Commit graph

4 commits

Author SHA1 Message Date
Jonathan Druart
dcd1f5d48c Bug 13618: Add html filters to all the variables
Here we go, next step then.
As we did not fix the performance issue when autofiltering
the variables (see bug 20975), the only solution we have is to add the
filters explicitly.

This patch has been autogenerated (using add_html_filters.pl, see next
patches) and adds the html filter to all the variables displayed in the
template.
Exceptions are made (using the new 'raw' TT filter) for the variables we
already listed in the previous versions of this patch.

To test:
- Use t/db_dependent/Koha/Patrons.t to populate your DB with autogenerated
data which contain <script> tags

- Remove them from borrower_debarments.comments (they are allowed here)
update  borrower_debarments set comment="html tags possible here";

- From the interface, hit pages and try to catch an alert box.
If you find one it means you have found a possible XSS.
To know where it comes from:
* note the exact URL where you found it
* note the alert box content
* Dump your DB and search for the string in the dump to identify its
location (for instance table.field)

Next:
* Ideally we would like to use the raw filter when it is not necessary
to HTML escape the variables (in big loops, for instance)
* Provide a QA script to catch missing filters (we want html, uri, url
or raw, certainly others that I am forgetting now)
* Replace the html filters with uri when needed (!)

Signed-off-by: Owen Leonard <oleonard@myacpl.org>

Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>

Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
2018-08-17 15:55:05 +00:00
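One way to implement the QA check for missing filters that this commit message lists under "Next", as an added example in Python that is not Koha's own qa-test-tools; the sample template, its variable names and the accepted filter set (html, uri, url, raw) are constructed from the message above:

```python
"""Toy QA check for Template Toolkit: flag output directives whose variable is
not passed through an escaping filter (html, uri, url) or explicitly marked raw."""
import re

# Directives that control flow, include files or assign values emit no output.
_KEYWORDS = {
    "IF", "ELSIF", "ELSE", "UNLESS", "END", "FOREACH", "FOR", "WHILE", "SWITCH", "CASE",
    "SET", "DEFAULT", "INCLUDE", "PROCESS", "BLOCK", "USE", "WRAPPER", "CALL", "MACRO",
    "RETURN", "STOP", "LAST", "NEXT", "TRY", "CATCH", "FINAL", "THROW", "CLEAR", "META",
    "TAGS", "INSERT", "FILTER",
}
_ACCEPTED_FILTERS = {"html", "uri", "url", "raw"}
_DIRECTIVE = re.compile(r"\[%-?\s*(.*?)\s*-?%\]", re.S)


def unfiltered_variables(template: str) -> list[tuple[int, str]]:
    """Return (line, directive body) for each output directive with no accepted filter."""
    findings = []
    for m in _DIRECTIVE.finditer(template):
        body = m.group(1)
        if not body or body.startswith("#"):
            continue  # empty directive or TT comment
        if body.split(None, 1)[0].upper() in _KEYWORDS:
            continue  # control-flow / include / assignment keyword
        if re.match(r"[\w.]+\s*=[^=]", body):
            continue  # bare assignment such as [% total = items.size %]
        # Everything after the first '|' is the filter chain; the '$' sigil
        # (as in '$raw') is stripped so both spellings count.
        chain = [p.strip() for p in body.split("|")[1:] if p.strip()]
        if {p.split()[0].lstrip("$") for p in chain} & _ACCEPTED_FILTERS:
            continue
        line = template.count("\n", 0, m.start()) + 1
        findings.append((line, body))
    return findings


# Constructed sample: two variables are emitted without any filter.
SAMPLE_TEMPLATE = """\
[% INCLUDE 'doc-head-open.inc' %]
<h1>[% patron.surname | html %], [% patron.firstname %]</h1>
[% IF debarment %]<p>[% debarment.comment | raw %]</p>[% END %]
[% FOREACH item IN items %]
<li><a href="/detail.pl?biblionumber=[% item.biblionumber | uri %]">[% item.title %]</a></li>
[% END %]
[% SET count = items.size %]
"""

if __name__ == "__main__":
    for line, body in unfiltered_variables(SAMPLE_TEMPLATE):
        print(f"line {line}: [% {body} %] is missing an html/uri/url/raw filter")
```

Run against a real template directory it would report `patron.firstname` and `item.title` style directives as candidates to review; it does not decide whether html or uri is the right filter for a given context.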
48bf229cc8 Bug 19514: Implement password restrictions into onboarding tool
Test plan:
1. Drop and recreate your database
2. Restart memcached
3. Go through the web installer
4. In the onboarding tool create a patron with a password of only 2 characters in length
5. Notice the patron is successfully created and no warning message is
displayed
6. Repeat steps 1, 2, 3 and create a patron with a password of 3 characters,
none of which is an uppercase letter or number, and notice the patron is
successfully created and no warning message is displayed
7. Apply patch
8. Repeat steps 1,2,3 and create a patron with a password consisting of
2 characters, notice that after submitting the form the same form is
loaded again and there is a warning message at the top of the page
informing you the patron wasn't created
9. Repeat steps 1,2,3 and create a patron with a password consisting of
3 characters (all lower case) and submit the form, notice the same form
is reloaded and a warning message at the top of the page informs you
that the patron wasn't created because the password was weak
10. Repeat steps 1, 2, 3 and create a patron with a password consisting of
3 characters (one lower case letter, one upper case letter and one
number) and submit the form and notice this time the next form in the
onboarding is displayed with the message at the top of the screen
informing you that the patron was successfully created

Sponsored-By: Catalyst IT

Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>

Signed-off-by: David Bourgault <david.bourgault@inlibro.com>

Signed-off-by: Josef Moravec <josef.moravec@gmail.com>

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
2017-12-14 16:57:56 -03:00
6596513d4b Bug 17942 - Update style of the web installer with Bootstrap 3
This patch makes style and markup changes to the web installer and new
onboarding tool (Bug 17855).

- Markup has been corrected, improved, and in many places reindented.
- Some page titles have been made more specific.
- Some JavaScript and CSS have been moved to separate files.

In the onboarding tool I have removed form validation from the markup
and JavaScript in many cases where the requirements were not matched
elsewhere in Koha. For instance, we shouldn't limit item type
descriptions to only letters because the database doesn't require such a
limit.

To test, apply the patch and run the web installer with an empty
database. Confirm that the installation process completes correctly and
that each page looks good and works correctly.

Works as advertised
Signed-off-by: Marc Véron <veron@veron.ch>

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>

Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
2017-05-09 20:54:30 +00:00
45a35f1ecc Bug 17855: Simplify the onboarding tool
This patch should not modify the behaviour of the onboarding tool much.
Its goal is mainly to remove duplicated as well as useless (because
copy/pasted from existing script files) code.

It assumes that the onboarding tool will be done on an empty database
and will skip steps that are not needed. For instance if a library
already exists, the first step will be skipped.

One of the main problems was the lack of feedback messages sent to the
user when something wrong/ok happened.

Explanation on main changes:
1. Use checkauth first, then get_template_and_user
=> As we do not know the template to use, it's better to use checkauth
first to know if the user is logged in, then retrieve the template we
need, depending on the success or the failure of the action
2. Create a @messages variable
Pushing messages to this variable and handling the messages via an
include file (onboarding_messages.inc) simplifies error handling. Note
that we could remove this include file if we merge all the
onboardingstepX.tt files altogether
3. Simplify creation of the administrator user
This patch removes some unnecessary checks done on the user's info
(passwd too short, mandatory fields)

Todo (minor): Add style to feedback messages

Signed-off-by: Alex Buckley <alexbuckley@catalyst.net.nz>

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>

Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
2017-04-28 08:36:20 -04:00