[Koha-bugs] [Bug 13618] Prevent XSS in the Staff Client and the OPAC
bugzilla-daemon at bugs.koha-community.org
Thu Aug 9 22:38:30 CEST 2018
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=13618
Jonathan Druart <jonathan.druart at bugs.koha-community.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
Status|Failed QA |Needs Signoff
--- Comment #222 from Jonathan Druart <jonathan.druart at bugs.koha-community.org> ---
(In reply to Owen Leonard from comment #221)
> I did what I hope was a fairly thorough test of the staff client and found
> these issues:
>
> - IntranetCirculationHomeHTML displays HTML tags as text
Done, specific patch for this pref.
> - Patron title include showing HTML: <span
> class="patron-title">Mr</span>
Done, see specific patch.
> - Patron details -> Holds tab: Alerts data from the branches table
Done, that was tricky and a part I forgot, we need to escape data using JS, see
String.prototype.escapeHtml
> - Search results page layout is broken. Looks like page-numbers.inc has a
> section missing.
Ooops, wrong merge conflict resolution.
> - Crazy encoding of action buttons on Lists page
> - Incorrectly escaped HTML in Notices & slips list
Both fixed now.
> - Label batch list title encoding wrong
> - Spine label print shows HTML
Fixed but follow-ups needed (TODO LATER)
> - Administration -> Libraries: Alerts data from the branches table
It comes from opac_info, which can contain html characters.
See admin/branches.tt: library.opac_info is not escaped (" | $raw")
> - Administration -> Item types: Alerts data from the items table
Same as before for itemtype.checkinmsg. I have added a patch for the missing
$raw filter to make it explicit.
> - Item searching broken: "Unsupported format html at
> /home/vagrant/kohaclone/catalogue/itemsearch.pl line 42."
Done, that was a hard one!
--
You are receiving this mail because:
You are watching all bug changes.
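The comment above says the Holds tab data had to be escaped on the JavaScript side via String.prototype.escapeHtml, because template-side escaping does not help once markup is assembled in the browser. The block below is an added illustration, not Koha's own helper or code from this bug: the escapeHtml method, the HTML_ESCAPES table and the renderBranch* functions are assumed names written for this example, and SAMPLE_BRANCH is a constructed record standing in for a branches-table row, not real library data.

```javascript
// Added example, not code from the Koha project. It shows the pattern the
// comment describes: data that will be concatenated into HTML in the browser
// must be escaped at that point, regardless of what the template did earlier.

// Characters that can start or end markup, with their entity replacements.
const HTML_ESCAPES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#39;',
};

// A minimal String.prototype.escapeHtml (assumed name, in the spirit of the
// helper the comment refers to). Guarded so it does not clobber an existing one.
if (typeof String.prototype.escapeHtml !== 'function') {
  String.prototype.escapeHtml = function () {
    return String(this).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
  };
}

// Constructed sample row: a branch whose name contains markup and quotes.
// This is test data for the example, not a real Koha record.
const SAMPLE_BRANCH = {
  branchcode: 'CPL',
  branchname: 'Centerville <b>Main</b> & "Annex"',
};

// The problematic pattern: the value is interpolated verbatim, so any markup
// stored in the database becomes live markup in the page.
function renderBranchUnsafe(branch) {
  return '<option value="' + branch.branchcode + '">' +
         branch.branchname + '</option>';
}

// The corrected pattern: every data value is escaped before it is placed in
// an attribute or in element content.
function renderBranchSafe(branch) {
  return '<option value="' + branch.branchcode.escapeHtml() + '">' +
         branch.branchname.escapeHtml() + '</option>';
}

// Builds a whole <select> from a list of rows, escaping each one.
function renderBranchSelect(branches) {
  return '<select name="branchcode">' +
         branches.map(renderBranchSafe).join('') +
         '</select>';
}

// Stand-alone run: shows the two renderings side by side.
console.log('unsafe:', renderBranchUnsafe(SAMPLE_BRANCH));
console.log('safe:  ', renderBranchSafe(SAMPLE_BRANCH));
console.log('select:', renderBranchSelect([SAMPLE_BRANCH]));
```

The check to carry into review is the one used here: grep the JS for string concatenation or template literals that build HTML from server data, and confirm each interpolated value goes through the escaping helper (or that the value is inserted with textContent rather than innerHTML). The one legitimate exception mirrors the `| $raw` case in the templates: a field that is documented as holding HTML on purpose, such as opac_info, and then the exception should be explicit in the code, as the comment notes for the itemtype patch.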