Koha/misc/cronjobs/rss
Jonathan Druart dcd1f5d48c Bug 13618: Add html filters to all the variables
Here we go, next step then.
As we did not fix the performance issue when autofiltering
the variables (see bug 20975), the only solution we have is to add the
filters explicitly.

This patch has been autogenerated (using add_html_filters.pl, see next
patches) and adds the html filter to all the variables displayed in the
template.
Exceptions are made (using the new 'raw' TT filter) to the variables we
already listed in the previous versions of this patch.

To test:
- Use t/db_dependent/Koha/Patrons.t to populate your DB with autogenerated
data which contain <script> tags

- Remove them from borrower_debarments.comments (they are allowed here)
update  borrower_debarments set comment="html tags possible here";

- From the interface hit page and try to catch alert box.
If you find one it means you found a possible XSS.
To know where it comes from:
* note the exact URL where you found it
* note the alert box content
* Dump your DB and search for the string in the dump to identify its
location (for instance table.field)

Next:
* Ideally we would like to use the raw filter when it is not necessary
to HTML escape the variables (in big loop for instance)
* Provide a QA script to catch missing filters (we want html, uri, url
or raw, certainly others that I am forgetting now)
* Replace the html filters with uri when needed (!)

Signed-off-by: Owen Leonard <oleonard@myacpl.org>

Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>

Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
2018-08-17 15:55:05 +00:00
lastAcquired-1.0.conf
lastAcquired-1.0.tt
lastAcquired-2.0.conf
lastAcquired-2.0.tt
lastAcquired.conf
lastAcquired.tt
longestUnseen.conf
longestUnseen.tt
mostReserved.conf
mostReserved.tt
README
rss.pl
sm-koha-icon.jpg

About:
rss.pl is meant to provide an extensible tool for creating RSS 0.91
formatted files suitable for syndication.  The script relies on two
external files (a config file and a template) for its configuration.
Rather than trying to explain how this occurs, I'll show you using the
provided lastAcquired files.  There are currently three RSS feeds
bundled in this tarball (lastAcquired, longestUnseen, and mostReserved);
the config files for each of these should be modified to suit your
local site.  A smallish Koha image (sm-koha-icon.jpg) is included as
well.

Dependencies:
rss.pl depends on an installed Koha system, and uses the C4::Context
module it provides.

Details:
rss.pl is meant to be run from cron (probably once a day or so -- more
often at larger libraries depending on the report being generated).  It 
is invoked like this (in the case of lastAcquired):

 rss.pl /path/to/rssKoha/lastAcquired.conf 

The basic process is that rss.pl reads the config file
(lastAcquired.conf) to determine the RSS header information, the SQL
query used to generate the results, and the Template Toolkit template
used to format the output.  Since you'll likely want to create your own
RSS content, or at least modify the ones present here, let's review the
config file and the template file.

A config file is divided into three sections: channel, image, and
config.  A section begins with the name of the section occurring alone
on a line, and ends with the beginning of the next section (or the end
of the file).  Each of these sections contains a series of configuration
options in the form:

name=content

The content can contain spaces, but not newlines, special characters,
or html mark-up.  It's also important that there are no blank lines
within the config file.

Here's lastAcquired.conf by way of example:

channel
title=Recent Koha Acquisitions
link=http://www.koha-community.org
desc=The 15 most recent acquisitions
lang=en
lastBuild=Fri, 09 May 2003 08:00:00
image
title=Koha, the worlds best Open Source Library System
url=http://www.koha-community.org/images/foo.jpg
link=http://www.koha-community.org
config
template=lastAcquired.tt
output=lastAcquired.xml
query=select biblioitems.isbn as isbn, biblio.title as title, biblio.author as author from biblio, biblioitems, items where biblioitems.biblionumber = items.biblionumber and biblio.biblionumber = items.biblionumber and items.dateaccessioned is not NULL order by items.dateaccessioned desc
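As an added illustration (not Koha's own rss.pl), here is a Perl parser for the config format just described: a section name alone on a line opens a section, every other line is name=content, and blank lines are an error. The sample config embedded at the bottom is constructed, and the SELECT-only check on config.query is an extra guard this example adds, not something the README says rss.pl does.

```perl
# Added example, not Koha's rss.pl: parse the three-section config format
# described above (section name alone on a line, then name=content lines,
# no blank lines). The sample config below is constructed.
use strict;
use warnings;

my @SECTIONS = qw(channel image config);

sub parse_rss_config {
    my ($text) = @_;
    my ( %conf, $section, $lineno );
    for my $line ( split /\n/, $text ) {
        $lineno++;
        if ( grep { $line eq $_ } @SECTIONS ) {    # section header
            $section = $line;
            $conf{$section} //= {};
            next;
        }
        die "line $lineno: blank lines are not allowed\n" if $line =~ /^\s*$/;
        die "line $lineno: option before any section\n" unless defined $section;
        # Split on the first '=' only: the SQL query value contains '=' in
        # its WHERE clause, and URLs may carry one in a query string.
        my ( $name, $value ) = split /=/, $line, 2;
        die "line $lineno: expected name=content\n" unless defined $value;
        $conf{$section}{$name} = $value;
    }
    die "missing section '$_'\n" for grep { !$conf{$_} } @SECTIONS;
    # rss.pl runs config.query against the Koha database; this added guard
    # refuses anything that is not a plain SELECT so a bad config file
    # cannot modify data.
    die "config.query must be a SELECT statement\n"
        unless ( $conf{config}{query} // '' ) =~ /\A\s*select\b/i;
    return \%conf;
}

my $sample = <<'CONF';
channel
title=Recent Koha Acquisitions
link=http://www.koha-community.org
lastBuild=Fri, 09 May 2003 08:00:00
image
title=Koha
url=http://www.koha-community.org/images/foo.jpg
config
template=lastAcquired.tt
output=lastAcquired.xml
query=select biblio.title as title from biblio where biblio.biblionumber = 1
CONF

my $conf = parse_rss_config($sample);
printf "%-9s %s\n", $_, $conf->{config}{$_} for sort keys %{ $conf->{config} };
```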


This data (and the data acquired from the query) are then used to fill
in the template.  Most of the template is boilerplate and should not
be edited.  The section within the [% FOREACH i IN ITEMS %] ... [% END %]
is the part which can be modified to create your own RSS content.

Here's the lastAcquired.tt file:

<?xml version="1.0" encoding="UTF-8"?>

<!DOCTYPE rss PUBLIC "-//Netscape Communications/DTD RSS 0.91/EN"
	  "http://my.netscape.com/publish/formats/rss-0.91.dtd">

<rss version="0.91">

<channel>
 <title>[% CHANNELTITLE %]</title>
 <link>[% CHANNELLINK %]</link>
 <description>[% CHANNELDESC %]</description>
 <language>[% CHANNELLANG %]</language>
 <lastBuildDate>[% CHANNELLASTBUILD %]</lastBuildDate>

 <image>
  <title>[% IMAGETITLE %]</title>
  <url>[% IMAGEURL %]</url>
  <link>[% IMAGELINK %]</link>
 </image>

[% FOREACH i IN ITEMS %]
 <item>
  <title>[% i.TITLE %], by [% i.AUTHOR %]</title>
  <link>http://opac.library.org.nz/cgi-bin/koha/opac-searchresults.pl?isbn=[% i.ISBN %]</link>
 </item>
[% END %]

</channel>
</rss>
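The template above interpolates query results straight into the XML. The commit this page belongs to adds Template Toolkit's html filter across Koha, and the following added example (not Koha's code) renders the same item block with those filters so that a title containing markup is escaped rather than emitted raw. The rows and the opac.example.org host are constructed placeholders.

```perl
# Added example, not Koha's rss.pl: render the <item> block of lastAcquired.tt
# with Template Toolkit's built-in 'html' and 'uri' filters (the filters the
# commit above adds across Koha). Rows and the OPAC host are constructed.
use strict;
use warnings;
use Template;

# Rows as the config's 'query' would return them; the first title carries
# markup that must not reach the feed unescaped.
my @items = (
    { TITLE  => 'Perl <script>alert(1)</script> Cookbook',
      AUTHOR => 'Tom & Nat', ISBN => '0596003137' },
    { TITLE => 'Programming Perl', AUTHOR => 'Larry Wall', ISBN => '0596000278' },
);

# The item block from lastAcquired.tt, with filters: 'html' for text nodes,
# 'uri' for the ISBN because it lands inside a URL query string.
my $template = <<'TT';
[% FOREACH i IN ITEMS %]
 <item>
  <title>[% i.TITLE | html %], by [% i.AUTHOR | html %]</title>
  <link>http://opac.example.org/cgi-bin/koha/opac-searchresults.pl?isbn=[% i.ISBN | uri %]</link>
 </item>
[% END %]
TT

sub render_items {
    my ( $tt_source, $rows ) = @_;
    my $tt  = Template->new() or die Template->error;
    my $out = '';
    $tt->process( \$tt_source, { ITEMS => $rows }, \$out ) or die $tt->error;
    return $out;
}

print render_items( $template, \@items );
```

In the rendered output the angle brackets and ampersand of the first row appear as XML entities, so the feed stays well-formed and a reader displays the tag text literally.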

Credits:
Originally written by Pat Eyler (pate@eylerfamily.org); suggestions,
advice, and help came from 'Content Syndication with RSS', Chris
Cormack, Mike Hansen, Steve Tonnesen and a variety of folks on #koha at
irc.katipo.co.nz.
Updated for use with Template Toolkit by Kyle M Hall, ByWater Solutions