MrDys / blacklight

Blacklight Plugin
http://projectblacklight.org/

MARC view needs to escape HTML #487

Closed MrDys closed 12 years ago

MrDys commented 12 years ago

CODEBASE-302: The MARC view ("Librarian View") passes exact text found in the MARC record without escaping for HTML; if the MARC values include angle-brackets, they will be rendered as literals, which is inappropriate.

(Theoretically, this could be a security problem leaving things open to a kind of 'injection attack', if an attacker were able to get his stuff into a MARC record that was then indexed! That doesn't seem like such a realistic/feasible attack, but still should be fixed.)
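As an added illustration (not Blacklight's own view code, and not what commit e5d841a changed), here is a minimal Ruby rendering of one Librarian View row in both forms: the raw interpolation the report describes, and the same row with every record-derived string passed through the standard-library `ERB::Util.html_escape` (the same escaping Rails' `h` helper performs), plus a check a view test could use to catch record text surviving as markup. The record structure and field values are constructed.

```ruby
require 'erb'

# Constructed record in the shape a MARC "Librarian View" iterates over
# (tag, indicators, subfield code/value pairs). The 245 values deliberately
# contain angle brackets, an ampersand and quotes; they are made up.
SAMPLE_FIELDS = [
  { tag: '245', ind1: '1', ind2: '0',
    subfields: [['a', 'Title with <b>markup</b> & "quotes"'], ['c', 'by <i>someone</i>']] },
  { tag: '650', ind1: ' ', ind2: '0', subfields: [['a', 'Cataloging']] }
].freeze

# The behaviour the report describes: record text is interpolated into the
# HTML as-is, so brackets in a MARC value become live tags in the page.
def render_field_unescaped(field)
  subs = field[:subfields].map { |code, value| "<span class=\"subfield\">|#{code} #{value}</span>" }
  "<tr><td class=\"tag\">#{field[:tag]}</td>" \
    "<td class=\"ind\">#{field[:ind1]}#{field[:ind2]}</td>" \
    "<td class=\"value\">#{subs.join(' ')}</td></tr>"
end

# Hardened form: every string that came from the record (tag, indicators,
# subfield codes and values alike) goes through html_escape before it is
# placed in the template. Nothing from the record is trusted to be inert.
def render_field_escaped(field)
  h = ->(s) { ERB::Util.html_escape(s.to_s) }
  subs = field[:subfields].map { |code, value| "<span class=\"subfield\">|#{h.(code)} #{h.(value)}</span>" }
  "<tr><td class=\"tag\">#{h.(field[:tag])}</td>" \
    "<td class=\"ind\">#{h.(field[:ind1])}#{h.(field[:ind2])}</td>" \
    "<td class=\"value\">#{subs.join(' ')}</td></tr>"
end

def render_table(fields, escape: true)
  rows = fields.map { |f| escape ? render_field_escaped(f) : render_field_unescaped(f) }
  "<table class=\"marc-view\">#{rows.join}</table>"
end

# Regression check for a view test: remove the template's own tags and see
# whether any '<' or '>' is left. Correctly escaped record text contributes
# only &lt; / &gt; entities, so anything remaining leaked from the record.
TEMPLATE_TAG = %r{</?(table|tr|td|span)(\s[^>]*)?>}
def leaks_raw_markup?(html)
  html.gsub(TEMPLATE_TAG, '').match?(/[<>]/)
end

if __FILE__ == $PROGRAM_NAME
  puts render_table(SAMPLE_FIELDS, escape: false) # brackets survive: leaks
  puts render_table(SAMPLE_FIELDS)                # entities only: safe
end
```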

MrDys commented 12 years ago

Original reporter: jrochkind

MrDys commented 12 years ago

jrochkind: commit e5d841a