[Koha-bugs] [Bug 13618] Prevent XSS in the Staff Client and the OPAC
bugzilla-daemon at bugs.koha-community.org
Tue Feb 7 16:49:43 CET 2017
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=13618
Jonathan Druart <jonathan.druart at bugs.koha-community.org> changed:
What                          |Removed |Added
----------------------------------------------------------------------------
Attachment #47425 is obsolete |0       |1
Attachment #47426 is obsolete |0       |1
Attachment #47427 is obsolete |0       |1
Attachment #47428 is obsolete |0       |1
Attachment #47429 is obsolete |0       |1
Attachment #47430 is obsolete |0       |1
Attachment #47431 is obsolete |0       |1
Attachment #47432 is obsolete |0       |1
Attachment #47433 is obsolete |0       |1
Attachment #47434 is obsolete |0       |1
Attachment #47435 is obsolete |0       |1
Attachment #47436 is obsolete |0       |1
Attachment #47437 is obsolete |0       |1
Attachment #47438 is obsolete |0       |1
Attachment #47439 is obsolete |0       |1
Attachment #47440 is obsolete |0       |1
Attachment #47441 is obsolete |0       |1
Attachment #47442 is obsolete |0       |1
Attachment #47443 is obsolete |0       |1
Attachment #47444 is obsolete |0       |1
Attachment #47445 is obsolete |0       |1
Attachment #47446 is obsolete |0       |1
Attachment #47447 is obsolete |0       |1
Attachment #47448 is obsolete |0       |1
Attachment #47449 is obsolete |0       |1
Attachment #47450 is obsolete |0       |1
Attachment #47451 is obsolete |0       |1
Attachment #47452 is obsolete |0       |1
--- Comment #213 from Jonathan Druart <jonathan.druart at bugs.koha-community.org> ---
Created attachment 59983
--> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=59983&action=edit
Bug 13618: Use Template::Stash::AutoEscaping to use the html filter
Test plan:
0/ sudo cpanm Template::Stash::AutoEscaping
1/ Verify that you can't reproduce the XSS issue described on bug 13609 and the
other XSS-related bugs.
2/ Try to find some encoding issues (detail page, search results,
facets, etc.)
Signed-off-by: Joonas Kylmälä <j.kylmala at gmail.com>
Signed-off-by: Bernardo Gonzalez Kriegel <bgkriegel at gmail.com>
Bug 13618: Remove html filters at the OPAC
This patch removes the html filters at the OPAC, if necessary.
Generated with:
perl -p -i -e 's/\ ?\|\ ?html(\ ?)%/\1%/g' **/*.tt **/*.inc
Signed-off-by: Joonas Kylmälä <j.kylmala at gmail.com>
Signed-off-by: Bernardo Gonzalez Kriegel <bgkriegel at gmail.com>
Bug 13618: Specific places where we don't need to escape variables
There is no need to escape the html generated by the XSLT.
Signed-off-by: Joonas Kylmälä <j.kylmala at gmail.com>
Signed-off-by: Bernardo Gonzalez Kriegel <bgkriegel at gmail.com>
Bug 13618: Remove html filters at the intranet
Signed-off-by: Joonas Kylmälä <j.kylmala at gmail.com>
Signed-off-by: Bernardo Gonzalez Kriegel <bgkriegel at gmail.com>
Bug 13618: Specific places where we don't need to escape variables - intra
Signed-off-by: Joonas Kylmälä <j.kylmala at gmail.com>
Signed-off-by: Bernardo Gonzalez Kriegel <bgkriegel at gmail.com>
Bug 13618: Specific for pagination_bar
Signed-off-by: Joonas Kylmälä <j.kylmala at gmail.com>
Signed-off-by: Bernardo Gonzalez Kriegel <bgkriegel at gmail.com>
Bug 13618: Specific for the ISBD view
Signed-off-by: Joonas Kylmälä <j.kylmala at gmail.com>
Signed-off-by: Bernardo Gonzalez Kriegel <bgkriegel at gmail.com>
Bug 13618: Fix error 'Not a GLOB reference'
The interpolation of a variable on including a file caused an unexpected
error:
Template process failed: undef error - Not a GLOB reference at
/usr/lib/i386-linux-gnu/perl5/5.20/Template/Provider.pm line 619.
The easier fix is to replace it with a SWITCH.
Signed-off-by: Joonas Kylmälä <j.kylmala at gmail.com>
Signed-off-by: Bernardo Gonzalez Kriegel <bgkriegel at gmail.com>
Bug 13618: Specific for IntranetUser* and OPACUser* prefs
Signed-off-by: Joonas Kylmälä <j.kylmala at gmail.com>
Signed-off-by: Bernardo Gonzalez Kriegel <bgkriegel at gmail.com>
Bug 13618: Specific for ColumnsSettings
Signed-off-by: Joonas Kylmälä <j.kylmala at gmail.com>
Signed-off-by: Bernardo Gonzalez Kriegel <bgkriegel at gmail.com>
Bug 13618 - memberentrygen.tt errors Not a GLOB reference
Like Jonathan said:
The interpolation of a variable on including a file caused an unexpected
error:
Template process failed: undef error - Not a GLOB reference at
/usr/lib/i386-linux-gnu/perl5/5.20/Template/Provider.pm line 619.
Replaced it with a SWITCH, like the other patch for this similar error.
Signed-off-by: Joonas Kylmälä <j.kylmala at gmail.com>
Signed-off-by: Bernardo Gonzalez Kriegel <bgkriegel at gmail.com>
Bug 13618: Specific for other prefs
opacmainuserblock
opacnav
opacnavright
opaccredits
opacheader
opaccustomsearch
opacmysummaryhtml
opacmysummarynote
opacnavbottom
opacnoresultsfound
opacresultssidebar
opacsearchfortitlein
restrictedpagecontent
PatronSelfRegistrationAdditionalInstructions
intranetmainuserblock
intranetnav
intranetslipprinterjs
OpacSuppressionMessage
SCOUserCSS
SCOUserJS
SelfCheckHelpMessage
NoLoginInstructions
Signed-off-by: Joonas Kylmälä <j.kylmala at gmail.com>
Signed-off-by: Bernardo Gonzalez Kriegel <bgkriegel at gmail.com>
Bug 13618: Specific for Salutation on editing a patron
Signed-off-by: Joonas Kylmälä <j.kylmala at gmail.com>
Signed-off-by: Bernardo Gonzalez Kriegel <bgkriegel at gmail.com>
Bug 13618: Specific for XSLTBloc
Signed-off-by: Joonas Kylmälä <j.kylmala at gmail.com>
Signed-off-by: Bernardo Gonzalez Kriegel <bgkriegel at gmail.com>
Bug 13618: Fix escape on sending baskets or shelves by email
Test plan:
Send baskets and shelves by email.
With or without this patch, you should not see any changes.
Signed-off-by: Joonas Kylmälä <j.kylmala at gmail.com>
Signed-off-by: Bernardo Gonzalez Kriegel <bgkriegel at gmail.com>
Bug 13618: Fix for news
Signed-off-by: Joonas Kylmälä <j.kylmala at gmail.com>
Signed-off-by: Bernardo Gonzalez Kriegel <bgkriegel at gmail.com>
Bug 13618: Fix last occurrences recently introduced to master
Signed-off-by: Bernardo Gonzalez Kriegel <bgkriegel at gmail.com>
Bug 13618: followup to remove tabs
Signed-off-by: Bernardo Gonzalez Kriegel <bgkriegel at gmail.com>
This follow-up is on top of the remote branch.
It only removes tabs and trailing spaces to make koha-qa pass.
Bug 13618: Fix for edit biblios and items
On editing biblios or items, the marc_lib, marc_value and javascript
values are often populated with html code which needs to be displayed
raw.
Signed-off-by: Bernardo Gonzalez Kriegel <bgkriegel at gmail.com>
Bug 13618: (follow-up) Specific for ColumnsSettings
Signed-off-by: Bernardo Gonzalez Kriegel <bgkriegel at gmail.com>
Bug 13618: (follow-up) add missing lines for opac-shelves
Proposed patch to fix opac-shelves
Signed-off-by: Jonathan Druart <jonathan.druart at bugs.koha-community.org>
Bug 13618: Remove html filters for newly pushed code
Bug 13618: Fix for system preference description
If a syspref description contains html tags, do not display them.
Bug 13618: Do not display any html tags in item fields content
Note that there might be other occurrences to fix!
Bug 13618: Do not display html tags in patron's notices
Bug 13618: Fix for debarredcomment and patron messages
At the OPAC and intranet.
Bug 13618: (follow-up) Specific for other prefs
follow-up for SlipCSS and printslip
--
You are receiving this mail because:
You are watching all bug changes.
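Added example (editor's illustration, not Koha code and not the Template::Stash::AutoEscaping module). The patch series above moves escaping out of the templates (removing the per-variable "| html" filters) and into the stash, then exempts the places that legitimately carry HTML (XSLT output, the admin-edited sysprefs listed in the "Specific for other prefs" patch). The script below reimplements that mechanism in a few lines on top of plain Template Toolkit so the effect can be seen offline: AutoEscapeStash wraps every scalar it returns in an EscapedHTML object, an ignore_escape list exempts named variables, and a TrustedHTML marker lets application code vouch for a value. The CPAN module is plugged in the same way, through Template's STASH option; the class names, the option name, the template and the sample values here are all constructed for this example.

```perl
#!/usr/bin/perl
# Editor's example: minimal stash-level auto-escaping for Template Toolkit.
# Not Koha code and not the Template::Stash::AutoEscaping module; every
# name and sample value below is constructed for the demonstration.
use strict;
use warnings;
use Template;

# Marker for HTML the application vouches for (XSLT output, admin sysprefs).
# The stash below leaves any blessed reference alone, so this is rendered verbatim.
package TrustedHTML;
use overload '""' => sub { ${ $_[0] } }, fallback => 1;
sub new { my ($class, $html) = @_; return bless \$html, $class }

# What the stash hands back for every ordinary scalar: stringifies escaped,
# but stays an object so a value copied inside a template ([% x = y %])
# is not escaped a second time when it is read back.
package EscapedHTML;
our %ENTITY = ('&' => '&amp;', '<' => '&lt;', '>' => '&gt;', '"' => '&quot;', "'" => '&#39;');
use overload
    '""'     => sub { $_[0]{escaped} },
    'bool'   => sub { !!$_[0]{raw} },   # "" and "0" must stay false under [% IF %]
    fallback => 1;

sub new {
    my ($class, $raw) = @_;
    (my $escaped = $raw) =~ s/([&<>"'])/$ENTITY{$1}/g;
    return bless { raw => $raw, escaped => $escaped }, $class;
}

package AutoEscapeStash;
use parent 'Template::Stash';

sub new {
    my ($class, %args) = @_;
    # Variables named here bypass escaping: the role the per-preference
    # exemptions (opacheader, intranetnav, ...) play in the patch series.
    my $ignore = delete($args{ignore_escape}) || [];
    my $self = $class->SUPER::new(\%args);
    $self->{_ignore_escape} = { map { $_ => 1 } @$ignore };   # leading "_" keeps it private to templates
    return $self;
}

sub get {
    my ($self, $ident, @rest) = @_;
    my $value = $self->SUPER::get($ident, @rest);
    # Lists, hashes, code, TrustedHTML and already-wrapped values pass through untouched.
    return $value if ref $value || !defined $value;
    my $name = ref $ident eq 'ARRAY' ? $ident->[0] : $ident;   # TT passes 'x' or ['x', 0, 'y', 0]
    return $value if $self->{_ignore_escape}{$name};
    return EscapedHTML->new($value);
}

package main;

# Constructed sample data: one attacker-controlled field (a patron comment),
# one admin-controlled HTML preference, one trusted XSLT result, one empty value.
my $vars = {
    comment    => q{<script>alert('xss')</script>},
    opacheader => q{<h1 id="brand">My Library</h1>},
    xslt_bloc  => TrustedHTML->new(q{<div class="results"><b>Title</b></div>}),
    empty      => '',
};

# Written the way the templates look after the "| html" filters were stripped:
# no per-variable filter anywhere.
my $template = <<'TT';
<p class="comment">[% comment %]</p>
<div id="header">[% opacheader %]</div>
[% xslt_bloc %]
[% IF empty %]BUG: empty string was truthy[% ELSE %]empty stays false[% END %]
[% copy = comment %][% copy %]
TT

sub render {
    my ($stash) = @_;
    my $tt  = Template->new({ STASH => $stash }) or die Template->error;
    my $out = '';
    $tt->process(\$template, $vars, \$out) or die $tt->error;
    return $out;
}

print "--- plain Template::Stash (missing filter = stored XSS) ---\n";
print render(Template::Stash->new);
print "--- AutoEscapeStash, opacheader exempted ---\n";
print render(AutoEscapeStash->new(ignore_escape => ['opacheader']));
```

Run it with Template Toolkit installed. The first render emits the script tag verbatim, which is the pre-patch failure mode whenever a single "| html" was forgotten; the second emits `&lt;script&gt;alert(&#39;xss&#39;)&lt;/script&gt;` for the comment and for its in-template copy, while the exempted preference and the TrustedHTML value come through unchanged. Two caveats follow from the design: with escaping in the stash, any explicit "| html" left in a template now double-escapes (`&amp;lt;`), which is why the series removes those filters rather than leaving them in place, and comparisons such as `[% IF branch == 'A&B' %]` see the escaped text, the kind of encoding issue step 2 of the test plan asks testers to look for.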