This patch adds HTML comments to Template::Toolkit include files which
contain <script> tags so that it is clear where the embedded scripts can
be found in the code.
To test, apply the patch and view source on the following pages to
verify the presence of the comments:
Acquisitions home page:
- acquisitions-toolbar.inc
- validtor-strings.inc
- js_includes.inc
- format-price.inc
Acquisitions -> Add order from new record,
Acquisitions -> Receive order:
- additem.js.inc
Cataloging -> Add/Edit item:
- columns_settings.inc
- strings.inc
- select2.inc
- calendar.inc
- str/cataloging_additem.inc
Authorities home page:
- authorities_js.inc
Bibliographic detail page:
- catalog-strings.inc
Cataloging -> Advanced editor:
- cateditor-ui.inc
- cateditor-widgets-marc21.inc
Administration -> Item types:
- greybox.inc
ILL requests:
- ill-list-table-strings.inc
Web installer
- installer-intranet-bottom.inc
Web installer -> Onboarding
- installer-strings.inc
Lists -> List contents -> Merge records
- merge-record-strings.inc
Patrons -> Patron -> Change password
- password_check.inc
- str/members-menu.inc
Patrons -> Patron -> Print summary
- slip-print.inc
Circulation -> Check out
- timepicker.inc
Administration -> System preferences:
- str/tinymce_i18n.inc
- wysiwyg-systempreferences.inc
Cataloging -> Z39.50 Search:
- z3950_search.inc
Signed-off-by: Frédéric Demians <f.demians@tamil.fr>
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
This patch removes the "type" attribute from <script> tags in several
staff client include files. Also removed: Obsolete "//<![CDATA[ //]]>"
markers.
This patch also makes minor indentation changes, so diff using the "-w"
flag.
To test, apply the patch and confirm that examples of affected pages
work properly without any JavaScript errors in the browser console:
- Installer -> Onboarding (uses installer-strings.inc,
validator-strings.inc)
- Patrons -> Patron details -> Change password (uses
password_check.inc)
- Patrons -> Patron details -> Print summary (slip-print.inc)
- Circulation -> Check out (strings.inc, timepicker.inc)
- Cataloging -> New from Z39.50/SRU (z3950_search.inc)
Validating the HTML source of any of these pages should return no errors
related to the "type" attribute.
Signed-off-by: Hayley Mapley <hayleymapley@catalyst.net.nz>
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
Here we go, next step then.
As we did not fix the performance issue when autofiltering
the variables (see bug 20975), the only solution we have is to add the
filters explicitely.
This patch has been autogenerated (using add_html_filters.pl, see next
pathces) and add the html filter to all the variables displayed in the
template.
Exceptions are made (using the new 'raw' TT filter) to the variable we
already listed in the previous versions of this patch.
To test:
- Use t/db_dependent/Koha/Patrons.t to populate your DB with autogenerated
data which contain <script> tags
- Remove them from borrower_debarments.comments (there are allowed here)
update borrower_debarments set comment="html tags possible here";
- From the interface hit page and try to catch alert box.
If you find one it means you find a possible XSS.
To know where it comes from:
* note the exact URL where you found it
* note the alert box content
* Dump your DB and search for the string in the dump to identify its
location (for instance table.field)
Next:
* Ideally we would like to use the raw filter when it is not necessary
to HTML escape the variables (in big loop for instance)
* Provide a QA script to catch missing filters (we want html, uri, url
or raw, certainly others that I am forgetting now)
* Replace the html filters with uri when needed (!)
Signed-off-by: Owen Leonard <oleonard@myacpl.org>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
This patch makes style and markup changes to the web installer and new
onboarding tool (Bug 17855).
- Markup has been corrected, improved, and in many places reindented.
- Some page titles have been made more specific.
- Some JavaScript and CSS have been moved to separate files.
In the onboarding tool I have removed form validation from the markup
and JavaScript in many cases where the requirements were not matched
elsewhere in Koha. For instance, we shouldn't limit item type
descriptions to only letters because the database doesn't require such a
limit.
To test, apply the patch and run the web installer with an empty
database. Confirm that the installation process completes correctly and
that each page looks good and works correctly.
Works as advertised
Signed-off-by: Marc Véron <veron@veron.ch>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
