Koha/koha-tmpl/intranet-tmpl/prog/en/modules/members/member-password.tt
Jonathan Druart dcd1f5d48c Bug 13618: Add html filters to all the variables
Here we go, next step then.
As we did not fix the performance issue when autofiltering
the variables (see bug 20975), the only solution we have is to add the
filters explicitely.

This patch has been autogenerated (using add_html_filters.pl, see next
pathces) and add the html filter to all the variables displayed in the
template.
Exceptions are made (using the new 'raw' TT filter) to the variable we
already listed in the previous versions of this patch.

To test:
- Use t/db_dependent/Koha/Patrons.t to populate your DB with autogenerated
data which contain <script> tags

- Remove them from borrower_debarments.comments (there are allowed here)
update  borrower_debarments set comment="html tags possible here";

- From the interface hit page and try to catch alert box.
If you find one it means you find a possible XSS.
To know where it comes from:
* note the exact URL where you found it
* note the alert box content
* Dump your DB and search for the string in the dump to identify its
location (for instance table.field)

Next:
* Ideally we would like to use the raw filter when it is not necessary
to HTML escape the variables (in big loop for instance)
* Provide a QA script to catch missing filters (we want html, uri, url
or raw, certainly others that I am forgetting now)
* Replace the html filters with uri when needed (!)

