Here we go, next step then.
As we did not fix the performance issue when autofiltering
the variables (see bug 20975), the only solution we have is to add the
filters explicitely.
This patch has been autogenerated (using add_html_filters.pl, see next
pathces) and add the html filter to all the variables displayed in the
template.
Exceptions are made (using the new 'raw' TT filter) to the variable we
already listed in the previous versions of this patch.
To test:
- Use t/db_dependent/Koha/Patrons.t to populate your DB with autogenerated
data which contain <script> tags
- Remove them from borrower_debarments.comments (there are allowed here)
update borrower_debarments set comment="html tags possible here";
- From the interface hit page and try to catch alert box.
If you find one it means you find a possible XSS.
To know where it comes from:
* note the exact URL where you found it
* note the alert box content
* Dump your DB and search for the string in the dump to identify its
location (for instance table.field)
Next:
* Ideally we would like to use the raw filter when it is not necessary
to HTML escape the variables (in big loop for instance)
* Provide a QA script to catch missing filters (we want html, uri, url
or raw, certainly others that I am forgetting now)
* Replace the html filters with uri when needed (!)
Signed-off-by: Owen Leonard <oleonard@myacpl.org>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
This patch adds a DataTables-generated print button to the OPAC cart. To
make that process easier, the DataTables plugin has been upgraded to the
latest version (1.10.18) with the Buttons plugin included.
Changes to the OPAC LESS file style the DataTables button to look like
the static version.
Other templates in the OPAC which use the DataTables plugin have been
modified to use up-to-date option names.
To test, apply the patch and add several titles to the cart.
- Open the cart
- Re-sort the cart using something other than the default sort
- Click the 'Print' button.
- A print view should open in a separate window, sorted correctly,
and automatically show the print dialog.
- Click the cart's 'More details' button and click the print button.
- This should trigger the print dialog directly.
- Test DataTables sorting on other modified pages:
- Bibliographic detail page (holdings table)
- Course reserves (table of courses)
- Course details (table of titles)
- Full subscription history
- Detail page for a subscription -> More details -> Full history
- Most popular
- Purchase suggestions
- Self checkouts
- Tag cloud
- Your fines
- Your interlibrary loan requests
- Your reading history
- Your search history
- Your search IDREF for ppn (I don't know how to test this)
The DataTables plugin is removed from "Your routing lists" and Self
check-in because it is unused.
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
Signed-off-by: Josef Moravec <josef.moravec@gmail.com>
Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
This patch is a reimplementation of the original from Indranil Das Gupta
and the QA follow-up from Julian Maurice. Original test plan:
Conformance rules for HTML5 is generating warnings for <script> element
with type="text/javascript" attribute when the OPAC page is checked
with W3C Validator. This patch removes the cause of these warnings.
Test plan
=========
1/ Paste the URL to your OPAC page (if it is hosted) to W3C Validator
and watch about 10+ warnings being generated by the validator.
2/ Apply patch and re-submit the page to the Validator. The warnings
would be gone.
Signed-off-by: Jon Knight <J.P.Knight@lboro.ac.uk>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
Conformance rules for HTML5 is generating warnings for <style> element
with type="text/css" attribute when the OPAC page is checked
with W3C Validator.
Test plan
=========
1/ Click the "Tag cloud" link on the OPAC. Paste the URL to your OPAC
page (if it is hosted) to W3C Validator and watch the warning about
type attribute "text/css".
2/ Apply patch and re-submit the page to the Validator. The warning
will be gone.
Signed-off-by: Owen Leonard <oleonard@myacpl.org>
Signed-off-by: maksim <maksim@inlibro.com>
Signed-off-by: Julian Maurice <julian.maurice@biblibre.com>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
The OPAC webservice IdRef display was broken.
The call returns results but citations where empty.
Maybe the webservice has changed.
This patch corrects the fetch of datas in result.
Also fixes a small HTML missing tag tr.
