]> git.koha-community.org Git - koha.git/commit
Bug 3652: close XSS vulnerabilities in opac-export
authorJared Camins-Esakov <jcamins@cpbibliography.com>
Mon, 15 Oct 2012 15:58:30 +0000 (11:58 -0400)
committerChris Cormack <chrisc@catalyst.net.nz>
Mon, 22 Oct 2012 04:02:25 +0000 (17:02 +1300)
commitc69a364e4b1ceb34ba837bc4441a95db89491e7c
tree091ff256d004a992fa150189d4972de3d2d37fa6
parent94d3e6e713a6550004ead6f95953586ab814f982
Bug 3652: close XSS vulnerabilities in opac-export

The opac-export.pl script had a number of XSS vulnerabilities relating
to its error handling.

To test:
1) Go to /cgi-bin/koha/opac-export.pl?op=export&bib=2&format=<h2>evil</h2>
   (substituting a valid biblionumber for the '2')
2) Notice that "evil" is rendered as an h2 heading.
3) Apply patch.
4) Notice that you now see the h2 tags, and they are not rendered by
   the browser.

Signed-off-by: Chris Cormack <chrisc@catalyst.net.nz>
opac/opac-export.pl