[Bug 13618] Prevent XSS in the Staff Client and the OPAC
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=13618 Jonathan Druart <jonathan.druart@bugs.koha-community.org> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|Failed QA |Needs Signoff --- Comment #222 from Jonathan Druart <jonathan.druart@bugs.koha-community.org> --- (In reply to Owen Leonard from comment #221)
I did what I hope was a fairly thorough test of the staff client and found these issues:
- IntranetCirculationHomeHTML displays HTML tags as text
Done, specific patch for this pref.
- Patron title include showing HTML: <span class="patron-title">Mr</span>
Done, see specific patch.
- Patron details -> Holds tab: Alerts data from the branches table
Done, that was tricky and a part I forgot, we need to escape data using JS, see String.prototype.escapeHtml
- Search results page layout is broken. Looks like page-numbers.inc has a section missing.
Ooops, wrong merge conflict resolution.
- Crazy encoding of action buttons on Lists page - Incorrectly escaped HTML in Notices & slips list
Both fixed now.
- Label batch list title encoding wrong - Spine label print shows HTML
Fixed but follow-ups needed (TODO LATER)
- Administration -> Libraries: Alerts data from the branches table
It comes from opac_info, which can contain html characters. See admin/branches.tt: library.opac_info is not escaped (" | $raw")
- Administration -> Item types: Alerts data from the items table
Same as before for itemtype.checkinmsg. I have added a patch for the missing $raw filter to make it explicit.
- Item searching broken: "Unsupported format html at /home/vagrant/kohaclone/catalogue/itemsearch.pl line 42."
Done, that was a hard one! -- You are receiving this mail because: You are watching all bug changes.
participants (1)
-
bugzilla-daemon@bugs.koha-community.org