Signed-off-by: Owen Leonard <oleonard@myacpl.org>

Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>

Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
2018-08-17 15:55:05 +00:00

157 lines
6.7 KiB
Text

[% USE raw %]
[% USE Asset %]
[% USE Koha %]
[% USE Branches %]
[% SET footerjs = 1 %]
[% INCLUDE 'doc-head-open.inc' %]
<title>Koha &rsaquo; Patrons &rsaquo; [% IF ( newpassword ) %]Password updated [% ELSE %]Update password for [% patron.surname | html %], [% patron.firstname | html %][% END %]</title>
[% INCLUDE 'doc-head-close.inc' %]
</head>
<body id="pat_member-password" class="pat">
[% INCLUDE 'header.inc' %]
[% INCLUDE 'patron-search.inc' %]
<div id="breadcrumbs"><a href="/cgi-bin/koha/mainpage.pl">Home</a> &rsaquo; <a href="/cgi-bin/koha/members/members-home.pl">Patrons</a> &rsaquo; <a href="/cgi-bin/koha/members/moremember.pl?borrowernumber=[% patron.borrowernumber | html %]">[% patron.firstname | html %] [% patron.surname | html %]</a> &rsaquo; [% IF ( newpassword ) %]Password Updated[% ELSE %]Change username and/or password[% END %]</div>
<div id="doc3" class="yui-t2">
<div id="bd">
<div id="yui-main">
<div class="yui-b">
[% INCLUDE 'members-toolbar.inc' %]
[% IF ( newpassword ) %]
<h1>Password Updated</h1>
[% ELSE %]
<form method="post" id="changepasswordf" action="/cgi-bin/koha/members/member-password.pl">
<input type="hidden" name="destination" value="[% destination | html %]" />
<input type="hidden" name="cardnumber" value="[% patron.cardnumber | html %]" />
<input type="hidden" name="borrowernumber" id="borrowernumber" value="[% patron.borrowernumber | html %]" />
[% IF ( errormsg ) %]
<div class="dialog alert">
<h4>The following errors have occurred:</h4>
<ul>
[% IF ( BADUSERID ) %]
<li>You have entered a username that already exists. Please choose another one.</li>
[% END %]
[% IF ( ERROR_password_too_short ) %]
<li id="ERROR_short_password">Password must be at least [% Koha.Preference('minPasswordLength') | html %] characters long.</li>
[% END %]
[% IF ( ERROR_password_too_weak ) %]
<li id="ERROR_weak_password">Password must contain at least one digit, one lowercase and one uppercase.</li>
[% END %]
[% IF ( ERROR_password_has_whitespaces ) %]
<li id="ERROR_weak_password">Password must not contain leading or trailing whitespaces.</li>
[% END %]
[% IF ( NOPERMISSION ) %]
<li>You do not have permission to edit this patron's login information.</li>
[% END %]
[% IF ( NOMATCH ) %]
<li><strong>The passwords entered do not match</strong>. Please re-enter the new password.</li>
[% END %]
</ul>
</div>
[% END %]
<fieldset class="brief"><legend>Change username and/or password for [% patron.firstname | html %] [% patron.surname | html %]</legend>
<ol>
<li><label for="newuserid">New username:</label>
<input type="hidden" name="member" value="[% patron.borrowernumber | html %]" /><input type="text" id="newuserid" name="newuserid" size="20" value="[% patron.userid | html %]" /></li>
[% SET password_pattern = ".{" _ Koha.Preference('minPasswordLength') _ ",}" %]
[% IF Koha.Preference('RequireStrongPassword') %]
[% SET password_pattern = '(?=.*\d)(?=.*[a-z])(?=.*[A-Z]).{' _ Koha.Preference('minPasswordLength') _ ',}' %]
[% END %]
<li>
<label for="newpassword">New password:</label>
<div class="hint">Koha cannot display existing passwords. Leave the field blank to leave password unchanged.</div>
<input name="newpassword" id="newpassword" type="password" size="20" />
</li>
<li>
<label for="newpassword2">Confirm new password:</label>
<input name="newpassword2" id="newpassword2" type="password" size="20" />
</li>
</ol>
</fieldset>
<fieldset class="action">
<input type="hidden" name="csrf_token" value="[% csrf_token | html %]" />
<input type="submit" value="Save" />
<a class="cancel" href="/cgi-bin/koha/members/moremember.pl?borrowernumber=[% patron.borrowernumber | html %]">Cancel</a>
</fieldset>
</form>[% END %]
</div>
</div>
<div class="loading hide"><strong>Processing...</strong><img src="[% interface | html %]/[% theme | html %]/img/loading.gif" alt="" /></div>
<div class="yui-b">
[% INCLUDE 'circ-menu.inc' %]
</div>
</div>
[% MACRO jsinclude BLOCK %]
[% INCLUDE 'str/members-menu.inc' %]
[% Asset.js("js/members-menu.js") | $raw %]
<script type="text/JavaScript">
function generate_password() {
// Always generate a strong password
var chars = '0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ';
var length = [% Koha.Preference('minPasswordLength') | html %];
if ( length < 8 ) length = 8;
var password='';
for ( var i = 0 ; i < length ; i++){
password += chars.charAt(Math.floor(Math.random()*chars.length));
}
return password;
}
$(document).ready(function() {
$("body").on('click', "#fillrandom",function(e) {
e.preventDefault();
var password = '';
var pattern_regex = /(?=.*\d)(?=.*[a-z])(?=.*[A-Z]).{[% Koha.Preference('minPasswordLength') | html %],}/;
while ( ! pattern_regex.test( password ) ) {
password = generate_password();
}
$("#newpassword").val(password);
$("#newpassword").attr('type', 'text');
$("#newpassword2").val(password);
$("#newpassword2").attr('type', 'text');
});
$("div.hint").eq(0).after(" <div class=\"hint\"><a href=\"#\" id=\"fillrandom\">"+_("Click to fill with a randomly generated suggestion. ")+"<strong>"+_("Passwords will be displayed as text")+"</strong>.</a></div>");
$(document).ajaxStart(function () {
$("input[name^=newpassword]").hide();
$("label[for=newpassword2]").hide();
$(".hint:last").after($(".loading").show());
});
$(document).ajaxStop(function () {
$("input[name^=newpassword]").show();
$("label[for=newpassword2]").show();
$(".loading").hide();
$("label.error").hide();
});
[% IF NOMATCH %]
$("#newpassword").addClass('focus');
[% END %]
$("#changepasswordf").validate({
rules: {
newpassword: {
password_strong: true,
password_no_spaces: true
},
newpassword2: {
password_match: true
}
}
});
});
</script>
[% PROCESS 'password_check.inc' %]
[% PROCESS 'add_password_check' new_password => 'newpassword' %]
[% END %]
[% INCLUDE 'intranet-bottom.inc' %]