[Koha-bugs] [Bug 13618] Prevent XSS in the Staff Client and the OPAC
bugzilla-daemon at bugs.koha-community.org
Wed Jan 6 20:47:03 CET 2016
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=13618
Katrin Fischer <katrin.fischer at bsz-bw.de> changed:
What        |Removed     |Added
----------------------------------------------------------------------------
Status      |Signed Off  |Failed QA
--- Comment #102 from Katrin Fischer <katrin.fischer at bsz-bw.de> ---
Hi Jonathan,
As promised, I started testing this. I checked out your branch, without
rebasing it to current master.
I had to install 2 dependencies via cpanm:
sudo cpanm Template::Stash::HTML::Entities
sudo cpanm Template::Stash::AutoEscaping
We need to make sure those can be packaged!
Some glitches I found:
Prio 1:
- HTML printer slips are broken
To test: Patron account > print quick slip
Others:
- Patron account in staff > notices tab > HTML notices
To test: use an HTML version of a check-in or check-out notice
- System preferences containing HTML tags display them
To test: search for 'note' in system preferences
- Staff > detail page > MARC view > Items tab > displays in URL column
To test: Add a 952$u to one of multiple items
Some I am not totally sure about, but there is a change in behaviour compared to before:
- HTML tags in restriction/debarment comments
- HTML tags in messages in the patron account ('new message' link)
Stopping my testing for now.
--
You are receiving this mail because:
You are watching all bug changes.
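The regressions listed above (HTML slips and HTML notices rendering as literal tags) are the expected side effect of switching Template Toolkit to an auto-escaping stash: every interpolated variable is HTML-escaped unless the template opts out. The following is an added illustration, not code from the bug or from Koha, using the Template::Stash::AutoEscaping module the comment installs; it assumes that module's `$raw` filter for trusted HTML, and the sample note and slip strings are constructed.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Template;
use Template::Stash::AutoEscaping;

# Constructed sample data: a patron note carrying an injected script
# (untrusted input) and a quick-slip body that is genuinely meant to be
# rendered as HTML (trusted, staff-authored content).
my $vars = {
    patron_note => '<script>alert(1)</script>',
    slip_html   => '<h3>Quick slip</h3><p>Due: 2016-01-20</p>',
};

# Replace the default stash with the auto-escaping one: from here on,
# [% var %] is HTML-escaped before it reaches the output.
my $tt = Template->new( STASH => Template::Stash::AutoEscaping->new );

my $template = <<'EOT';
Patron note (escaped, script is neutralised):
[% patron_note %]

Quick slip, plain interpolation (this is the reported breakage,
the slip HTML arrives as literal &lt;h3&gt; text):
[% slip_html %]

Quick slip, explicitly marked as trusted HTML with the $raw filter
(assumption: this is the opt-out the module provides):
[% slip_html | $raw %]
EOT

$tt->process( \$template, $vars, \my $out ) or die $tt->error;
print $out;
```

Every place the comment lists (slips, HTML notices, system preferences with tags, 952$u URLs) is a template variable that needs a deliberate `$raw` decision rather than relying on the old unescaped default.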