Also adds a comment with link to official doc :
http://documentation.abes.fr/aideidrefdeveloppeur/index.html#MicroWebBiblio
Test plan :
1) Enable system preference IdRef
2) Choose an existing PPN like 032581270
3) Look result on : https://www.idref.fr/services/biblio/032581270.json
4) Call in OPAC website : /cgi-bin/koha/opac-idref.pl?unimarc3=032581270
5) Without patch you see only one role containing empty rows
6) With patch you see all roles with correct rows
Signed-off-by: Simon Pouchol <simon.pouchol@biblibre.com>
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Amended: removed unused @unimarc3 (not to be confused with $unimarc3).
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
This patch reverts the changes made at the OPAC from the following
patches:
Do not include the antiClickjack legacy browser trick for greybox"
Revert "Bug 15111: Do not include the antiClickjack legacy browser trick for greybox"
This reverts commit fc640d2a86.
Revert "Bug 15111: Change X-Frame-Options with SAMEORIGIN"
This reverts commit fb167c0e4b.
Revert "Bug 15111 - Koha is vulnerable to Cross-Frame Scripting (XFS) attacks"
This reverts commit dc03bca76c.
Setting X-Frame-Options to SAMEORIGIN is enough for mordern browsers:
https://developer.mozilla.org/en-US/docs/Web/HTTP/X-Frame-Options
The antiClickjack trick should be removed at the OPAC as we want to keep
the OPAC usable even if the user has disabled JS.
That means the OPAC will be vulnerable to XFS if a user is navigating
with a prehistoric browser:
Firefox 3.6.9 September 2010
IE 8 March 2008
Opera 10.5 March 2010
Safari 4 February 2009
Chrome 4.1.… somewhen 2010
Test plan:
Confirm that there are no regression of bug 15111 with modern browsers
Signed-off-by: Marc Véron <veron@veron.ch>
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
Signed-off-by: Brendan Gallagher <bredan@bywatersolutions.com>
If you click on a link that opens a new tab/window to another site, that tab
has access to the original window through JavaScript. The browsing context is
related, even if the domains are totally different.
The tab retains access to the original window's object via window.opener, even
if you navigate to another page or domain, in the new or original window.
Access to the Window object means the new window can use Window.location to
open a different URL in the original window, perfect for phishing attacks.
Depending on the site's Same-Origin Policy settings, the new window may have
access to other parts of the original window's DOM as well.
Any 'A HREF' that contains a target of of '_blank' or '_new' or a fixed name
is vulnerable. Previous security best practice often suggested creating a random
fixed name for an unpredictable namespace - that won't help with this problem!
Targets of '_self' and '_parent' are safe.
We do not use _new (at first glance) but several _blank. Some are used
to refer internal url, we do not need to update or remove them. Others
are used to satisfy OPACURLOpenInNewWindow, in these case, we should add
the rel="noreferrer" attribute to the a tags.
In other cases, we can simply remove them and let the users discover
that a mouse has more than one button (we are in 2016, they can do it!)
Signed-off-by: Chris <chrisc@catalyst.net.nz>
Signed-off-by: Jesse Weaver <jweaver@bywatersolutions.com>
Signed-off-by: Brendan Gallagher brendan@bywatersolutions.com
Most of the scripts called via greybox (which uses iframe) don't include
doc-head-close. But some do.
This patch adds a popup parameter for these templates, not to include
the legacy browser trick and avoid the replacement of the location.
Test plan:
1/ Export patroncard and label
2/ translate itemtypes
3/ click on a idref link at the OPAC
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Signed-off-by: Chris Cormack <chrisc@catalyst.net.nz>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
On the detail page (in the opac), if the biblio comes from the Sudoc,
you must have a link (on the right of the author link) which open a popup with
informations about this author (publications by role).
To test:
1/ Switch on the Idref system preference
2/ Simulate a SUDOC record:
Fill a 7..$3 field with a ppn (032581270 for example).
Fill the 009 field with an integer
3/ Go to the opac detail page of this notice.
You should see the IDREF link.
If you click on it, a popup displays a loading icon and after a few
seconds (depending of the productivity of the authority :)), a list of
roles. For each role, a table displays all his corresponding publications.
4/ On the right, you have 2 links: 1 for a koha search for this result
and 1 for a SUDOC link
Signed-off-by: valerie bertrand <valerie.bertrand@univ-lyon3.fr>
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Tomas Cohen Arazi <tomascohen@gmail.com>
