[Koha-devel] Escape all the TT variables! (aka prevent XSS vulnerabilities)
Jonathan Druart
jonathan.druart at bugs.koha-community.org
Fri Oct 26 19:29:12 CEST 2018
Hi devs,
This needs an update.
Bug 13618 has been pushed to master.
Now you will have to escape all the variables template-side.
See the wiki page to understand why and how -
https://wiki.koha-community.org/wiki/Coding_Guidelines#HTML9:_filter_all_the_variables
There is a test in the QA script (missing_filter) as well as a test in the
codebase to catch missing filters (xt/find-missing-filters.t)
To make things easier you can use the misc script (misc/devel/add_missing_filters.pl)
to automatically add the missing filters!
Cheers,
Jonathan
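As an added illustration (not part of Jonathan's message or of Koha's own code), the following Perl script renders a Template Toolkit variable with and without the built-in `html` filter, showing how an unfiltered `[% var %]` lets user-supplied text land in the page as markup, and then runs a deliberately simplified checker for directives that carry no filter at all. The `find_missing_filters` sub, the sample template and the sample value are constructed for this example; the checker only approximates the idea behind xt/find-missing-filters.t and the QA script's missing_filter test and is not either of them.

```perl
#!/usr/bin/perl
# Added example, not Koha code: why a missing TT filter matters, and a toy
# scan for directives that lack one.
use strict;
use warnings;
use Template;

# Constructed sample value standing in for user-controlled data (e.g. a search
# term echoed back into the page).
my $user_input = q{<script>alert("xss")</script>};
my $vars = { title => $user_input };

# Unfiltered: the variable is interpolated verbatim into the HTML.
my $unsafe_tmpl = q{<h1>[% title %]</h1>};
# Filtered: TT's built-in `html` filter escapes &, <, > and " for element content.
# (URL parameters need the `uri` filter instead; the filter must match the context.)
my $safe_tmpl   = q{<h1>[% title | html %]</h1>};

my $tt = Template->new() or die Template->error();

for my $tmpl ($unsafe_tmpl, $safe_tmpl) {
    my $output = '';
    $tt->process(\$tmpl, $vars, \$output) or die $tt->error();
    print "$tmpl\n  => $output\n";
}
# The filtered template renders as:
#   <h1>&lt;script&gt;alert(&quot;xss&quot;)&lt;/script&gt;</h1>

# Hypothetical, simplified checker (not Koha's xt/find-missing-filters.t):
# report directives that interpolate a variable without any `|` filter.
# Control directives (IF/FOREACH/END/SET/INCLUDE/...) and comments are skipped.
sub find_missing_filters {
    my ($template_text) = @_;
    my @missing;
    my $line_no = 0;
    for my $line ( split /\n/, $template_text ) {
        $line_no++;
        while ( $line =~ /\[%-?\s*(.*?)\s*-?%\]/g ) {
            my $directive = $1;
            next if $directive =~ /^(?:IF|ELSE|ELSIF|UNLESS|END|FOREACH|WHILE|SET|USE|INCLUDE|PROCESS|BLOCK|SWITCH|CASE|DEFAULT|#)/;
            next if $directive =~ /\|/;    # already carries a filter
            push @missing, "line $line_no: [% $directive %]";
        }
    }
    return @missing;
}

# Constructed template: two of the five variable directives lack a filter.
my $sample_template = <<'TT';
[% INCLUDE 'header.inc' %]
<title>[% title | html %]</title>
[% IF patron %]
  <p>[% patron.firstname %] [% patron.surname | html %]</p>
  <a href="/search?q=[% query | uri %]">[% query %]</a>
[% END %]
TT

print "Missing filters:\n";
print "  $_\n" for find_missing_filters($sample_template);
# Reports: line 4: [% patron.firstname %]  and  line 5: [% query %]
```

The scan is intentionally naive (one directive per regex match, no multi-line directives, no awareness of `raw` or of variables that are already safe), which is exactly why a project-wide rule such as "every variable gets a filter" is easier to enforce mechanically than case-by-case judgement about which values are trusted.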