https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=25339

--- Comment #7 from David Cook <dc...@prosentient.com.au> ---
(In reply to Jonathan Druart from comment #6)
> Why did you pick those 2 scripts? And why only biblionumber?
> 

Wise questions. They were flagged by a security consultant, so I fixed them
locally, and posted the patches here to be upstreamed.

> If you want to fix this problem (it is not really an issue imo), you should
> do it all over the place, where we retrieve a variable that is supposed to
> be an id and we send it back to the template. I am pretty sure there are
> others.
> 

As you say, it's not really a (critical) issue, as we've got the XSS risk
handled by the templates. Imho, it's just a bit embarrassing that we don't
validate the data more - but not problematic per se. 

That said, I don't see an issue with patching it in some places and not all
places. (After all, previous efforts by Jared seem to have only patched it in
some places and not all places.)

I agree that there are certainly other places where this happens too. 

> That being said, I don't see biblionumber passed to the template from
> opac-review.pl.

Good catch! The reason is actually rather amusing. It appears Bug 25340 (a bug
I reported the same day as this one but Owen fixed) removed the biblionumber
issue from opac-review.pl as well.

_______________________________________________
Koha-bugs mailing list
Koha-bugs@lists.koha-community.org
https://lists.koha-community.org/cgi-bin/mailman/listinfo/koha-bugs
website : http://www.koha-community.org/
git : http://git.koha-community.org/
bugs : http://bugs.koha-community.org/

Reply via email to
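The fix the thread describes, validating an id-like CGI parameter before it is echoed back to the template, as an added example in Perl. This is illustrative code written for this page, not a patch from the bug report or Koha's own code; the parameter list, the `clean_id_params` helper and the 400 error path are assumptions, and Koha's Template Toolkit escaping is still expected to be the second layer.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Parameters that must be integer ids (illustrative list, not Koha's full set).
my %ID_PARAMS = map { $_ => 1 } qw(biblionumber borrowernumber itemnumber);

# Accept only a positive integer of reasonable length; anything else is rejected.
# \A and \z are used instead of ^ and $ so a trailing newline cannot slip through.
sub validate_id {
    my ($value) = @_;
    return undef unless defined $value;
    return $value =~ /\A[1-9][0-9]{0,9}\z/ ? $value + 0 : undef;
}

# Validate every id-like parameter in one place, so each script does not
# need its own ad hoc check. Returns (\%clean, \@rejected).
sub clean_id_params {
    my ($params) = @_;
    my (%clean, @rejected);
    for my $name (sort keys %$params) {
        if ($ID_PARAMS{$name}) {
            my $id = validate_id($params->{$name});
            if (defined $id) { $clean{$name} = $id }
            else             { push @rejected, $name }
        }
        else {
            $clean{$name} = $params->{$name};   # non-id values: template escaping applies
        }
    }
    return (\%clean, \@rejected);
}

# Constructed request standing in for the parameters an OPAC script receives.
my %request = (biblionumber => '12<b>', borrowernumber => '42', title => 'demo');
my ($clean, $rejected) = clean_id_params(\%request);

if (@$rejected) {
    # Hypothetical error path: refuse the request instead of echoing bad input.
    print "Status: 400 Bad Request\n\n";
    print "Invalid id parameter(s): @$rejected\n";
}
else {
    # Only validated integers reach the template variables from here.
    print "Content-Type: text/plain\n\n";
    printf "%s=%s\n", $_, $clean->{$_} for sort keys %$clean;
}
```

With the constructed input above the script takes the error path because `biblionumber` is not an integer; change it to `'12'` to see the clean values printed.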