#848 XSS issue in Author pages

v1.0 (example)
closed-fixed
None
5
2025-10-08
2025-10-07
No

If the URL of an Author Bibliography page contains an author's name (as opposed to an ID) and there is no matching name in the ISFDB database, the software displays an error message. The message includes the raw form of the requested author name. The name should be properly escaped in order to prevent XSS vulnerabilities.
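The sink described in the ticket, shown as an added example that is not ISFDB's own code: the "before" form interpolates the raw request value into the error message, the "after" form escapes it first. ISFDB's fix uses its own `library.XMLescape` helper, which is not available here, so the standard-library `html.escape` stands in for it (assumption: both replace the same XML special characters). The author names are constructed samples.

```python
"""Added example (not ISFDB code): why the requested author name must be
escaped before it is echoed in the 'Author not found' message.

Assumption: html.escape from the standard library behaves like ISFDB's
library.XMLescape for the characters that matter here (& < > " ').
"""
from html import escape

# Constructed samples: one request carries markup instead of a name, the
# other is a legitimate name that happens to contain an XML special character.
MARKUP_REQUEST = '<i>no such author</i>'
LEGIT_REQUEST = 'Smith & Jones'


def error_message_unescaped(author: str) -> str:
    """'Before' form: the raw request value lands in the page as-is, so a
    browser renders any tags it contains instead of showing them as text."""
    return 'Author not found: %s' % author


def error_message_escaped(author: str) -> str:
    """'After' form: escape at the sink, right where the value is interpolated.
    quote=True also covers attribute contexts (" and ')."""
    return 'Author not found: %s' % escape(author, quote=True)


def contains_raw_markup(rendered: str) -> bool:
    """Minimal check a reviewer can run over the rendered message: any
    unescaped '<' or '>' is something the browser will treat as a tag."""
    return '<' in rendered or '>' in rendered


if __name__ == '__main__':
    for name in (MARKUP_REQUEST, LEGIT_REQUEST):
        before = error_message_unescaped(name)
        after = error_message_escaped(name)
        print('unescaped:', before, '| raw markup:', contains_raw_markup(before))
        print('escaped:  ', after, '| raw markup:', contains_raw_markup(after))
```

Escaping at the sink, rather than when the value is read from the URL, keeps the database lookup working on the name the user actually typed (an ampersand in `Smith & Jones` must stay a literal ampersand for the query) while guaranteeing the page output is inert.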

Discussion

  • Ahasuerus - 2025-10-07
    • summary: XSS issue --> XSS issue in Author pages
  • Ahasuerus - 2025-10-07
    • status: open --> closed-fixed
    • assigned_to: Ahasuerus
  • Ahasuerus - 2025-10-07

    Fixed in biblio/biblio.py, installed in SVN 1231 on 2025-10-07.
  • Ahasuerus - 2025-10-08
    • Description has changed:

    Diff:

    --- old
    +++ new
    @@ -1,25 +1 @@
    -Following change is necessary to prevent an XSS issue:
    -
    -~~~
    -Index: biblio/biblio.py
    -===================================================================
    ---- biblio/biblio.py    (Revision 1230)
    -+++ biblio/biblio.py    (Arbeitskopie)
    -@@ -15,6 +15,7 @@
    
    - import traceback
    - from SQLparsing import *
    - from common import *
    -+from library import XMLescape
    - from login import *
    - from awardClass import awards
    - 
    -@@ -727,7 +728,7 @@
    -                         self.au_data = SQLgetAuthorData(author)
    - 
    -                 if not self.au_data:
    --                        SESSION.DisplayError('Author not found: %s' % author)
    -+                        SESSION.DisplayError('Author not found: %s' % XMLescape(author))
    - 
    -                 # Check if the user not logged in and is trying to change the default settings for translations
    -                 if not self.user.id and len(SESSION.parameters) > 1:
    -~~~
    +If the URL of an Author Bibliography page contains author's name (as opposed to ID) and there is no matching name in the ISFDB database, the software displays an error message. The message includes the raw form of the requested author name. The name should be properly escaped in order to prevent XSS vulnerabilities.
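    Review bot: This hunk replaces the 25-line description, including the actual patch, with a one-sentence summary, so the concrete fix (the added `from library import XMLescape` import and the change of `SESSION.DisplayError('Author not found: %s' % author)` to `SESSION.DisplayError('Author not found: %s' % XMLescape(author))`) now survives only in this history diff; the new description should at least name the revision where it landed (SVN 1231, per the comment above) so the fix stays findable. On the inner patch itself: escaping at the `DisplayError` sink, where the value is interpolated into page output, is the right place for HTML escaping, but the same request-controlled `author` is passed to `SQLgetAuthorData(author)` two lines earlier without any treatment in this diff; that path is a different sink with a different defence (query parameterisation, not XML escaping), so confirm separately that the helper handles it. Minor: the explicit `XMLescape` import is preferable to the surrounding `from ... import *` style and should be kept that way. Also, the blank line after `@@ -15,6 +15,7 @@` in the quoted patch appears to be a context line whose leading `-` was lost in transcription.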
