Here we go, next step then.
As we did not fix the performance issue when autofiltering
the variables (see bug 20975), the only solution we have is to add the
filters explicitely.
This patch has been autogenerated (using add_html_filters.pl, see next
pathces) and add the html filter to all the variables displayed in the
template.
Exceptions are made (using the new 'raw' TT filter) to the variable we
already listed in the previous versions of this patch.
To test:
- Use t/db_dependent/Koha/Patrons.t to populate your DB with autogenerated
data which contain <script> tags
- Remove them from borrower_debarments.comments (there are allowed here)
update borrower_debarments set comment="html tags possible here";
- From the interface hit page and try to catch alert box.
If you find one it means you find a possible XSS.
To know where it comes from:
* note the exact URL where you found it
* note the alert box content
* Dump your DB and search for the string in the dump to identify its
location (for instance table.field)
Next:
* Ideally we would like to use the raw filter when it is not necessary
to HTML escape the variables (in big loop for instance)
* Provide a QA script to catch missing filters (we want html, uri, url
or raw, certainly others that I am forgetting now)
* Replace the html filters with uri when needed (!)
Signed-off-by: Owen Leonard <oleonard@myacpl.org>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
TEST PLAN
---------
1) Install first two patches
2) do not install, or uninstall Template::Plugin::Stash
3) Upgrade to make sure system preference is added.
4) Set the system preference to turn it on for Staff and OPAC
5) Refresh staff -- kaboom
6) Load OPAC -- kaboom
7) Apply this patch
8) Reload staff and OPAC
-- nice HTML comment about what is wrong.
9) run koha qa test tools.
Signed-off-by: Bernardo Gonzalez Kriegel <bgkriegel@gmail.com>
Neat, runs well. Tested with/without sysprefs and Template::Plugin::Stash
No koha-qa errors
Signed-off-by: Jonathan Druart <jonathan.druart@koha-community.org>
It would be incredibly helpful if we could easily enable Koha to dump
all Template Toolkit variables to a comment for debugging purposes.
Test Plan:
1) Apply this patch
2) Run updatedatabase
3) Enable the new system preferences DumpTemplateVarsIntranet and
DumpTemplateVarsOpac
4) Load a page in the staff intranet, view the html source
5) Note the template toolkit variables are embedded in an html comment
6) Load a page in the opac, view the html source
7) Note the template toolkit variable are embedded in an html comment
NOTE: I had to cpan2deb Template::Plugin::Stash to test.
This is not optimal. Additionally:
http://www.template-toolkit.org/docs/modules/Template/Plugin/index.html
does not contain Stash. I suspect this was how it was
introduced initially by TT.
Signed-off-by: Mark Tompsett <mtompset@hotmail.com>
Signed-off-by: Bernardo Gonzalez Kriegel <bgkriegel@gmail.com>
Signed-off-by: Jonathan Druart <jonathan.druart@koha-community.org>
Signed-off-by: Tomas Cohen Arazi <tomascohen@unc.edu.ar>
This patch adds the name of the .tt file as a HTML comment to OPAC and Staff client pages.
To test:
Apply patch
Open pages in OPAC and Staff client.
Make sure that a comment similar to the following appears in the source code:
<!-- TEMPLATE FILE: intranet-main.tt -->
Signed-off-by: Aleisha Amohia <aleishaamohia@hotmail.com>
Signed-off-by: Katrin Fischer <Katrin.Fischer.83@web.de>
Signed-off-by: Tomas Cohen Arazi <tomascohen@gmail.com>
This patch replaces the XHTML DOCTYPE with an HTML5 one. The HTML5
validator seems to be significantly different than the XHTML one,
so I'm seeing lots of new errors. This patch includes corrections
for one: Deprecation of the "language" attribute of <script>
tags.
To test, view pages in the OPAC and staff client. They should
appear as normal. Numerous validation follow-ups will be required,
but I suggest these be handled incrementally.
Signed-off-by: Jonathan Druart <jonathan.druart@biblibre.com>
test on some intranet pages and I found no regression. (chromium and
firefox).
The w3c page about the doctype: http://www.w3.org/TR/html5-diff/#doctype
Signed-off-by: Mason James <mtj@kohaaloha.com>
Signed-off-by: Jared Camins-Esakov <jcamins@cpbibliography.com>
In the transition to Template::Toolkit a part of the DOCTYPE includes
got its case switched, making it invalid: XHTML was changed to Xhtml
Correcting the case quiets errors in the validator.
Signed-off-by: Chris Cormack <chrisc@catalyst.net.nz>
previously, it wasn't possible to insert anything into the <head> on
an individual template unless it was the title of the page. Now, the
structure is a bit more flexible to allow additional head elements to
be included.
