Here we go, next step then.
As we did not fix the performance issue when autofiltering
the variables (see bug 20975), the only solution we have is to add the
filters explicitly.
This patch has been autogenerated (using add_html_filters.pl, see next
patches) and adds the html filter to all the variables displayed in the
template.
Exceptions are made (using the new 'raw' TT filter) for the variables we
already listed in the previous versions of this patch.
To test:
- Use t/db_dependent/Koha/Patrons.t to populate your DB with autogenerated
data which contain <script> tags
- Remove them from borrower_debarments.comments (they are allowed here)
update borrower_debarments set comment="html tags possible here";
- From the interface, hit pages and try to catch an alert box.
If you find one, it means you have found a possible XSS.
To know where it comes from:
* note the exact URL where you found it
* note the alert box content
* Dump your DB and search for the string in the dump to identify its
location (for instance table.field)
Next:
* Ideally we would like to use the raw filter when it is not necessary
to HTML escape the variables (in big loops, for instance)
* Provide a QA script to catch missing filters (we want html, uri, url
or raw, certainly others that I am forgetting now)
* Replace the html filters with uri when needed (!)
Signed-off-by: Owen Leonard <oleonard@myacpl.org>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
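An added example, not part of these commits or of Koha's own QA tools: a small checker in the spirit of the QA script proposed in the "Next" list above, scanning Template Toolkit text for output directives that carry none of the html, uri, url or raw filters. Its view of the TT grammar is a simplification (it assumes the default uppercase keywords and accepts both `raw` and `$raw` spellings of the raw filter).

```python
import re

# TT keywords that open a control directive and print nothing; assumes default uppercase keywords.
TT_KEYWORDS = {
    "IF", "UNLESS", "ELSIF", "ELSE", "END", "FOREACH", "WHILE", "SWITCH", "CASE",
    "SET", "DEFAULT", "INCLUDE", "PROCESS", "INSERT", "BLOCK", "USE", "MACRO",
    "WRAPPER", "FILTER", "TRY", "CATCH", "FINAL", "THROW", "CALL", "RETURN",
    "STOP", "NEXT", "LAST", "BREAK", "CLEAR", "META", "DEBUG",
}
DIRECTIVE_RE = re.compile(r"\[%[-+~=]?(.*?)[-+~=]?%\]", re.S)
# Accepted filters; '$raw' is allowed too, since a filter may be referenced through a variable.
SAFE_FILTER_RE = re.compile(r"\|\s*\$?(html|uri|url|raw)\b")
ASSIGNMENT_RE = re.compile(r"^[\w.]+\s*=(?!=)")

def find_unfiltered_vars(template_text):
    """Return (line_number, directive_body) for each output directive
    that carries none of the html/uri/url/raw filters."""
    findings = []
    for m in DIRECTIVE_RE.finditer(template_text):
        body = m.group(1).strip()
        if not body or body.startswith("#"):
            continue  # empty directive or [%# comment %]
        if body.split()[0] in TT_KEYWORDS or ASSIGNMENT_RE.match(body):
            continue  # control flow / include / [% foo = bar %]: no output
        if SAFE_FILTER_RE.search(body):
            continue
        line_no = template_text.count("\n", 0, m.start()) + 1
        findings.append((line_no, body))
    return findings

# Constructed sample (not a real Koha file): line 5 outputs borrower.surname
# without a filter and should be the only finding.
SAMPLE_TEMPLATE = """\
[% INCLUDE 'doc-head-open.inc' %]
[% IF error %]
<div class="dialog alert">[% error_message | html %]</div>
[% END %]
<p>[% borrower.surname %], [% borrower.firstname | html %]</p>
[% FOREACH d IN debarments %]
  <li>[% d.comment | $raw %]</li>
[% END %]
[%# comment mentioning borrower.cardnumber %]
<a href="/cgi-bin/koha/members/moremember.pl?borrowernumber=[% borrower.borrowernumber | uri %]">link</a>
[% SET total = debarments.size %]
"""

if __name__ == "__main__":
    for line_no, body in find_unfiltered_vars(SAMPLE_TEMPLATE):
        print(f"line {line_no}: [% {body} %] has no html/uri/url/raw filter")
```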
Translation for koha-tmpl/intranet-tmpl/prog/en/includes/patroncards-errors.inc
contains a lot of (partial) template directives like:
%%]%s %sLayout: [%%
This patch fixes it.
To test:
- Verify that code changes make sense
- Apply patch
- Create a translation (cd misc/translator, then: perl translate create aa-AA)
- Verify that po/aa-AA-staff-prog.po contains no fragments like %%] or [%%
for patroncards-errors.inc
- Try to get an error: Try a link like
http://[YOUR SERVER]/cgi-bin/koha/patroncards/create-pdf.pl?batch_id=1&template_id=999&layout_id=999&start_card=1
...where template_id and layout_id do not exist
(Amended for comment #2 2017-06-05 mv)
(Amended for comment #6 2017-08-02 mv)
Signed-off-by: Owen Leonard <oleonard@myacpl.org>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
This patch adds a check for duplicates before uploading the image.
To test:
1) Go to Tools -> Patron card creator -> Manage images
2) If you haven't already, upload an image
3) Try to upload another image with the same image name
4) Notice the first image is replaced with the second image, with no
warning.
5) Apply patch and refresh page
6) Try to upload an image with the same image name again
7) Notice you are now warned about a duplicate image name.
8) Check that uploading an image with a unique name still works.
Sponsored-by: Catalyst IT
Signed-off-by: Claire Gravely <claire_gravely@hotmail.com>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
To test:
1) Go to Tools -> Patron Card Creator -> New Image
2) Click Upload without attaching anything
3) Notice typo
4) Apply patch and refresh page (resend information if prompted)
5) Notice typo fixed
Sponsored-by: Catalyst IT
Signed-off-by: Claire Gravely <claire_gravely@hotmail.com>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Change patroncards/create-pdf.pl to redirect with an error message
instead of writing an invalid pdf that does not open in a pdf viewer.
To test:
- Apply patch
- Test that pdf creator behaves as before (with valid batches and
patron lists)
- While testing, copy pdf link address from window with title 'Click
the following link(s) to download...'
- Open another staff client browser tab
- Paste link to browser address field, change batch id resp. patron
list id to an invalid value and submit
- The window should redirect to cgi-bin/koha/patroncards/create-pdf.pl
and display an error message
- Bonus test 1: Create an empty patron list and test patron card
creation. You should get an error message as appropriate.
- Bonus test 2: Use a link with params like the following:
...create-pdf.pl?borrower_number=61&template_id=2&layout_id=1&start_card=1
Verify that you can create a pdf with a valid borrower_number and that
you get the error message with an invalid borrower number
Signed-off-by: Owen Leonard <oleonard@myacpl.org>
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
(Apparently) unlike HTML::Template::Pro, Template Toolkit doesn't like
template variables that are entirely numeric -- in conditionals, it
considers them integers, most of which are Perl true.
This patch changes this by setting the error variable to the error
value.
To test:
[1] Run the test plan from the previous patch. In each
case, verify that the error message is specifically applicable
to the test. For example, if you try uploading a patron image
that is larger than 500KB, the error message displayed should
specifically say so.
Signed-off-by: Galen Charlton <gmc@esilibrary.com>
Signed-off-by: Katrin Fischer <Katrin.Fischer.83@web.de>
Thank you Galen for catching this. Error messages showing up
now are much more specific and according to the error codes given.
I tested uploading a file larger than 500KB and triggered several
error messages giving the error code in the URL:
/cgi-bin/koha/patroncards/manage.pl?card_element=profile&error=201
All tests and QA script pass.
Signed-off-by: Galen Charlton <gmc@esilibrary.com>
The patron card creator error message include uses a non-standard method
for displaying error messages, and is poorly-named.
This patch converts the method of displaying error messages for various
patron card creator options to the standard one ('<div class="dialog
alert">') and renames the include file to make it clear that it relates
only to patron card creator operations.
To test, perform various operations:
- Go to 'manage images' and try to upload a file which exceeds the
500KB file size limit
- Go to the edit batch page and manually append an error code to the
URL: /cgi-bin/koha/patroncards/edit-batch.pl?op=new&error=403
- Go to one of the manage pages and manually append an error code to the
URL:
/cgi-bin/koha/patroncards/manage.pl?card_element=profile&error=201
Correct display of an error message indicates that the include file is
being found.
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Signed-off-by: Katrin Fischer <Katrin.Fischer.83@web.de>
Passes test plan, test suite and QA script.
Signed-off-by: Galen Charlton <gmc@esilibrary.com>