Resolves the following comments:
I'd prefer to see a generate_csrf method than a CSRF flag.
It'd be better to use instead of require the 2 modules.
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Marc <veron@veron.ch>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Move calls to WWW::CSRF to Koha::Token.
Send a safe random string to WWW::CSRF instead of letting CSRF make a
blocking call to Bytes::Random::Secure. If your server has not enough
entropy, opac-memberentry will hang waiting for more characters in
dev/random. Koha::Token uses Bytes::Random::Secure with the NonBlocking
flag.
Test plan:
[1] Do not yet apply this patch.
[2] If your server has not enough entropy, calling opac-memberentry may
take a while. But this not may be the case for you (no worries).
[3] Apply this patch.
[4] Verify that opac-memberentry still works as expected.
[5] Run t/Token.t
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Yes, my server had entropy trouble (reason for finding the problem).
This patch resolves the delay.
Tested all 3 patches together, works as expected.
Signed-off-by: Marc <veron@veron.ch>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
If an attacker can get an authenticated Koha user to visit their page
with the url below, they can change patrons' passwords or other
patrons'details
members/memberentry.pl?op=save&destination=circ&borrowernumber=3435&password=ZZZ&password2=ZZZ&nodouble=1
Test plan:
Trigger
members/memberentry.pl?op=save&destination=circ&borrowernumber=42&password=ZZZ&password2=ZZZ&nodouble=1
=> Without this patch, the password will be updated
=> With this patch applied you will get a crash "Wrong CSRF token" (no
need to stylish)
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Amended: removed the commented use Digest::MD5-line.
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
This was set to a version that is not available in Wheezy or Jessie.
The version is not required, the only change to 1.42 (packaged for
Wheezy and Jessie) is a fix for Windows, see
http://cpansearch.perl.org/src/PETDANCE/Test-WWW-Mechanize-1.44/Changes
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
The more correct solution is fix that template file.
However, in the mean time, this works.
TEST PLAN
---------
1) find a record
2) edit record
3) click value builder for 007
4) change everything to pipes as much as possible.
(use Motion Picture to get all 00-22 values)
5) save
-- should save just fine.
6) click the value builder again
-- OOPS! Bad reload.
7) prove t/db_dependent/FrameworkPlugin.t
-- NOISY 007 messages.
8) apply patch
9) click the value builder again
-- good reload
10) prove t/db_dependent/FrameworkPlugin.t
-- No noise related to 007.
11) run koha qa test tools.
Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Test plan:
Search for something like:
\";alert(1)//135
=> Without this patch you will see the alert
=> With this patch, no more alert
Note that this fix the parameters idx, q and op
Signed-off-by: Chris Cormack <chrisc@catalyst.net.nz>
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Test plan:
Enter the following in the "Check out" tab:
"><script>alert('XSS')</script>
=> Without this patch you will see the alert
=> With this patch, no more alert
Signed-off-by: Chris Cormack <chrisc@catalyst.net.nz>
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Test plan:
Enter the following in the barcode input:
<script>alert('XSS')</script>
=> Without this patch you will see the alert
=> With this patch, no more alert
Signed-off-by: Chris Cormack <chrisc@catalyst.net.nz>
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Test plan:
Hit
/serials/serials-search.pl?ISSN_filter="%2F><script>alert('XSS')<%2Fscript>&searched=1
/serials/serials-search.pl?title_filter="%2F><script>alert('XSS')<%2Fscript>&searched=1
=> Without this patch you will see the alert
=> With this patch, no more alert
Signed-off-by: Chris Cormack <chrisc@catalyst.net.nz>
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Hit
/cgi-bin/koha/catalogue/detail.pl?biblionumber=1<script type="text/javascript">alert("XSS")</script>
/cgi-bin/koha/catalogue/ISBDdetail.pl?biblionumber=1<script type="text/javascript">alert("XSS")</script>
/cgi-bin/koha/catalogue/MARCdetail.pl?biblionumber=1<script type="text/javascript">alert("XSS")</script>
/cgi-bin/koha/catalogue/moredetail.pl?biblionumber=1<script type="text/javascript">alert("XSS")</script>
/cgi-bin/koha/catalogue/labeledMARCdetail.pl?biblionumber=1<script type="text/javascript">alert("XSS")</script>
=> Without this patch you will see the alert
=> With this patch, no more alert
Signed-off-by: Chris Cormack <chris@bigballofwax.co.nz>
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Adds a note about missing support for NORMARC (only supports
MARC21 and UNIMARC) to the system preference text.
