Git - koha.git/commit
Bug 3652: close XSS vulnerabilities in opac-export
authorJared Camins-Esakov <jcamins@cpbibliography.com>
Mon, 15 Oct 2012 15:58:30 +0000 (11:58 -0400)
committerPaul Poulain <paul.poulain@biblibre.com>
Wed, 24 Oct 2012 13:40:18 +0000 (15:40 +0200)
commit35b6a5ea116f8cafc92c31b0879dccb1cbe23a6b
tree037810fa0a98662c1541db2b6dcc1ca1cf3fe247
parent70f2b4bd0aeb1c09e988595df7da27279659f56d
Bug 3652: close XSS vulnerabilities in opac-export

The opac-export.pl script had a number of XSS vulnerabilities relating
to its error handling.

To test:
1) Go to /cgi-bin/koha/opac-export.pl?op=export&bib=2&format=<h2>evil</h2>
   (substituting a valid biblionumber for the '2')
2) Notice that "evil" is rendered as an h2 heading.
3) Apply patch.
4) Notice that you now see the h2 tags, and they are not rendered by
   the browser.

Signed-off-by: Chris Cormack <chrisc@catalyst.net.nz>
Signed-off-by: Paul Poulain <paul.poulain@biblibre.com>
opac/opac-export.pl