[Koha-bugs] [Bug 19911] Passwords displayed to user during self-registration are not HTML-encoded

bugzilla-daemon at bugs.koha-community.org
Thu Jan 4 17:34:14 CET 2018


https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=19911

--- Comment #3 from Arturo <library at sll.texas.gov> ---
Thank you for the patches, Jonathan! I've tested this out on a sandbox and it
works great! There is only one issue that I found -- the <span> tag on line 45
of opac-registration-confirmation.tt is missing a closing </span> tag. Right
now both of the tags are opening tags, so it is causing an HTML validation
error.

Despite that, I was able to complete the detailed test plan below and found no
errors. These patches work both when e-mail verification is required and when
it is not. They also work when the user supplies a password and when it is
randomly generated by Koha. My full test plan is below.

These are the sample passwords I tested with:
<password>
<%20>
 
<password>
<p></p>
<a href="#">link</a>
¥

Test plan:
1. Make sure a valid e-mail is stored in KohaAdminEmailAddress.
2. Set OpacPublic to Enable.
3. Set PatronSelfRegistration to Allow.
4. Be sure there is a valid patron category in
PatronSelfRegistrationDefaultCategory.
5. Set PatronSelfRegistrationBorrowerMandatoryField to include at least
"firstname|surname|email|password" so that these are required fields.
6. Set PatronSelfRegistrationPrefillForm to "Display and prefill" so that you
can see the password and have it prefilled.

To test when e-mail verification is NOT required:
1. Set PatronSelfRegistrationVerifyByEmail to "Don't require".
2. Go to the OPAC and fill out the self-registration form. Supply a password
that contains the less-than character.
3. Confirm that upon account creation, your password is correctly displayed on
the confirmation page.
4. Also confirm that you can log in to your account.

To test when e-mail verification IS required:
1. Be sure that OPACBaseUrl has a value since it is called by the
OPAC_REG_VERIFY e-mail template.
2. Set PatronSelfRegistrationVerifyByEmail to "Require."
3. Go to the OPAC and fill out the self-registration form. Supply a password
that contains the less-than character.
4. Follow the e-mail verification link created by Koha.
5. Confirm that upon account creation, your password is correctly displayed on
the confirmation page.
6. Also confirm that you can log in to your account.

To test when a password is generated randomly:
1. Remove "password" from the list of fields in
PatronSelfRegistrationBorrowerMandatoryField and repeat the two blocks of steps
above. Be sure that the randomly generated password contains a less-than
character and that it displays properly. Since these are generated randomly,
you may need to self-register multiple times until your generated password
contains this character.

-- 
You are receiving this mail because:
You are watching all bug changes.
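The check that the test plan above performs by eye can be automated as a round trip: render each sample password into the page, parse the markup back, and compare the visible text with the original. This is an added example, not Koha code and not part of the original comment; the `PAGE` fragment, its class name and the helper names are assumptions, and `html.escape` stands in for whatever encoding the patch applies in the template.

```python
import html
from html.parser import HTMLParser

# Sample passwords taken from the comment above.
SAMPLES = ["<password>", "<p></p>", '<a href="#">link</a>', "¥"]

# Hypothetical confirmation-page fragment (assumption, not Koha's template).
PAGE = '<span class="password-value">{}</span>'


class TextCollector(HTMLParser):
    """Collect only the text nodes, i.e. what a user would read on the page."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.chunks = []

    def handle_data(self, data):
        self.chunks.append(data)


def displayed_text(markup):
    """Parse markup and return the concatenated visible text."""
    parser = TextCollector()
    parser.feed(markup)
    parser.close()  # flush any text still buffered by the parser
    return "".join(parser.chunks)


def shown(password, encode):
    """Text the user sees when the password is placed in PAGE."""
    value = html.escape(password) if encode else password
    return displayed_text(PAGE.format(value))


def audit(samples):
    """Map each password to (survives_raw, survives_encoded)."""
    return {pw: (shown(pw, False) == pw, shown(pw, True) == pw)
            for pw in samples}


if __name__ == "__main__":
    for pw, (raw_ok, enc_ok) in audit(SAMPLES).items():
        print(f"{pw!r:28} raw={'ok' if raw_ok else 'LOST'} "
              f"encoded={'ok' if enc_ok else 'LOST'}")
```

A password that survives only in the encoded column is one the user would have been shown incorrectly before the fix.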