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Signed-off-by: Frédéric Demians <f.demians@tamil.fr>
Playing with OPACResultsLibrary syspref, biblio with items having different
home/holding library are displayed properly.
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
When you search in the OPAC it shows you the HOME branch on the location
in XSLT, but if you click through to the detail page it shows you the
CURRENT BRANCH in the holdings table which is very confusing to patrons.
I don't know what's the right solution - home or holding branch, but they
should be the same in both places for the patron's sake. If you do the same
search in the staff client you see the right branch info on the search results
and on the detail page.
Test Plan:
1) Apply this patch
2) Run updatedatabase.pl
3) Search the catalog, you search should include results with items
that have different home and holding libraries.
4) The results should look the same as before the patch
5) Change the system preference OPACResultsLibrary to "current location"
6) Refresh your page of search results
7) The results show now show the holding library instead of the home library
Signed-off-by: Barbara Walters <bwalters@ncrl.org>
Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Creating a new patron category raises an error "An error occurred when updating
this patron category. Perhaps it already exists."
DBIx::Class does not default to the value defined at the DB devel if the
key checkprevcheckout has been passed to the constructor.
We may need to provide a global fix for this kind of issue: if a column
is defined as "not null" but has a default value, the constructor
(Koha::Object->new) should not pass it to the DBIx::Class constructor
(even if assuming that null means default is a terrible mysqlism).
Test plan:
Create a new patron category.
Works as expected.
Signed-off-by: Marc <veron@veron.ch>
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Removes commented line from bib1.att.
Adjust OCLC-number to Other-control-number in comment of ccl properties.
No need to explicitly add 035$a and $z if you index 035 completely in
record.abs as well as biblio-koha-indexdefs.xml.
Rerun koha-indexdefs-to-zebra.xsl on index defs.
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
1) Apply patch
2) Make sure that you have a bib that has MARC21 035$a (and possibly also 035$z) populated.
pre 3) Replace all modified zebra files and restart zebra server
3) Rebuild zebra: misc/migration_tools/rebuild_zebra.pl -x -b -z
4) Add the following to the intranetuserjs syspref:
$(document).ready(function(){
// Add Other Control Number to advanced search
if (window.location.href.indexOf("catalogue/search.pl") > -1) {
$(".advsearch").append('<option value="Other-control-number">Other Control Number</option>');
}
});
5) Do an advanced search, select "Other Control Number" from the search menu, then add the Other Control Number in 035$a for the bib specified in step 1.
Signed-off-by: Bernardo Gonzalez Kriegel <bgkriegel@gmail.com>
Works, no koha-qa errors
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Changing the package maintainer and removing a whitespace in debian/control.in.
Regenerated debian/control from that, which also adds libhtml-parser-perl because of bug 16971.
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
This has not been updated for a while. I plan to add the stable
releases.
Signed-off-by: Frédéric Demians <f.demians@tamil.fr>
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
This makes debian/list-deps ready for Debian Jessie
and adds small fixes I already use for package releases.
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
This patch is the starting point for making the REST api available
on Plack.
What it does:
- It creates the /api/v1/app.pl mount point in plack.psgi
- It enables the ProxyPass and ProxyPassReverse directives so it
is reached through Plack.
- It sets rewrite rules so we can use the 'pretty' urls (i.e.
/api/v1/patrons instead of /api/v1/app.pl/api/v1/patrons).
To test:
- Grab the following files, and put them in /etc/koha (overwrite the existing ones)
debian/templates/apache-shared-intranet-plack.conf
debian/templates/apache-shared-opac-plack.conf
- Tweak your /etc/koha/sites/kohadev/plack.psgi file so the API-related stuff
is present on your file.
