[Koha-bugs] [Bug 13618] Prevent XSS in the Staff Client and the OPAC

bugzilla-daemon at bugs.koha-community.org bugzilla-daemon at bugs.koha-community.org
Wed Jan 6 20:47:03 CET 2016


http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=13618

Katrin Fischer <katrin.fischer at bsz-bw.de> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|Signed Off                  |Failed QA

--- Comment #102 from Katrin Fischer <katrin.fischer at bsz-bw.de> ---
Hi Jonathan,

as promised, started testing this. I checked out your branch, without rebasing
it to current master.

I had to install 2 dependencies via cpanm:
  sudo cpanm Template::Stash::HTML::Entities
  sudo cpanm Template::Stash::AutoEscaping

We need to make sure those can be packaged!

Some glitches I found:
Prio 1:
 - HTML printer slips are broken
   To test: Patron account > print quick slip
Others:
 - Patron account in staff > notices tab > HTML notices
   To test: use an HTML version of a check-in or check-out notice
 - System preferences containing HTML tags display them
   To test: search for 'note' in system preferences
 - Staff > detail page > MARC view > Items tab >   displays in URL column
   To test: Add a 952$u to one of multiple items

Some I am not totally sure about, but there is a change in behaviour to before:
 - HTML tags in restriction/debarment comments
 - HTML tags in messages in the patron account ('new message' link)

Stopping my testing for now.

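The regressions listed above (slips and HTML notices rendering as literal tags) are the expected side effect of a stash that escapes every interpolated value: trusted, librarian-authored HTML has to be marked as raw explicitly, or it is escaped like any patron-supplied string. The following is an added example, not code from the bug report or from Koha; it uses Template::Stash::AutoEscaping as the comment describes and assumes the module's documented `$raw` filter for opting a value out of escaping. The sample values are constructed.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Template;
use Template::Stash::AutoEscaping;

# Constructed sample data:
#  - patron_note is attacker-controllable input and must always be escaped
#  - slip_html is a notice/slip body written by staff and meant to render as HTML
my $vars = {
    patron_note => q{<script>alert('xss')</script>},
    slip_html   => q{<h1>Quick slip</h1><p>Items due today: 2</p>},
};

# Swap the default stash for the auto-escaping one: from here on every
# [% var %] is HTML-escaped unless the template passes it through $raw.
my $tt = Template->new({
    STASH => Template::Stash::AutoEscaping->new,
}) or die Template->error;

# Three cases side by side:
#  1. untrusted value, escaped automatically (the XSS fix working)
#  2. trusted HTML without $raw, tags come out escaped (the "broken slip" symptom)
#  3. trusted HTML with $raw, rendered as intended
my $template = <<'TT';
1. Patron note (escaped):      [% patron_note %]
2. Slip without $raw (broken): [% slip_html %]
3. Slip with $raw (intended):  [% slip_html | $raw %]
TT

my $out;
$tt->process(\$template, $vars, \$out) or die $tt->error;
print $out;
```

Running it shows the `<script>` element in case 1 turned into entity-encoded text, case 2 showing the slip's `<h1>` and `<p>` as visible tags, and case 3 rendering the slip markup untouched. The security-relevant decision is therefore not whether to escape but which variables are trusted enough for `$raw`; each place QA found broken (slips, HTML notices, system preferences that hold markup) is a candidate for that explicit exception, and anything that can carry patron or record data is not.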