Commit graph

9 commits

Author SHA1 Message Date
10c154353f Bug 13618: Remove html filters for HtmlTags
We will have to make sure this filter (HtmlTags) is not used with
unsafe variables.

Generated by:
perl -p -i -e 's/HtmlTags tag([^\|]*)\| html -%]/HtmlTags tag\1-%]/g' **/*.tt **/*.inc
perl -p -i -e 's/HtmlTags tag([^\|]*)\| html %]/HtmlTags tag\1%]/g' **/*.tt **/*.inc

Signed-off-by: Owen Leonard <oleonard@myacpl.org>

Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>

Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
2018-08-17 15:55:08 +00:00
Jonathan Druart
dcd1f5d48c Bug 13618: Add html filters to all the variables
Here we go, next step then.
As we did not fix the performance issue when autofiltering
the variables (see bug 20975), the only solution we have is to add the
filters explicitly.

This patch has been autogenerated (using add_html_filters.pl, see next
patches) and adds the html filter to all the variables displayed in the
template.
Exceptions are made (using the new 'raw' TT filter) to the variable we
already listed in the previous versions of this patch.

To test:
- Use t/db_dependent/Koha/Patrons.t to populate your DB with autogenerated
data which contain <script> tags

- Remove them from borrower_debarments.comments (they are allowed here)
update  borrower_debarments set comment="html tags possible here";

- From the interface hit page and try to catch alert box.
If you find one it means you have found a possible XSS.
To know where it comes from:
* note the exact URL where you found it
* note the alert box content
* Dump your DB and search for the string in the dump to identify its
location (for instance table.field)

Next:
* Ideally we would like to use the raw filter when it is not necessary
to HTML escape the variables (in big loop for instance)
* Provide a QA script to catch missing filters (we want html, uri, url
or raw, certainly others that I am forgetting now)
* Replace the html filters with uri when needed (!)

Signed-off-by: Owen Leonard <oleonard@myacpl.org>

Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>

Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
2018-08-17 15:55:05 +00:00
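The message above proposes a QA script to catch template variables that are output without an html, uri, url or raw filter. The following is an added example of such a check, not Koha's own script: a small Perl scanner over Template Toolkit text. The keyword list, the hypothetical missing_filters function and the sample template fragment are all constructed here.

```perl
#!/usr/bin/perl
# Added example (not Koha's own QA script): flag Template Toolkit output
# directives that display a variable without one of the html/uri/url/raw
# filters named in the commit message.
use strict;
use warnings;

# TT directive keywords: these are control or include directives, not
# variable output, so they are never flagged (constructed list).
my %keyword = map { $_ => 1 } qw(IF ELSIF ELSE UNLESS END FOREACH WHILE
    SET DEFAULT INCLUDE PROCESS BLOCK USE SWITCH CASE LAST NEXT RETURN STOP
    TRY CATCH FINAL THROW CLEAR META WRAPPER FILTER MACRO CALL);

# Returns the bodies of all [% ... %] directives in $text that output a
# variable without an html, uri, url or raw filter.
sub missing_filters {
    my ($text) = @_;
    my @hits;
    # Handles the chomping forms [%- ... -%] as well as plain [% ... %].
    while ( $text =~ /\[%-?\s*(.*?)\s*-?%\]/gs ) {
        my $body = $1;
        next if $body =~ /^#/;                        # TT comment directive
        my ($first) = $body =~ /^(\w+)/;
        next if $first && $keyword{$first};           # control directive
        next if $body =~ /\|\s*(html|uri|url|raw)\b/; # already filtered
        push @hits, $body;
    }
    return @hits;
}

# Constructed template fragment exercising each case; only the
# borrowernotes line should be reported.
my $sample = <<'TT';
[% INCLUDE 'doc-head-open.inc' %]
[% IF patron %]
  <p>[% patron.surname | html %]</p>
  <p>[% patron.borrowernotes %]</p>
  <a href="moremember.pl?borrowernumber=[% patron.borrowernumber | uri %]">x</a>
  [% debarment.comment | raw %]
[% END %]
TT

for my $hit ( missing_filters($sample) ) {
    print "unfiltered: [% $hit %]\n";
}
```

A filter given through a variable or a BLOCK is not recognised by this simple regex, so treat its output as a list of candidates to review rather than a proof of safety.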
Marc Véron
59e95182cf Bug 18629: (followup) Plain text "Continue..." instead of BLOCK
Remove
[% BLOCK txt_continue %]Continue to the next step[% END %]
...and restore original text

See comment #19 and comment #20

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
2017-08-30 16:43:34 -03:00
Marc Véron
bd81047f42 Bug 18629 - Translatability: Fix problems with web installer 17.05
The new web installer for 17.05 has a great new design - but it has a lot of
translatability issues. Some strings are not picked for translations,
some expose the content of tt directives, and others are split by
html tags, resulting in small text fragments that are not easy to translate.

This patch weeds out such translation problems for step1.tt, step2.tt and
step3.tt

To test:
- Apply patch (on top of Bug 18665 because of html tags inside of
  tt directives in step2.tt)
- Prepare a fresh install (drop database, create database)
- Walk through the installation process and verify that it works as before
- Verify that string changes (in English) make sense
- Create a translation( cd misc/translator, then perl translate create aa-AA)
  then: vim po/aa-AA-staff-prog.po and search for: /installer\/step
  Verify that strings for step1.tt, step2.tt, step3.tt are not fragmented,
  do not contain [%%, and are easily translatable (make sense without having
  to search in source files for context).

(Amended to remove some superfluous chomps 2017-06-27 mv)

Signed-off-by: Alex Buckley <alexbuckley@catalyst.net.nz>

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
2017-08-30 16:43:34 -03:00
6596513d4b Bug 17942 - Update style of the web installer with Bootstrap 3
This patch makes style and markup changes to the web installer and new
onboarding tool (Bug 17855).

- Markup has been corrected, improved, and in many places reindented.
- Some page titles have been made more specific.
- Some JavaScript and CSS have been moved to separate files.

In the onboarding tool I have removed form validation from the markup
and JavaScript in many cases where the requirements were not matched
elsewhere in Koha. For instance, we shouldn't limit item type
descriptions to only letters because the database doesn't require such a
limit.

To test, apply the patch and run the web installer with an empty
database. Confirm that the installation process completes correctly and
that each page looks good and works correctly.

Works as advertised
Signed-off-by: Marc Véron <veron@veron.ch>

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>

Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
2017-05-09 20:54:30 +00:00
1191ea4f44 Bug 17504: Make the installer show the right dbms help if wrong permissions
This patch changes the installer template for step 2 (DB rights check)
so it correctly displays the MySQL-related message.
The previous code was doing the wrong comparison, thus yielding
PostgreSQL documentation.

To test:
- Run:
  $ sudo koha-mysql kohadev
  > DROP DATABASE koha_kohadev ; CREATE DATABASE koha_kohadev;
  > REVOKE INSERT ON koha_kohadev.* FROM 'koha_kohadev'@'localhost';
  > FLUSH PRIVILEGES; \q
- Run the webinstaller through step 2
=> FAIL: You get the message in the attached screenshot
- Apply the patch, reload
=> SUCCESS: You are shown a different warning message, with a link
to up-to-date MySQL docs on GRANT
- Fix permissions for the user:
  $ sudo koha-mysql kohadev
  > GRANT ALL PRIVILEGES on koha_kohadev.* TO 'koha_kohadev'@'localhost';
  > FLUSH PRIVILEGES; \q
- Reload
=> SUCCESS: All checks are correct and you can move on
- Sign off :-D

Signed-off-by: Josef Moravec <josef.moravec@gmail.com>

Signed-off-by: Jonathan Druart <jonathan.druart@biblibre.com>

Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
2016-11-02 10:58:49 +00:00
32fa69ee36 Bug 2774 - Path to theme is hard-coded in many places
This patch corrects several more places in the templates where the path
to the prog theme is hard-coded. To test, apply the patch and view the
following cases:

- When a database update is triggered the login page loads login.css.
  This path should be correct. (Reference to wizard.css is removed as
  per Bug 10422).
- The course reserves home page should load datatables-related assets
  correctly.
- Help pages for the Quick spine label creator and the staff client home
  page should show the correct paths where they reference the Koha file
  system.
- The web installer pages should correctly load the Koha logo.
- The label creator "manage" pages (layouts, templates, etc.) should
  correctly load datatables-related assets.

Signed-off-by: Liz Rea <liz@catalyst.net.nz>
Checked all 5 - look good.

Signed-off-by: Jonathan Druart <jonathan.druart@biblibre.com>
Signed-off-by: Galen Charlton <gmc@esilibrary.com>
2013-06-07 09:04:15 -07:00
c0401d62aa Bug 2780 - Capitalize strings consistently (Installer)
Correcting capitalization in Installer templates

Signed-off-by: Katrin Fischer <Katrin.Fischer.83@web.de>
2012-04-10 10:03:33 +02:00
Chris Cormack
5884fb1000 Bug 5917 : Swapping templates over
2011-04-10 20:38:30 +12:00
Renamed from koha-tt/intranet-tmpl/prog/en/modules/installer/step2.tt