- Make sure Plack is enabled for the instance:
$ sudo koha-plack --enable kohadev
$ sudo koha-plack --restart kohadev
$ sudo service apache2 restart
- Follow the previous patch test plan, but use this URLs (no pretty URL):
http://localhost:8080/api/v1/app.pl/api/v1/patrons/50http://localhost:8081/api/v1/app.pl/api/v1/patrons/50
=> SUCCESS: You get a JSON response from the API [1]
- Not use this URLs:
http://localhost:8080/api/v1/patrons/50http://localhost:8081/api/v1/patrons/50
=> SUCCESS: You get a JSON response from the API [1]
- Sign off :-D
[1] this patch made a bug visible (the session is lost when accessing the API through
Plack) but it shouldn't prevent its inclusion because the API right now is not even available
as default for developers to test or fix it.
Signed-off-by: Benjamin Rokseth <benjamin.rokseth@kul.oslo.kommune.no>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
This patch enables access to the REST API endpoint on packages setup.
It does so, by patching the shared apache-shared-intranet.conf and
apache-shared-opac.conf.
You can build your own master packages with this patch applied, or just:
- Grab
debian/templates/apache-shared-intranet.conf
debian/templates/apache-shared-opac.conf
and overwrite their counterparts in /etc/koha on a packages setup. For example
in kohadevbox.
- Have Koha loaded with all default data
- Create a superlibrarian user for you
- Login to the intranet and the OPAC
- Point your browser to:
http://localhost:8080/api/v1/patrons/51
=> SUCCESS: You get JSON data, for the patron you requested
http://localhost:8081/api/v1/patrons/51
=> SUCCESS: You get JSON data, for the patron you requested
- Sign off :-D
Note: I use the HTTPRequester addon for Firefox, re-using the CGISESSID value from the
browser session cookie, in the headers.
Signed-off-by: Benjamin Rokseth <benjamin.rokseth@kul.oslo.kommune.no>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
C4/Auth_cas_servers.yaml.orig gets cleaned away after every package build because
of the .orig extension. This patch moves it.
It is only a sample file, there is no functionality to test. Just verify that the
file is there with the new name after you applied the patch.
Signed-off-by: Claire Gravely <c.gravely@arts.ac.uk>
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
This .sql~ backup file should not have been committed.
Signed-off-by: Claire Gravely <c.gravely@arts.ac.uk>
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
This adds a basetgz parameter to specify a pbuilder image.
I use this to build against different distributions.
This also updates the version number for master builds to 16.06.
Signed-off-by: Frédéric Demians <f.demians@tamil.fr>
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
empty HTML list item on 'holds' page, to test:
- sign in as user
- attempt to place hold
- view source in between 'holds note' textarea & <!-- ITEM HOLDS --> comment
- note empty <li>
- apply patch
- repeat process above up until patch
- no more empty <li>
Signed-off-by: Jason Robb <jrobb@sekls.org>
Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
Signed-off-by: Brendan Gallagher <brendan@bywatersolutions.com>
With this patch all sample/defintions .sql files are updated and translated into Italian
(if you select italian during web installation).
Signed-off-by: Mark Tompsett <mtompset@hotmail.com>
Signed-off-by: Brendan Gallagher <brendan@bywatersolutions.com>
TEST PLAN
---------
1) unset KOHA_CONF
2) prove t
-- 00-load.t dies miserably
3) prove t/Creators.t
-- fails
4) apply patch
5) prove t
-- noisy, but all tests successful
6) prove -v t/Creators.t
-- 2 skipped tests
7) run koha qa test tools
Signed-off-by: Marc Véron <veron@veron.ch>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Signed-off-by: Brendan Gallagher <brendan@bywatersolutions.com>
Swagger definition for patron was missing two properties.
Signed-off-by: Benjamin Rokseth <benjamin.rokseth@kul.oslo.kommune.no>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Signed-off-by: Brendan Gallagher <brendan@bywatersolutions.com>
Swagger definition for hold was missing a property.
Signed-off-by: Benjamin Rokseth <benjamin.rokseth@kul.oslo.kommune.no>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Signed-off-by: Brendan Gallagher <brendan@bywatersolutions.com>
The original Makefile.PL tweak missed to trim the directory name thus
repeating the 'api' directory like in 'api/api'.
