[Koha-devel] [Bug 196] user input not checked for HTML tags

bugzilla-daemon at wilbur.katipo.co.nz
Wed Apr 23 08:07:59 CEST 2003


http://bugs.koha.org/cgi-bin/bugzilla/show_bug.cgi?id=196

paul.poulain at free.fr changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|                            |LATER



------- Additional Comments From paul.poulain at free.fr  2003-04-24 03:05 -------
The solution is to parse all templates and add "ESCAPE='HTML'" everywhere:
CC of the HTML::Template doc:

  <TMPL_VAR NAME="PARAMETER_NAME">

The <TMPL_VAR> tag is very simple. For each <TMPL_VAR> tag in the template you
call $template->param(PARAMETER_NAME => "VALUE"). When the template is output
the <TMPL_VAR> is replaced with the VALUE text you specified. If you don't set a
parameter it just gets skipped in the output.

Optionally you can use the "ESCAPE=HTML" option in the tag to indicate that
you want the value to be HTML-escaped before being returned from output (the old
ESCAPE=1 syntax is still supported). This means that the ", <, >, and &
characters get translated into &quot;, &lt;, &gt; and &amp; respectively. This
is useful when you want to use a TMPL_VAR in a context where those characters
would cause trouble. Example:

   <input name=param type=text value="<TMPL_VAR NAME="PARAM">">

If you called param() with a value like sam"my you'll get in trouble with
HTML's idea of a double-quote. On the other hand, if you use ESCAPE=HTML, like this:

   <input name=param type=text value="<TMPL_VAR ESCAPE=HTML NAME="PARAM">">

You'll get what you wanted no matter what value happens to be passed in for
param. You can also write ESCAPE="HTML", ESCAPE='HTML' and ESCAPE='1'.
Substitute a 0 for the HTML and you turn off escaping, which is the default anyway.

There is also the "ESCAPE=URL" option which may be used for VARs that populate
a URL. It will do URL escaping, like replacing ' ' with '+' and '/' with '%2F'.



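The following is an added example, not code from the bug report or from Koha itself, showing the difference the ESCAPE=HTML attribute makes and a small audit of the kind the "parse all templates" step implies. It assumes the HTML::Template module is installed; the input value is constructed for the demonstration, and the helper names `render` and `unescaped_vars` are this example's own.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use HTML::Template;

# The two forms of the doc's <input> example: the first interpolates PARAM
# raw, the second adds ESCAPE=HTML as the comment proposes doing everywhere.
my $raw_tmpl     = q{<input name=param type=text value="<TMPL_VAR NAME="PARAM">">};
my $escaped_tmpl = q{<input name=param type=text value="<TMPL_VAR ESCAPE=HTML NAME="PARAM">">};

# Constructed user input (not from the bug report): the double quote ends the
# value attribute early, so everything after it would be parsed as markup.
my $user_input = q{sam"my><b>bold</b>};

# Render one template text with one value for PARAM; returns the output string.
sub render {
    my ($tmpl_text, $value) = @_;
    my $t = HTML::Template->new(scalarref => \$tmpl_text);
    $t->param(PARAM => $value);
    return $t->output;
}

# Audit helper: list every <TMPL_VAR> tag in a template that carries no
# ESCAPE attribute. Assumption: a regex over the template text is adequate
# for templates of this style (no '>' inside attribute values).
sub unescaped_vars {
    my ($tmpl_text) = @_;
    my @hits;
    while ($tmpl_text =~ /(<TMPL_VAR\b([^>]*)>)/gi) {
        my ($tag, $attrs) = ($1, $2);
        push @hits, $tag unless $attrs =~ /\bESCAPE\s*=/i;
    }
    return @hits;
}

print "raw:     ", render($raw_tmpl, $user_input), "\n";
print "escaped: ", render($escaped_tmpl, $user_input), "\n";

# Report the tags that still need ESCAPE=HTML added.
for my $tmpl ($raw_tmpl, $escaped_tmpl) {
    print "needs ESCAPE=HTML: $_\n" for unescaped_vars($tmpl);
}
```

Run it with `perl` on a system that has HTML::Template. In the raw rendering the quote in the value closes the attribute and the rest of the input ends up in the page as markup; in the escaped rendering the quote and angle brackets come out as `&quot;`, `&lt;` and `&gt;`, exactly as the quoted doc describes, so the whole input stays inside the attribute. The audit loop reports only the unescaped tag, which is the per-tag edit the comment proposes applying across all templates.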



