[Koha-bugs] [Bug 13618] Prevent XSS in the Staff Client and the OPAC

bugzilla-daemon at bugs.koha-community.org bugzilla-daemon at bugs.koha-community.org
Tue Sep 1 09:57:30 CEST 2015


http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=13618

--- Comment #73 from Jonathan Druart <jonathan.druart at bugs.koha-community.org> ---
(In reply to Joonas Kylmälä from comment #68)
> (In reply to Jonathan Druart from comment #28)
> > Created attachment 41347 [details] [review]
> > Bug 13618: Remove html filters at the OPAC
> > 
> > This patch removes the html filters at the OPAC, if necessary.
> > 
> > Generated with:
> >   perl -p -i -e 's/\ ?\|\ ?html(\ ?)%/\1%/g' **/*.tt **/*.inc
> 
> @@ -85,7 +85,7 @@
>                                  [% END %]
>                              ).
>                          [% END %]
> -                        <a href="[% OPACBaseURL
> %]/cgi-bin/koha/opac-search.pl?[% query_cgi | url %][% limit_cgi |html | url
> %]&count=[% countrss |html %]&sort_by=acqdate_dsc&forma~
> +                        <a href="[% OPACBaseURL
> %]/cgi-bin/koha/opac-search.pl?[% query_cgi | url %][% limit_cgi |html | url
> %]&count=[% countrss %]&sort_by=acqdate_dsc&format=rss2~
>                      [% END # / IF total %]
>                      </p>
>                  [% END # / IF searchdesc %]
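Review bot: the `[% limit_cgi |html | url %]` directive in the `+` line keeps its `html` filter while `countrss` on the same line loses it; the generating one-liner only matches an `html` filter that sits directly before the closing `%`, so a chained `|html | url` is never touched and has to be fixed by hand. Inside this href the chain double-encodes: `html` turns `&` into `&amp;`, and `url` then encodes that to `%26amp%3B`, corrupting the query string. Since `url` already escapes every character that could break out of the attribute, `[% limit_cgi | url %]` alone would match the treatment of `query_cgi` earlier in the same line.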
> 
> Shouldn't that one also be removed?

I don't think so, I think I have tested them.

(In reply to Joonas Kylmälä from comment #71)
> Why not have also raw SCOUserCSS if we let the user have OPACUserCSS as raw?

Done in another patch.

(In reply to Joonas Kylmälä from comment #72)
> The front page on the Staff side doesn't render html under News->What's Next.

New patch pushed to the remote branch.
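The one-liner quoted in the attachment description above, re-implemented in Python as an added example (not code from the Koha project or this thread) to show which `html` filters it strips and which it leaves behind; the sample template lines are constructed in the style of the quoted hunk.

```python
import re

# Python port of the regex from the quoted one-liner:
#   perl -p -i -e 's/\ ?\|\ ?html(\ ?)%/\1%/g' **/*.tt **/*.inc
# It only matches an "html" filter that is directly followed by the closing
# "%", so a filter chain such as "|html | url" is not rewritten.
HTML_FILTER_RE = re.compile(r' ?\| ?html( ?)%')


def strip_html_filters(template_source: str) -> str:
    """Remove trailing `| html` filters from TT directives, as the one-liner does."""
    return HTML_FILTER_RE.sub(r'\1%', template_source)


def remaining_html_filters(template_source: str) -> list:
    """Return the directives that still carry an `html` filter after the rewrite."""
    return re.findall(r'\[%[^%]*\|\s*html\b[^%]*%\]',
                      strip_html_filters(template_source))


# Constructed sample lines modelled on the quoted hunk (not real Koha templates).
SAMPLE = (
    '&count=[% countrss |html %]&sort_by=acqdate_dsc\n'
    '?[% query_cgi | url %][% limit_cgi |html | url %]\n'
    '<p>[% searchdesc | html %]</p>\n'
)

if __name__ == "__main__":
    print(strip_html_filters(SAMPLE))
    # The chained filter on limit_cgi is the only one the regex leaves in place.
    print(remaining_html_filters(SAMPLE))
```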