To test:
- Make a standard install (for example in /usr/share/koha
=> FAIL: check /usr/share/koha/api/api exists
- Make a single install (for example in /home/tcohen/koha-single)
=> FAIL: check /home/tcohen/koha-single/api/api exists
- Apply the patch
- Make a standard install (for example in /usr/share/koha
=> SUCCESS: check /usr/share/koha/api exists and doesn't contain a nested 'api' dir
- Make a single install (for example in /home/tcohen/koha-single)
=> SUCCESS: check /home/tcohen/koha-single/api exists and doesn't contain a nested 'api' dir
- Sign off :-D
Note: this affects the packages too, as the standard install is used as a basis.
Signed-off-by: Benjamin Rokseth <benjamin.rokseth@kul.oslo.kommune.no>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Signed-off-by: Brendan Gallagher <brendan@bywatersolutions.com>
This patch clarifies the note on the upload tool
that states that no categories are defined.
To test:
* Log in to Koha
* Confirm that you have no values set for the UPLOAD
authorized value category
* Visit Tools > Upload
* Check the warning note for typos
* Add a authorized value category for UPLOAD
* Visit Tools > Upload
* Confirm that note is replaced
Signed-off-by: Owen Leonard <oleonard@myacpl.org>
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Brendan Gallagher <brendan@bywatersolutions.com>
This patch propose to fix this two entries in PO files:
"See highlighted items" and "below"
Also add some Font Awesome Icons
To test:
-Apply patch 16810 on top and this patch
-Go to a patron who has overdues
-See the link "See highlighted items below" with a hand down icon
-Look the new plus icon to "Add a new message" to the patron.
-Add a few messages and notice about the trash icon in "Delete" links
Signed-off-by: Marc Véron <veron@veron.ch>
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
Signed-off-by: Brendan Gallagher <brendan@bywatersolutions.com>
prove t/db_dependent/ILSDI_Services.t
generates noisy output as a result of the ambiguous context
of two $cgi->param() calls.
By storing into scalar variables, and then using the scalar
variables, the code maintains readability and fixes the problem.
TEST PLAN
---------
1) prove t/db_dependent/ILSDI_Services.t
-- noisy.
2) apply patch
3) prove t/db_dependent/ILSDI_Services.t
-- not noisy
4) run koha qa test tools
Signed-off-by: Marc <veron@veron.ch>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Signed-off-by: Brendan Gallagher <brendan@bywatersolutions.com>
When the auth_header table has records which exclude 1xx and
2xx tags, the $bibfield doesn't match anything. This in turn
sets it to undef, which triggers an error on the next line
killing the test.
This was completely refactored to provide the data necessary
for the tests to pass, and to be more comprehensive (both MARC
and UNIMARC are tested). The tests are then run.
C4::Headings::authorities is mocked, so that this test is not
dependent on a search engine.
TEST PLAN
---------
1) back up DB
2) DELETE FROM auth_header;
3) SOURCE auth_header.sql;
-- the provided file
4) prove t/db_dependent/Linker_FirstMatch.t
-- should barf before running all the tests
5) apply all patches
6) prove t/db_dependent/Linker_FirstMatch.t
-- should work happy
7) run koha qa test tools
8) restore your backup
Followed test plan, behaves as expected.
Signed-off-by: Marc <veron@veron.ch>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Signed-off-by: Brendan Gallagher <brendan@bywatersolutions.com>
In koha-tmpl/intranet-tmpl/prog/en/modules/catalogue/detail.tt,
fix line splitted TT directives and sentence splitting leading
to translatability problems. (See first comment).
To test:
- Apply patch
- Go to detail pages of biblios with waiting holds
- Verify that messages in column 'Status' are OK
- Examine code in patch to make sure that the simplification in logic
makes sense and that no TT directive is splitted
- Bonus test:
- Go to folder misc/translator. Run perl translate create xx-XX
- Verify that monster mentioned in first comment no longer exists
(in po/xx-XX-staff-prog.po)
Signed-off-by: Hector Castro <hector.hecaxmmx@gmail.com>
Works as advertised
Amended for wording (comment #5) 2016-07-26 mv
Signed-off-by: Brendan Gallagher <brendan@bywatersolutions.com>
This module is already used in opac-password-recovery.pl.
It is loaded in Acquisition, but not used (anymore?).
It is not yet listed in PerlDependencies.
Note: The module is packaged for Debian Wheezy and Jessie.
