Here we go, next step then.
As we did not fix the performance issue when autofiltering
the variables (see bug 20975), the only solution we have is to add the
filters explicitely.
This patch has been autogenerated (using add_html_filters.pl, see next
pathces) and add the html filter to all the variables displayed in the
template.
Exceptions are made (using the new 'raw' TT filter) to the variable we
already listed in the previous versions of this patch.
To test:
- Use t/db_dependent/Koha/Patrons.t to populate your DB with autogenerated
data which contain <script> tags
- Remove them from borrower_debarments.comments (there are allowed here)
update borrower_debarments set comment="html tags possible here";
- From the interface hit page and try to catch alert box.
If you find one it means you find a possible XSS.
To know where it comes from:
* note the exact URL where you found it
* note the alert box content
* Dump your DB and search for the string in the dump to identify its
location (for instance table.field)
Next:
* Ideally we would like to use the raw filter when it is not necessary
to HTML escape the variables (in big loop for instance)
* Provide a QA script to catch missing filters (we want html, uri, url
or raw, certainly others that I am forgetting now)
* Replace the html filters with uri when needed (!)
Signed-off-by: Owen Leonard <oleonard@myacpl.org>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
I made a silly mistake on the original patch and made the options
untranslatable. This follow-up restores their translatability.
Signed-off-by: Jonathan Druart <jonathan.druart@biblibre.com>
Signed-off-by: Paul Poulain <paul.poulain@biblibre.com>
In addition to the work in bug 8207 that enables auth_finder use, it
would be very useful when creating authorities to have the auth_finder
plugin automatically fill out the relationship information in $w (in
MARC21).
To test (note that you must either apply the patch for bug 8207 or
manually add a thesaurus to a 5xx linking field in one of the authority
type frameworks):
1. Create a new authority record.
2. Go to the 5xx tab.
3. Click the authority control plugin ellipsis.
4. Do a search for an authority.
5. Select a relationship type.
6. Note that after you choose an authority, that the $w control field
is automatically populated with the relationship type.
Signed-off-by: Frédéric Demians <f.demians@tamil.fr>
After applying patch for bug 8207, I had been able to follow the test plan step
by step, and get the expected result.
Signed-off-by: Jared Camins-Esakov <jcamins@cpbibliography.com>
Rebased on master 1 August 2012
