[Bug 196] user input not checked for HTML tags
http://bugs.koha.org/cgi-bin/bugzilla/show_bug.cgi?id=196 paul.poulain@free.fr changed: What |Removed |Added ---------------------------------------------------------------------------- Status|NEW |RESOLVED Resolution| |LATER ------- Additional Comments From paul.poulain@free.fr 2003-04-24 03:05 ------- The solution is to parse all templates and add "ESCAPE='HTML'" everywhere : CC of the HTML::Template doc : <TMPL_VAR NAME="PARAMETER_NAME"> The <TMPL_VAR> tag is very simple. For each <TMPL_VAR> tag in the template you call $template->param(PARAMETER_NAME => ``VALUE''). When the template is output the <TMPL_VAR> is replaced with the VALUE text you specified. If you don't set a parameter it just gets skipped in the output. Optionally you can use the ``ESCAPE=HTML'' option in the tag to indicate that you want the value to be HTML-escaped before being returned from output (the old ESCAPE=1 syntax is still supported). This means that the ``, <, >, and & characters get translated into ", <, > and & respectively. This is useful when you want to use a TMPL_VAR in a context where those characters would cause trouble. Example: <input name=param type=text value="<TMPL_VAR NAME="PARAM">"> If you called param() with a value like sam``my you'll get in trouble with HTML's idea of a double-quote. On the other hand, if you use ESCAPE=HTML, like this: <input name=param type=text value="<TMPL_VAR ESCAPE=HTML NAME="PARAM">"> You'll get what you wanted no matter what value happens to be passed in for param. You can also write ESCAPE=``HTML'', ESCAPE='HTML' and ESCAPE='1'. Substitute a 0 for the HTML and you turn off escaping, which is the default anyway. There is also the ``ESCAPE=URL'' option which may be used for VARs that populate a URL. It will do URL escaping, like replacing ' ' with '+' and '/' with '%2F'. ------- You are receiving this mail because: ------- You are the QA contact for the bug, or are watching the QA contact.
participants (1)
-
bugzilla-daemon@wilbur.katipo.co.nz