[Koha-bugs] [Bug 13618] Prevent XSS in the Staff Client and the OPAC

bugzilla-daemon at bugs.koha-community.org
Thu Aug 9 22:38:30 CEST 2018


https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=13618

Jonathan Druart <jonathan.druart at bugs.koha-community.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|Failed QA                   |Needs Signoff

--- Comment #222 from Jonathan Druart <jonathan.druart at bugs.koha-community.org> ---
(In reply to Owen Leonard from comment #221)
> I did what I hope was a fairly thorough test of the staff client and found
> these issues:
> 
> - IntranetCirculationHomeHTML displays HTML tags as text

Done, specific patch for this pref.

> - Patron title include showing HTML:  <span
> class="patron-title">Mr</span>

Done, see specific patch.

> - Patron details -> Holds tab: Alerts data from the branches table

Done, that was tricky and a part I forgot: we need to escape data using JS, see
String.prototype.escapeHtml

> - Search results page layout is broken. Looks like page-numbers.inc has a
> section missing.

Oops, wrong merge conflict resolution.

> - Crazy encoding of action buttons on Lists page
> - Incorrectly escaped HTML in Notices & slips list

Both fixed now.

> - Label batch list title encoding wrong
> - Spine label print shows HTML

Fixed but follow-ups needed (TODO LATER)

> - Administration -> Libraries: Alerts data from the branches table

It comes from opac_info, which can contain HTML characters.
See admin/branches.tt: library.opac_info is not escaped (" | $raw")

> - Administration -> Item types: Alerts data from the items table

Same as before for itemtype.checkinmsg. I have added a patch for the missing
$raw filter to make it explicit.

> - Item searching broken: "Unsupported format html at
> /home/vagrant/kohaclone/catalogue/itemsearch.pl line 42."

Done, that was a hard one!

-- 
You are receiving this mail because:
You are watching all bug changes.
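An added illustration (not Koha's own code, nor taken from the patches discussed above) of the JS-side escaping the comment refers to: a String.prototype.escapeHtml helper and a small builder for a holds-tab alert that escapes the plain-text branchname while leaving opac_info unescaped, since the comment notes that field is intended to carry HTML. The branch record is constructed for the example; the function names are assumptions.

```javascript
// Minimal HTML escaper, attached to String.prototype as the comment suggests.
// This is an illustrative implementation, not Koha's.
const HTML_ESCAPES = {
  "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;",
};

if (!String.prototype.escapeHtml) {
  String.prototype.escapeHtml = function () {
    return String(this).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
  };
}

// Constructed sample row from the branches table. branchname is plain text
// that must be displayed literally; opac_info is the field the comment says
// legitimately contains HTML (rendered with "| $raw" in the template).
const SAMPLE_BRANCH = {
  branchcode: "CPL",
  branchname: "Centerville <i>Main</i> & Annex",
  opac_info: "<p>Open <b>9-5</b></p>",
};

// Unsafe pattern: database values interpolated straight into markup, which is
// how a branch name containing tags ends up interpreted by the browser.
function buildAlertUnescaped(branch) {
  return `<span class="branch">${branch.branchname}</span>${branch.opac_info}`;
}

// Safe pattern: every value meant as text goes through escapeHtml(); only the
// field that is deliberately HTML (opac_info) is passed through unescaped.
function buildAlertEscaped(branch) {
  return `<span class="branch">${branch.branchname.escapeHtml()}</span>${branch.opac_info}`;
}

// Simple check a reviewer can run over generated markup: the escaped text
// portion must not contain a raw "<" or "&" that did not come from an entity.
function textPortionIsEscaped(html) {
  const m = html.match(/<span class="branch">(.*?)<\/span>/);
  if (!m) return false;
  return !/[<>]/.test(m[1]) && !/&(?!(amp|lt|gt|quot|#39);)/.test(m[1]);
}
```

Rendering through textContent or a DOM API instead of string concatenation avoids the problem entirely; the escaper is for the places where markup is still assembled as a string.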