This patch has been generated with the script provided on bug 21576.
It only affects variable used in the href attribute of a link *when*
href it the first attribute of the node (grep "a href")
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
Here we go, next step then.
As we did not fix the performance issue when autofiltering
the variables (see bug 20975), the only solution we have is to add the
filters explicitely.
This patch has been autogenerated (using add_html_filters.pl, see next
pathces) and add the html filter to all the variables displayed in the
template.
Exceptions are made (using the new 'raw' TT filter) to the variable we
already listed in the previous versions of this patch.
To test:
- Use t/db_dependent/Koha/Patrons.t to populate your DB with autogenerated
data which contain <script> tags
- Remove them from borrower_debarments.comments (there are allowed here)
update borrower_debarments set comment="html tags possible here";
- From the interface hit page and try to catch alert box.
If you find one it means you find a possible XSS.
To know where it comes from:
* note the exact URL where you found it
* note the alert box content
* Dump your DB and search for the string in the dump to identify its
location (for instance table.field)
Next:
* Ideally we would like to use the raw filter when it is not necessary
to HTML escape the variables (in big loop for instance)
* Provide a QA script to catch missing filters (we want html, uri, url
or raw, certainly others that I am forgetting now)
* Replace the html filters with uri when needed (!)
Signed-off-by: Owen Leonard <oleonard@myacpl.org>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
Test plan;
Trigger /cgi-bin/koha/errors/404.pl
Confirm the typo without the patch and that it's fixed with this patch
applied.
Signed-off-by: Owen Leonard <oleonard@myacpl.org>
Signed-off-by: Chris Cormack <chrisc@catalyst.net.nz>
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
This patch changes the 400, 401, 402, 403, 404, 500 error pages to be handled
by only one template for staff and only one template for OPAC.
Additionally it removes a translatability issues due to sentence splitings by html tags.
To test:
- Apply patch
- Trigger 404 error for staff and for OPAC by calling a page that does not exist
- Try to trigger other error pages and/or carefully review code changes
in the *.pl files
- Review koha-tmpl/opac-tmpl/bootstrap/en/modules/errors/errorpage.tt and
koha-tmpl/intranet-tmpl/prog/en/modules/errorpage.tt
(Amended to fix a typo)
(Amended for comment #6)
(Amended to cover OPAC error pages as well)
Signed-off-by: Hector Castro <hector.hecaxmmx@gmail.com>
Works as advertised
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Brendan A Gallagher <brendan@bywatersolutions.com>
To test:
1) Go to cgi-bin/koha/errors/errornumber.pl to see the error messages which currently don't make sense (ie cgi-bin/koha/errors/401.pl etc). Have only made changes to 401, 403 and 404
2) Apply patch
3) Go to cgi-bin/koha/errors/401.pl --> Check that it now says "This error means that you aren't authorized to view this page." and "Please log in and try again.". Check that 'log in' redirects to the log in page (mainpage.pl).
4) Go to cgi-bin/koha/errors/403.pl --> Check that it now says "This error means that you are forbidden to view this page."
5) Go to cgi-bin/koha/errors/404.pl --> This page should be very different. Check that the 'Error 404' is now in italics and not bold. Check that the page gives a list of reasons the user may have been given this error and some options for their next step.
Signed-off-by: Catherine <cnorthcott.work@gmail.com>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Amended patch: replace tab with 4 spaces.
Note: I am not sure the em tag is useful here.
Signed-off-by: Tomas Cohen Arazi <tomascohen@unc.edu.ar>
The error page (400, 401, 402, 403, 404, 405 and 500) displays parts the old
staff client main page.
The user can easily browses using navigation links.
Test plan:
Go on the 400.pl, 401.pl, 402.pl, 403.pl, 404.pl, 405.pl and 500.pl
pages, and confirm all is fine and you don't get the old style blocks.
Signed-off-by: Nick Clemens <nick@quecheelibrary.org>
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
http://bugs.koha-community.org/show_bug.cgi?id=10258
Signed-off-by: Tomas Cohen Arazi <tomascohen@gmail.com>
With this patch, I don't see any other place where the old sysprefs editors
(systemprefences.pl) is used anymore.
Signed-off-by: Chris Cormack <chrisc@catalyst.net.nz>
* prior to this commit, virtual shelvesn't did not function in
the OPAC! Now they do, except for deletion from virtual shelves
in list form
* I've re-named 'Virtual Shelves' to 'Lists' as per our agreed
upon convention
* while vshelves aren't perfect yet, they're in enough of a working
state for the RC1 now
Signed-off-by: Joshua Ferraro <jmf@liblime.com>
tmpl_process3.pl still throws some multi-byte warnings
but no markup errors
There are still quite a few places we could normalize
to reduce the size of the translation file
Signed-off-by: Chris Cormack <crc@liblime.com>
Signed-off-by: Joshua Ferraro <jmf@liblime.com>