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Signed-off-by: Brendan Gallagher <brendan@bywatersolutions.com>
Test plan:
0) Have either CAS or Shibboleth authentication enabled under Plack.
1) Hover over the authentication link on the staff client or OPAC, and
notice that it has either '.../opac/...' or '.../intranet/...' instead
of '.../cgi-bin/koha/...'. (This will be a complete dealbreaker for CAS
authentication.)
2) Apply patch.
3) Check links again; they should now have the correct paths.
Signed-off-by: Matthias Meusburger <matthias.meusburger@biblibre.com>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Did not test CAS or Shibboleth, but no regression found.
Signed-off-by: Brendan Gallagher <brendan@bywatersolutions.com>
This patch just does that, and removes it from the comment on /etc/default/koha-common
To test:
- Apply the patch
- Run:
$ vagrant ssh ; cd kohaclone
$ sudo debian/scripts/koha-indexer --stop kohadev
$ sudo debian/scripts/koha-indexer --start kohadev
=> SUCCESS: Verify no warning is shown on the indexer-output.log file
- Sign off
https://bugs.koha-community.org/show_bug.cgi?id=16830
Signed-off-by: Mark Tompsett <mtompset@hotmail.com>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Signed-off-by: Brendan Gallagher <brendan@bywatersolutions.com>
To Test
1/ Try using a plugin
2/ Apply patch
3/ Test plugin still works
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
Signed-off-by: Brendan Gallagher <brendan@bywatersolutions.com>
The vars are gotten from the url and sent to the template as it. They
must be escaped.
Test plan:
I have not managed to create the original issue, so there is no test
plan for the XSS fix, but you can confirm there is no regression.
Signed-off-by: Chris Cormack <chris@bigballofwax.co.nz>
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
Signed-off-by: Brendan Gallagher <brendan@bywatersolutions.com>
iUnless AutoResumeSuspendedHolds is enabled, attempting to suspend a
hold from reserve/request.pl results in the following error:
The given date (undefined) does not match the date format (us) at
/home/vagrant/kohaclone/Koha/DateUtils.pm line 152.
Test Plan:
1) Enable SuspendHoldsIntranet
2) Disable AutoResumeSuspendedHolds
3) Attempt to suspend or unsuspend a hold
4) Note the error
5) Apply this patch
6) Repeat step 3
7) The hold should suspend or resume correctly
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Signed-off-by: Megan Wianecki <mwianecki@mtpl.org>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Signed-off-by: Brendan Gallagher <brendan@bywatersolutions.com>
Test plan:
Enter the following in the barcode input:
<script>alert('XSS')</script>
=> Without this patch you will see the alert
=> With this patch, no more alert
Signed-off-by: Chris Cormack <chrisc@catalyst.net.nz>
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
Signed-off-by: Brendan Gallagher <brendan@bywatersolutions.com>
Test plan:
Enter the following in the different inputs:
<script>alert('XSS')</script>
=> Without this patch you will see the alert
=> With this patch, no more alert
Signed-off-by: Chris Cormack <chrisc@catalyst.net.nz>
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
Signed-off-by: Brendan Gallagher <brendan@bywatersolutions.com>
Test plan:
Enter the following in the different inputs:
<script>alert('XSS')</script>
=> Without this patch you will see the alert
=> With this patch, no more alert
Signed-off-by: Chris Cormack <chrisc@catalyst.net.nz>
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
Signed-off-by: Brendan Gallagher <brendan@bywatersolutions.com>
Test plan:
Hit /tools/viewlog.pl?do_it=1&modules=CATALOGUING&action=MODIFY&object=<script>alert("XSS")</script>
=> Without this patch you will see the alert
=> With this patch, no more alert
Signed-off-by: Chris Cormack <chrisc@catalyst.net.nz>
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
Signed-off-by: Brendan Gallagher <brendan@bywatersolutions.com>
Test plan:
Hit:
/serials/checkexpiration.pl?title="><script>alert("XSS")</script>&date=12/02/2002
/serials/checkexpiration.pl?issn="><script>alert("XSS")</script>&date=12/02/2002
=> Without this patch you will see the alert
=> With this patch, no more alert
Signed-off-by: Chris Cormack <chris@bigballofwax.co.nz>
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
Signed-off-by: Brendan Gallagher <brendan@bywatersolutions.com>
