Here we go, next step then.
As we did not fix the performance issue when autofiltering
the variables (see bug 20975), the only solution we have is to add the
filters explicitely.
This patch has been autogenerated (using add_html_filters.pl, see next
pathces) and add the html filter to all the variables displayed in the
template.
Exceptions are made (using the new 'raw' TT filter) to the variable we
already listed in the previous versions of this patch.
To test:
- Use t/db_dependent/Koha/Patrons.t to populate your DB with autogenerated
data which contain <script> tags
- Remove them from borrower_debarments.comments (there are allowed here)
update borrower_debarments set comment="html tags possible here";
- From the interface hit page and try to catch alert box.
If you find one it means you find a possible XSS.
To know where it comes from:
* note the exact URL where you found it
* note the alert box content
* Dump your DB and search for the string in the dump to identify its
location (for instance table.field)
Next:
* Ideally we would like to use the raw filter when it is not necessary
to HTML escape the variables (in big loop for instance)
* Provide a QA script to catch missing filters (we want html, uri, url
or raw, certainly others that I am forgetting now)
* Replace the html filters with uri when needed (!)
Signed-off-by: Owen Leonard <oleonard@myacpl.org>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
There are many patron-related templates which still use event attributes
to define events. This patch updates these templates so that events are
defined in JavaScript.
To test apply the patch and check out to a patron.
- From the Print menu in the toolbar, choose "Print summary." The patron
summary page should open and the print dialog should be automatically
triggered.
- From the Print menu in the toolbar, choose "Print slip." The patron
slip page should open and the print dialog should be automatically
triggered.
- From the Print menu in the toolbar, choose "Print quick slip." The
patron quick slip page should open and the print dialog should be
automatically triggered.
- Click the patron's "Fines" tab in the left-hand sidebar and then
choose the "Account" tab.
-- Click the "Print" button for an account payment (the link should
point to printfeercpt.pl). A print receipt page should open and
the print dialog should be automatically triggered.
-- Follow the same procedure for a transaction which is not an account
payment (the link should point to printinvoice.pl).
- Click the "Create manual invoice" tab.
-- Select one of the "type" choices. Doing so should automatically
populate the "Description" field with the corresponding code.
-- If necessary, define one or more values for the MANUAL_INV
authorized value and confirm that those invoice types work as well.
- From the patron's "Pay fines" tab, click the "Pay amount" button. In
the "collect from patron" field, enter any combination of letters,
numbers, and symbols. When you tab away from that field your text
should be reformatted to currency format.
- From the patrons home page, change the filter in the left-hand sidebar
and submit it. The correct results should be returned.
Signed-off-by: EricGosselin <eric.gosselin.5@gmail.com>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Revert "DBRev to make notes of the XSS patches and the new important dependency."
This reverts commit e140603a59.
Revert "Bug 13618: Specific for branches.opac_info"
This reverts commit 06e4a50f00.
Revert "Bug 13618: (follow-up) Specific for other prefs"
This reverts commit d6475a111f.
Revert "Bug 13618: Fix for debarredcomment and patron messages"
This reverts commit dd98c9df92.
Revert "Bug 13618: Do not display html tags in patron's notices"
This reverts commit a065b243fe.
Revert "Bug 13618: Do not display and html tags in item fields content"
This reverts commit baeeaffbf8.
Revert "Bug 13618: Fix for system preference description"
This reverts commit a967a09261.
Revert "Bug 13618: Remove html filters for newly pushed code"
This reverts commit 0e98662b10.
Revert "Bug 13618: (follow-up) add missing lines for opac-shelves"
This reverts commit fc2fb605e5.
Revert "Bug 13618: (follow-up) Specific for ColumnsSettings"
This reverts commit bc308fdd9c.
Revert "Bug 13618: Fix for edit biblios and items"
This reverts commit 811c4e8402.
Revert "Bug 13618: followup to remove tabs"
This reverts commit ca8e8c397c.
Revert "Bug 13618: Fix last occurrences recently introduced to master"
This reverts commit bb417b256b.
Revert "Bug 13618: Fix for news"
This reverts commit ae5b98020a.
Revert "Bug 13618: Fix escape on sending baskets or shelves by email"
This reverts commit a7731ffe25.
Revert "Bug 13618: Specific for XSLTBloc"
This reverts commit 11fa38dc29.
Revert "Bug 13618: Specific for Salutation on editing a patron"
This reverts commit 36c07ad6d3.
Revert "Bug 13618: Specific for other prefs"
This reverts commit e6ea281a3b.
Revert "Bug 13618 - memberentrygen.tt errors Not a GLOB reference"
This reverts commit 7824874557.
Revert "Bug 13618: Specific for ColumnsSettings"
This reverts commit 1834da3da3.
Revert "Bug 13618: Specific for IntranetUser* and OPACUser* prefs"
This reverts commit 21ae62b253.
Revert "Bug 13618: Fix error 'Not a GLOB reference'"
This reverts commit 602bdbab4c.
Revert "Bug 13618: Specific for the ISBD view"
This reverts commit d254362435.
Revert "Bug 13618: Specific for pagination_bar"
This reverts commit 8837a8ae68.
Revert "Bug 13618: Specific places where we don't need to escape variables - intra"
This reverts commit 00eff140b3.
Revert "Bug 13618: Remove html filters at the intranet"
This reverts commit 7db851ff03.
Revert "Bug 13618: Specific places where we don't need to escape variables"
This reverts commit 49a3738b8d.
Revert "Bug 13618: Remove html filters at the OPAC"
This reverts commit cedaa0e23e.
Revert "Bug 13618: Use Template::Stash::AutoEscaping to use the html filter"
This reverts commit 01b38d3b13.
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Signed-off-by: Brendan Gallagher brendan@bywatersolutions.com
Currently, slips cannot be printed in circulation, members, or the
self check out when using Chrome.
This patch adds a timer of 1ms which allows Chrome's custom code to
prevent "window.close" occuring before the user has dealt with the
print window.
This patch also allows admins to use the 'IntranetSlipPrinterJS'
system preference to override the slip printing code by centralizing
all the slip printing code in slip-print.inc, and including this JS
anywhere it's needed in the staff client.
I haven't used this include in the OPAC SCO but perhaps it would make
sense to do so as well (even if it isn't referred to in the syspref's
name).
_TEST PLAN_
1) Using Chrome on Windows (not sure if this is an issue on other OSes),
try to print a slip in the following locations:
Fines Tab -> Print button
koha-tmpl/intranet-tmpl/prog/en/modules/members/printfeercpt.tt:
Details tab -> Print button -> Print slip || Print quick slip
koha-tmpl/intranet-tmpl/prog/en/modules/members/moremember-receipt.tt:
Details tab -> Print button -> Print summary
koha-tmpl/intranet-tmpl/prog/en/modules/members/moremember-print.tt:
Fines tab -> Accounts tab -> Print (Manual invoice of $5 sundry)
koha-tmpl/intranet-tmpl/prog/en/modules/members/printinvoice.tt:
Checkout tab -> Print button
koha-tmpl/intranet-tmpl/prog/en/modules/circ/printslip.tt:
Finish button
koha-tmpl/opac-tmpl/bootstrap/en/modules/sco/printslip.tt
2) Note that each time you try to print, a new print page is created
but closed before you have a chance to print.
3) Apply the patch
4) Repeat Step 1
5) Note that the print page now doesn't close until after you've
chosen to print or cancel.
Signed-off-by: Christopher Brannon <cbrannon@cdalibrary.org>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Signed-off-by: Tomas Cohen Arazi <tomascohen@gmail.com>