Koha/misc
Jonathan Druart dcd1f5d48c Bug 13618: Add html filters to all the variables
Here we go, next step then.
As we did not fix the performance issue when autofiltering
the variables (see bug 20975), the only solution we have is to add the
filters explicitly.

This patch has been autogenerated (using add_html_filters.pl, see next
patches) and adds the html filter to all the variables displayed in the
template.
Exceptions are made (using the new 'raw' TT filter) for the variables we
already listed in the previous versions of this patch.

To test:
- Use t/db_dependent/Koha/Patrons.t to populate your DB with autogenerated
data which contain <script> tags

- Remove them from borrower_debarments.comments (they are allowed here)
update borrower_debarments set comment="html tags possible here";

- From the interface, hit pages and try to catch alert boxes.
If you find one it means you have found a possible XSS.
To know where it comes from:
* note the exact URL where you found it
* note the alert box content
* Dump your DB and search for the string in the dump to identify its
location (for instance table.field)

Next:
* Ideally we would like to use the raw filter when it is not necessary
to HTML escape the variables (in big loops, for instance)
* Provide a QA script to catch missing filters (we want html, uri, url
or raw, certainly others that I am forgetting now)
* Replace the html filters with uri when needed (!)

Signed-off-by: Owen Leonard <oleonard@myacpl.org>

Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>

Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
2018-08-17 15:55:05 +00:00
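The "Next" list in the commit message asks for a QA script that catches output directives with no html, uri, url or raw filter. The script below is an added example of such a check; it is not Koha's own qa tool and is not part of this commit. It assumes uppercase TT keywords (Koha's templates use them) and takes the four filters named in the commit as the accepted set; the template it scans is constructed here and is not a real Koha template. It also goes one step beyond the commit's list, covering the "replace html with uri when needed" item: a value placed in a link's query string is flagged unless it is `| uri`-filtered, because html escaping is the wrong escape for that context.

```python
"""Lint Template Toolkit templates for output directives that lack an escaping filter.

Added example for the QA-script idea in the commit message above; not Koha's own
qa script.  Assumptions: uppercase TT keywords, and the accepted filters are the
ones the commit names (html, uri, url, raw).
"""
import re

ACCEPTED_FILTERS = {"html", "uri", "url", "raw"}

# TT directives that do not emit a variable's value; anything else is treated as output.
NON_OUTPUT = {
    "IF", "UNLESS", "ELSIF", "ELSE", "END", "FOREACH", "WHILE", "SWITCH", "CASE",
    "SET", "DEFAULT", "USE", "INCLUDE", "PROCESS", "INSERT", "WRAPPER", "BLOCK",
    "MACRO", "FILTER", "PERL", "RAWPERL", "TRY", "CATCH", "FINAL", "THROW",
    "RETURN", "STOP", "NEXT", "LAST", "BREAK", "CLEAR", "META", "DEBUG", "CALL",
}

# [% ... %] including chomp markers ([%- / -%]) and directives that span lines.
DIRECTIVE_RE = re.compile(r"\[%-?(.*?)-?%\]", re.S)
# Attributes whose value is a URL; a directive in their query string needs `uri`.
URL_ATTR_RE = re.compile(r'\b(?:href|src|action)\s*=\s*"([^"]*)"', re.I)


def is_output_directive(body):
    """True if the directive prints a value (so it needs a filter)."""
    if not body or body.startswith("#"):          # empty, or a [%# comment %]
        return False
    if body.split(None, 1)[0] in NON_OUTPUT:      # keyword directive
        return False
    if re.match(r"^[\w.$]+\s*=(?!=)", body):      # plain assignment, not ==
        return False
    return True


def outermost_filter(body):
    """Name of the last filter applied ("x | html | uri" -> "uri"), or None."""
    chain = re.split(r"\s*\|\s*|\s+FILTER\s+", body)   # both TT filter syntaxes
    if len(chain) < 2:
        return None
    m = re.match(r"\w+", chain[-1].strip())
    return m.group(0) if m else None


def _line_of(text, offset):
    return text.count("\n", 0, offset) + 1


def find_unfiltered(text):
    """Return [(line, directive)] for output directives with no accepted filter."""
    hits = []
    for d in DIRECTIVE_RE.finditer(text):
        body = d.group(1).strip()
        if is_output_directive(body) and outermost_filter(body) not in ACCEPTED_FILTERS:
            hits.append((_line_of(text, d.start()), body))
    return hits


def find_html_in_query_string(text):
    """Return [(line, directive)] for output directives inside a URL attribute's query
    string that are not `uri`-filtered.  `html` is the wrong escape there: it leaves
    = ? # / alone and turns & into &amp;, which the browser decodes back to a literal
    & when it parses the attribute, so a value can still inject extra query parameters.
    TT's `url` filter also leaves & = ? unescaped, so only `uri` is accepted here."""
    hits = []
    for attr in URL_ATTR_RE.finditer(text):
        value = attr.group(1)
        qmark = value.find("?")
        if qmark < 0:
            continue
        for d in DIRECTIVE_RE.finditer(value, qmark):
            body = d.group(1).strip()
            if is_output_directive(body) and outermost_filter(body) != "uri":
                hits.append((_line_of(text, attr.start(1) + d.start()), body))
    return hits


# Constructed sample, not a real Koha template: filtered, unfiltered, keyword and
# multi-line directives, plus two links with a variable in the query string.
SAMPLE_TEMPLATE = """\
[% INCLUDE 'doc-head-open.inc' %]
[%# constructed sample: not a real Koha template %]
[% SET title = borrower.surname %]
<h1>[% borrower.surname | html %], [% borrower.firstname %]</h1>
[% IF borrower.debarred %]
<p>[% debarment.comment | raw %]</p>
[% END %]
[% FOREACH b IN borrowers %]
<li>[% b.address
      | html %]</li>
[% END %]
<a href="/cgi-bin/koha/members/moremember.pl?borrowernumber=[% borrower.borrowernumber | html %]">x</a>
<a href="/cgi-bin/koha/catalogue/search.pl?q=[% query | uri %]">y</a>
"""

if __name__ == "__main__":
    for line, body in find_unfiltered(SAMPLE_TEMPLATE):
        print(f"line {line}: missing filter on [% {body} %]")
    for line, body in find_html_in_query_string(SAMPLE_TEMPLATE):
        print(f"line {line}: use | uri, not | html, in a query string: [% {body} %]")
```

On the constructed sample it reports `borrower.firstname` on line 4 as unfiltered and the `| html` in the moremember.pl link on line 12 as the wrong escape for a query-string value; the keyword, comment, assignment, raw and multi-line directives pass. The heuristics are deliberately simple: multi-statement directives separated by `;`, and a double quote inside a directive within an attribute value (which cuts the attribute match short), would need handling before running this over a real template tree.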
admin
bin
cronjobs Bug 13618: Add html filters to all the variables 2018-08-17 15:55:05 +00:00
devel Bug 21087: (QA follow-up) Fix usage in create_superlibrarian.pl 2018-07-30 22:51:32 -03:00
interface_customization Bug 20647: (alternate) When ILL is enabled the hover effect on the ILL requests button is wrong 2018-08-10 10:38:12 +00:00
load_testing Bug 17829: Move GetMember to Koha::Patron 2017-07-10 13:14:19 -03:00
maintenance Bug 19454: (QA follow-up) Fix selection on categorycode 2018-03-23 11:45:38 -03:00
migration_tools Bug 20811: (RM follow-up) fix check for matching 2018-07-23 15:08:56 +00:00
release_notes Bug 20818: Add missing QA Manager entry in 18.05.00 release notes 2018-05-29 14:05:31 +00:00
search_tools Bug 17372: Standardize Elasticsearch paths 2016-10-11 01:07:03 +00:00
translator Fix translation issues 2018-05-24 14:30:21 -03:00
batchCompareMARCvsFrameworks.pl
batchdeletebiblios.pl
batchDeleteUnusedSubfields.pl
batchImportMARCWithBiblionumbers.pl
batchRebuildBiblioTables.pl Bug 19040: Refactor GetMarcBiblio parameters 2017-08-25 10:23:42 -03:00
batchRebuildItemsTables.pl Bug 20893: batchRebuildItemsTables.pl has incorrect parameter 2018-06-29 19:40:16 +00:00
batchRepairMissingBiblionumbers.pl Bug 19040: Refactor GetMarcBiblio parameters 2017-08-25 10:23:42 -03:00
check_sysprefs.pl
commit_file.pl
export_borrowers.pl Bug 17829: Move GetMember to Koha::Patron 2017-07-10 13:14:19 -03:00
export_records.pl Bug 19730: (follow-up bug 17196) Use biblio_metadata.timestamp in export_records.pl 2018-02-02 12:08:42 -03:00
exportauth.pl
import_patrons.pl Bug 12598: Fix POD 2018-02-16 14:05:18 -03:00
koha-install-log Bug 18920: Save DB_USE_TLS and FONT_DIR to install log 2017-10-27 16:07:15 -03:00
kohalib.pl
link_bibs_to_authorities.pl Bug 19040: Refactor GetMarcBiblio parameters 2017-08-25 10:23:42 -03:00
mod_zebraqueue.pl
perlmodule_ls.pl
perlmodule_rm.pl
recreateIssueStatistics.pl
sax_parser_print.pl Bug 17626 (QA followup) 2016-11-22 11:29:07 +00:00
sax_parser_test.pl
sip_cli_emulator.pl Bug 16757 - Add support for Fee Paid to SIP cli emulator for testing 2017-03-31 13:56:37 +00:00
stage_file.pl Bug 19049: Fix regression on stage-marc-import with to_marc plugin 2017-08-15 12:17:41 -03:00