https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=23873

--- Comment #1 from Nick Clemens <n...@bywatersolutions.com> ---
The issue here is that the two sides of the replacement are each passed in a
variable.

$value =~ s/$regex->{search}/$regex->{replace}/


On the right side, we don't evaluate the variable, so anything there is treated
as text. This was encountered during the callnumber split development and is
why the code there stores the full regex in a single field.

https://blog.james.rcpt.to/2010/10/25/perl-search-and-replace-using-variables/

It seems maybe we can safely do this if we allow for /ee (double encoding) in
the regex switch, then it will prevent malicious code, but allow desired code.

In the case of callnumber splitting I think we decided too that we should trust
the end user. Someone who already has access to the staff client is hopefully
someone trustworthy.

_______________________________________________
Koha-bugs mailing list
Koha-bugs@lists.koha-community.org
https://lists.koha-community.org/cgi-bin/mailman/listinfo/koha-bugs
website : http://www.koha-community.org/
git : http://git.koha-community.org/
bugs : http://bugs.koha-community.org/
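The three behaviours discussed in the comment, as an added Perl example (not Koha code); the rule in %regex and the sample call number are constructed, and the restricted expansion shown last is one possible alternative to /ee, not something the bug proposes:

```perl
#!/usr/bin/perl
# Added example, not Koha code. Shows why a replacement held in a variable is
# inserted as literal text, what /ee does with it, and a restricted expansion
# that honours $N / \N references without evaluating Perl code.
use strict;
use warnings;

# Constructed rule, same shape as in the comment: both sides live in variables.
my %regex = ( search => '^(\S+)\s+(\S+)', replace => '$2 $1' );
my $value = 'HD 1234.5 .A1';

# 1. Plain s///: the right side interpolates $regex{replace} once, so the
#    text "$2 $1" is inserted verbatim and the captures are never used.
my $plain = $value;
$plain =~ s/$regex{search}/$regex{replace}/;
print "plain : $plain\n";   # $2 $1 .A1

# 2. s///ee: the first e yields the string "$2 $1" (quotes included), the
#    second eval's that string as Perl, so the captures are expanded.
my $ee = $value;
$ee =~ s/$regex{search}/"\"$regex{replace}\""/ee;
print "ee    : $ee\n";      # 1234.5 HD .A1

# 3. The cost of /ee: the replacement is Perl, so whatever a rule author
#    writes runs. A harmless counter stands in for real code here.
my $ran  = 0;
my $rule = '$2 $1 @{[ $ran++ ]}';
my $abused = $value;
$abused =~ s/$regex{search}/"\"$rule\""/ee;
print "ran   : $ran\n";     # 1  (the code embedded in the rule executed)

# 4. Restricted expansion: /e (single e) calls a function that substitutes
#    only $1-$9 / \1-\9 from the captures it is handed; all else is literal.
sub expand_backrefs {
    my ($template, @captures) = @_;     # copied before the inner s/// runs
    $template =~ s{(?:\$|\\)([1-9])}{
        defined $captures[$1 - 1] ? $captures[$1 - 1] : ''
    }ge;
    return $template;
}
my $safe = $value;
$safe =~ s/$regex{search}/ expand_backrefs($rule, $1, $2) /e;
print "safe  : $safe\n";    # 1234.5 HD @{[ $ran++ ]} .A1  ($ran is still 1)
```

Step 4 passes `$1, $2` explicitly because the constructed rule has two groups; a general version would collect all captures from `@-`/`@+` before calling the expander.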
