[Koha-devel] Escaping single quotes in template variables

David Cook dcook at prosentient.com.au
Tue Jun 23 08:45:58 CEST 2015


Hi all:


It looks like we're not validating the data that goes into "cardnumber".
This causes problems in at least one spot (in members-toolbar.inc, which is
loaded by circulation.pl).

If the cardnumber contains an apostrophe, you'll get an Uncaught SyntaxError
in the javascript function confirm_reregistration.


Unfortunately, using the "uri" filter won't fix this problem:

"As of version 2.26 of the Template Toolkit, the uri and url filters use the
unsafe character set defined by RFC3986. This means that certain characters
("(", ")", "~", "*", "!" and the single quote "'") are now deemed unsafe and
will be escaped as hex character sequences. The double quote character ('"')
is now deemed safe and will not be escaped"
(http://template-toolkit.org/docs/manual/Filters.html#section_uri).


The required version in Koha is 2.22 and the version in Debian appears to be
2.24. I'm currently using 2.25.


So I'm not really sure where to go from here but here are some ideas:

1) Upgrade Template Toolkit to 2.26 (possibly not so easy from a Debian
perspective [Robin might want to chime in on that one], and who knows what
else has been changed between 2.24 and 2.26? The readme on Github isn't
super comprehensive https://github.com/abw/Template2)

2) Replace the single quote in the template with an encoded single quote
(not very elegant and possibly a bit annoying to maintain)

3) URI encode the data in the .pm or .pl (I'd rather not handle display
template logic in the actual Perl. Plus, cardnumber is passed opaquely to
the template via "$template->param(%$borrower);" at the moment)

4) Limit the data allowed as a cardnumber (this is probably the hardest
thing to do because a borrower can be created in a few different ways, which
might make reporting data validation errors more or less difficult.)

5) We could write our own Template Toolkit Filter class that escapes most
comprehensively

What does the Koha brain trust think?


David Cook

Systems Librarian

Prosentient Systems

72/330 Wattle St, Ultimo, NSW 2007
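The custom-filter route floated as option 5 above, shown as an added example that is not code from this post or from Koha: a static Template Toolkit filter (here named `js`, backed by a hypothetical `js_escape` sub) that makes a value safe inside a JavaScript string literal, exercised on a constructed template fragment modelled on the `confirm_reregistration` case with a card number containing an apostrophe.

```perl
use strict;
use warnings;
use Template;

# Escape a value for use inside a JavaScript string literal (single- or
# double-quoted). Every character that has meaning inside a JS string,
# plus "<", ">" and "&" so the output can never close a <script> element
# or form an entity, becomes a \xHH or \uHHHH escape, which JavaScript
# decodes back to the original character at runtime.
sub js_escape {
    my $text = shift;
    return '' unless defined $text;
    $text =~ s{([\\'"<>&\r\n\x{2028}\x{2029}])}{
        my $cp = ord $1;
        $cp < 0x100 ? sprintf('\\x%02X', $cp) : sprintf('\\u%04X', $cp)
    }gex;
    return $text;
}

# Register the sub as a static filter called "js".
my $tt = Template->new({ FILTERS => { js => \&js_escape } })
    or die Template->error;

# Constructed fragment in the spirit of members-toolbar.inc: the card
# number is interpolated directly into a quoted JavaScript string.
my $template = <<'END';
function confirm_reregistration() {
    var cardnumber = '[% cardnumber | js %]';
    return confirm("Renew " + cardnumber + "?");
}
END

# Constructed sample: a card number containing an apostrophe, which
# without the filter would terminate the JS string literal early.
my %vars = ( cardnumber => "O'Brien" );

my $output;
$tt->process(\$template, \%vars, \$output) or die $tt->error;
print $output;
# The apostrophe is emitted as \x27, so the literal stays well-formed:
#     var cardnumber = 'O\x27Brien';
```

Unlike the `uri` filter, the escaping here does not depend on the installed Template Toolkit version, and the same sub can be wrapped in a `Template::Plugin::Filter` subclass if a plugin-style filter is preferred.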

