Commit graph

6 commits

Author SHA1 Message Date
Jonathan Druart
dcd1f5d48c Bug 13618: Add html filters to all the variables
Here we go, next step then.
As we did not fix the performance issue when autofiltering
the variables (see bug 20975), the only solution we have is to add the
filters explicitely.

This patch has been autogenerated (using add_html_filters.pl, see next
pathces) and add the html filter to all the variables displayed in the
template.
Exceptions are made (using the new 'raw' TT filter) to the variable we
already listed in the previous versions of this patch.

To test:
- Use t/db_dependent/Koha/Patrons.t to populate your DB with autogenerated
data which contain <script> tags

- Remove them from borrower_debarments.comments (there are allowed here)
update  borrower_debarments set comment="html tags possible here";

- From the interface hit page and try to catch alert box.
If you find one it means you find a possible XSS.
To know where it comes from:
* note the exact URL where you found it
* note the alert box content
* Dump your DB and search for the string in the dump to identify its
location (for instance table.field)

Next:
* Ideally we would like to use the raw filter when it is not necessary
to HTML escape the variables (in big loop for instance)
* Provide a QA script to catch missing filters (we want html, uri, url
or raw, certainly others that I am forgetting now)
* Replace the html filters with uri when needed (!)

Signed-off-by: Owen Leonard <oleonard@myacpl.org>

Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>

Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
2018-08-17 15:55:05 +00:00
Julian Maurice
200a468a9c Bug 12395: Add FK constraint and use patron-title.inc
Signed-off-by: Julian Maurice <julian.maurice@biblibre.com>

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>

Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
2018-07-06 14:01:51 +00:00
Katrin Fischer
8e58b03966 Bug 12395: (QA follow-up) Change wording for consistency and fix use CGI;
Signed-off-by: Julian Maurice <julian.maurice@biblibre.com>

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>

Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
2018-07-06 14:01:50 +00:00
4967a3150a Bug 12395: Use standard <fieldset> + <ol> markup for showorder.tt
Signed-off-by: Séverine QUEUNE <severine.queune@bulac.fr>

Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>

Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
2018-07-06 14:01:50 +00:00
Katrin Fischer
6403070e63 Bug 12395: (QA follow-up) Add class/id to body tag
Signed-off-by: Séverine QUEUNE <severine.queune@bulac.fr>

Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>

Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
2018-07-06 14:01:50 +00:00
Julian Maurice
9487049640 Bug 12395: Save order line's creator
New MySQL column: aqorders.createdby

Creator's name is displayed on order's receive pages (acqui/orderreceive.pl
and acqui/parcel.pl)

On acqui/orderreceive.pl it replace the name of basket's creator
On acqui/parcel.pl, to avoid adding more data in the table of pending
orders, it is shown in a popup like MARC and Card views

Test plan:
1/ Run updatedatabase.pl
2/ Create a new order and go to the receipt page (acqui/parcel.pl)
3/ Click on "Order" link in column "More" (previously "View record")
4/ A javascript popup should appear with your name in it. Close the
popup.
5/ Click on "Receive" link
6/ Your name should appear in front of "Created by" label, to the right
of the page.

Patch updated with use of atomic update.

Signed-off-by: Séverine QUEUNE <severine.queune@bulac.fr>

Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>

Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
2018-07-06 14:01:47 +00:00