Commit graph

7 commits

Author SHA1 Message Date
Jonathan Druart
dcd1f5d48c Bug 13618: Add html filters to all the variables
Here we go, next step then.
As we did not fix the performance issue when autofiltering
the variables (see bug 20975), the only solution we have is to add the
filters explicitly.

This patch has been autogenerated (using add_html_filters.pl, see next
patches) and adds the html filter to all the variables displayed in the
template.
Exceptions are made (using the new 'raw' TT filter) to the variables we
already listed in the previous versions of this patch.

To test:
- Use t/db_dependent/Koha/Patrons.t to populate your DB with autogenerated
data which contain <script> tags

- Remove them from borrower_debarments.comments (they are allowed here)
update  borrower_debarments set comment="html tags possible here";

- From the interface hit page and try to catch alert box.
If you find one it means you found a possible XSS.
To know where it comes from:
* note the exact URL where you found it
* note the alert box content
* Dump your DB and search for the string in the dump to identify its
location (for instance table.field)

Next:
* Ideally we would like to use the raw filter when it is not necessary
to HTML escape the variables (in big loop for instance)
* Provide a QA script to catch missing filters (we want html, uri, url
or raw, certainly others that I am forgetting now)
* Replace the html filters with uri when needed (!)

Signed-off-by: Owen Leonard <oleonard@myacpl.org>

Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>

Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
2018-08-17 15:55:05 +00:00
a8942c2884 Revert bug 13618 - "Prevent XSS in the Staff Client and the OPAC" due to performance issues
Revert "DBRev to make notes of the XSS patches and the new important dependency."

This reverts commit e140603a59.

Revert "Bug 13618: Specific for branches.opac_info"

This reverts commit 06e4a50f00.

Revert "Bug 13618: (follow-up) Specific for other prefs"

This reverts commit d6475a111f.

Revert "Bug 13618: Fix for debarredcomment and patron messages"

This reverts commit dd98c9df92.

Revert "Bug 13618: Do not display html tags in patron's notices"

This reverts commit a065b243fe.

Revert "Bug 13618: Do not display &nbsp; and html tags in item fields content"

This reverts commit baeeaffbf8.

Revert "Bug 13618: Fix for system preference description"

This reverts commit a967a09261.

Revert "Bug 13618: Remove html filters for newly pushed code"

This reverts commit 0e98662b10.

Revert "Bug 13618: (follow-up) add missing lines for opac-shelves"

This reverts commit fc2fb605e5.

Revert "Bug 13618: (follow-up) Specific for ColumnsSettings"

This reverts commit bc308fdd9c.

Revert "Bug 13618: Fix for edit biblios and items"

This reverts commit 811c4e8402.

Revert "Bug 13618: followup to remove tabs"

This reverts commit ca8e8c397c.

Revert "Bug 13618: Fix last occurrences recently introduced to master"

This reverts commit bb417b256b.

Revert "Bug 13618: Fix for news"

This reverts commit ae5b98020a.

Revert "Bug 13618: Fix escape on sending baskets or shelves by email"

This reverts commit a7731ffe25.

Revert "Bug 13618: Specific for XSLTBloc"

This reverts commit 11fa38dc29.

Revert "Bug 13618: Specific for Salutation on editing a patron"

This reverts commit 36c07ad6d3.

Revert "Bug 13618: Specific for other prefs"

This reverts commit e6ea281a3b.

Revert "Bug 13618 - memberentrygen.tt errors Not a GLOB reference"

This reverts commit 7824874557.

Revert "Bug 13618: Specific for ColumnsSettings"

This reverts commit 1834da3da3.

Revert "Bug 13618: Specific for IntranetUser* and OPACUser* prefs"

This reverts commit 21ae62b253.

Revert "Bug 13618: Fix error 'Not a GLOB reference'"

This reverts commit 602bdbab4c.

Revert "Bug 13618: Specific for the ISBD view"

This reverts commit d254362435.

Revert "Bug 13618: Specific for pagination_bar"

This reverts commit 8837a8ae68.

Revert "Bug 13618: Specific places where we don't need to escape variables - intra"

This reverts commit 00eff140b3.

Revert "Bug 13618: Remove html filters at the intranet"

This reverts commit 7db851ff03.

Revert "Bug 13618: Specific places where we don't need to escape variables"

This reverts commit 49a3738b8d.

Revert "Bug 13618: Remove html filters at the OPAC"

This reverts commit cedaa0e23e.

Revert "Bug 13618: Use Template::Stash::AutoEscaping to use the html filter"

This reverts commit 01b38d3b13.

Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>

Signed-off-by: Brendan Gallagher brendan@bywatersolutions.com
2016-02-11 19:39:53 +00:00
811c4e8402 Bug 13618: Fix for edit biblios and items
On editing biblios or items, the marc_lib, marc_value and javascript
values are often populated with html code which needs to be displayed
raw.

Signed-off-by: Bernardo Gonzalez Kriegel <bgkriegel@gmail.com>

Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>

Signed-off-by: Brendan Gallagher brendan@bywatersolutions.com
2016-01-29 17:54:15 +00:00
Bernardo Gonzalez Kriegel
4e278782f1 Bug 12673: Remove CGI::scrolling_list from C4::Items.pm
This patch removes the only instance in this file

To test:
1. Apply the patch
2. (Easy way) Put on staff URL
/cgi-bin/koha/services/itemrecorddisplay.pl?biblionumber=N&itemnumber=M
3. Code replaced corresponds to pulldowns, verify information
is correct (check with another item edit view)

PrepareItemrecordDisplay() in Items.pm is filled with chunks of
HTML code that must be put on TT file. For now scrolling_list
is the only removed.

Signed-off-by: Owen Leonard <oleonard@myacpl.org>
Signed-off-by: Katrin Fischer <Katrin.Fischer.83@web.de>
Tested different item edit displays and the URL given above,
no regressions found. Also passes all tests and QA script.

Signed-off-by: Tomas Cohen Arazi <tomascohen@gmail.com>
2014-08-03 17:21:08 -03:00
5e1f8caf60 Bug 10475 - Item form in acquisition not hiding subfields properly
Subfields hidden in your ACQ framework leave a gap where they used to
be in the item entry form when adding an item to an order. This patch
makes the same change made by 7116 to services/itemrecorddisplay.tt to
correct the problem.

To test:

- Edit your ACQ framework and set some item subfields to hidden in the
  editor.
- Set your  AcqCreateItem system preference to "when placing an order."
- Add a title to an existing basket from an existing record.

The item entry form should display correctly with your hidden subfields
hidden. No whitespace should be left behind where the subfields were
hidden.

Also changed: Invalid "size" attributes on hidden form fields in
neworderempty.tt, stray </li>.

Signed-off-by: Chris Cormack <chris@bigballofwax.co.nz>
Signed-off-by: Katrin Fischer <Katrin.Fischer.83@web.de>
Works nicely, passes all tests and QA script.
Thx Owen!

Signed-off-by: Galen Charlton <gmc@esilibrary.com>
2013-07-12 20:40:15 +00:00
Christophe Croullebois
67556a733a Bug 8637: Lack of control on mandatory in orderreveive.tt
Just add a check in Jscript when the form is submitted, the same as in additem.tt
On Owen's suggestion I have added the red color and 'Required', the same as in additem.
On Jonathan's suggestion I have used the CSS class for red and italic and I have changed a variable's name (alertString2).
Signed-off-by: Chris Cormack <chris@bigballofwax.co.nz>

Signed-off-by: Katrin Fischer <Katrin.Fischer.83@web.de>
Mandatory fields are now correctly checked on saving.

On other Jonathan's suggestion I have created a new class "missing" and I have added the background to staff-global.css.
The same for additem.tt.

Signed-off-by: Katrin Fischer <Katrin.Fischer.83@web.de>
Retested because of minor CSS change. Works nicely.

Signed-off-by: Paul Poulain <paul.poulain@biblibre.com>
2012-08-31 13:48:52 +02:00
Julian Maurice
eefc774e27 Bug 7178: Acquisition item creation improvement
- Display a unique item block at once

On orderreceive.pl when AcqCreateItem is 'receiving', and on
neworderempty.pl when AcqCreateItem is 'ordering' it displays an
item block with item infos to fill, and a '+' button.
When user clicks on '+', the block is hidden and a list shows up with
the items that will be received. User can then edit or delete items in
the list and click 'Save' to receive items.

- PrepareItemrecordDisplay is now used for cloning block

Previous cloning function was duplicating ids, the side effect is that
plugins didn't work when several items were displayed.
PrepareItemrecordDisplay regenerates the form with new ids

- New system preference UniqueItemFields

Contains a space-separated list of sql column names (of items table).
This syspref is used in two ways:
 - Values corresponding to fields in syspref are not duplicated when
   adding a new item (button 'Add')
 - When saving the form, a check is made on fields in syspref for
   detecting duplicate (in DB and in the form)

Signed-off-by: Katrin Fischer <Katrin.Fischer.83@web.de>
All tests done are noted on the bug report.

2012-03-23: Fixed conflict in updatedatabase.
Signed-off-by: Paul Poulain <paul.poulain@biblibre.com>
2012-03-26 11:07:23 +02:00