Main Koha release repository https://koha-community.org
Jonathan Druart b0cf6c087b
Bug 31219: Prevent JS injection in patron extended attributes
We are sanitizing other attributes but "extended patron attributes".

Test plan:
Make a patron attribute editable at the OPAC
Edit an existing patron, or register a new one
Use a script tag in the new value ("<script>alert("booh!")</script>" for instance)
With this patch the value is removed if it contains an HTML tag that is
not br b i em big small strong (see C4::Scrubber)

Signed-off-by: Mark Hofstetter <koha@trust-box.at>
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
2022-10-24 14:40:41 -03:00
acqui Bug 31115: Add additional field filtering for invoice search 2022-10-24 14:11:07 -03:00
admin Bug 15048: Index all possible searched subfields for index-term-genre 2022-10-24 14:39:38 -03:00
api Bug 30588: Add the option to require 2FA setup on first staff login 2022-10-21 11:36:57 -03:00
authorities Bug 29333: Fix encoding of imported UNIMARC authorities 2022-07-08 15:43:33 -03:00
basket Bug 31309: Remove GetItemsInfo from basket/sendbasket 2022-08-16 09:22:14 -03:00
bin Bug 20582: Turn Koha into a Mojolicious application 2020-10-06 12:00:04 +02:00
C4 Bug 31115: Add additional_attributes support to GetInvoices 2022-10-24 14:11:07 -03:00
catalogue Bug 17170: Add admin page for filters and ability to edit/save existing filters 2022-10-21 11:15:16 -03:00
cataloguing Bug 29662: (bug 27526 follow-up) Prefill all subfields if SubfieldsToUseWhenPrefill is empty 2022-10-21 11:34:01 -03:00
circ Bug 25426: Allow return policy to be selected via syspref and not just home library 2022-10-18 09:14:52 -03:00
clubs Bug 30718: Use flatpickr's altInput 2022-08-19 08:26:31 -03:00
course_reserves Bug 30409: barcodedecode() should always trim barcode 2022-06-14 07:54:58 -03:00
debian Bug 25716: (QA follow-up) Move additional options to etc/z3950/config.xml 2022-10-24 13:11:27 -03:00
docs Bug 30808: Add the 22.05 release team. 2022-05-25 23:56:12 -10:00
errors Bug 29420: HTTP status code incorrect when calling error pages directly under Plack/PSGI 2022-04-20 09:03:39 -10:00
etc Bug 15048: Index all possible searched subfields for index-term-genre 2022-10-24 14:39:38 -03:00
ill Bug 28909: Allow illview to use backend template 2022-08-09 13:21:39 -03:00
installer Bug 31715: Fix dbrev permissions 2022-10-24 14:34:36 -03:00
Koha Bug 22678: (follow-up) Array ref expected in context key 2022-10-24 14:37:05 -03:00
koha-tmpl Bug 31577: Use patron category multi-select for OpacHiddenItemsExceptions system preference 2022-10-24 14:15:27 -03:00
labels Bug 31633: (follow-up) Group template params 2022-10-03 14:09:59 -03:00
lib/CGI/Session/Serialize Bug 17600: Standardize our EXPORT_OK 2021-07-16 08:58:47 +02:00
members Bug 31739: Password recovery from staff fails if previous expired reset-entry exists. 2022-10-24 14:12:16 -03:00
misc Revert "Bug 15187: Index 880 in Zebra the same as Elasticsearch" 2022-10-24 14:03:44 -03:00
offline_circ Bug 30016: Remove GetOpenIssue subroutine 2022-08-31 08:50:37 -03:00
opac Bug 31219: Prevent JS injection in patron extended attributes 2022-10-24 14:40:41 -03:00
patron_lists Bug 16446: Add ability to add patrons to list by borrowernumber 2021-10-21 12:24:04 +02:00
patroncards Bug 24001: Fix patron card template edition 2022-04-28 10:49:20 -10:00
plugins Bug 29787: Add plugin version to plugin search results 2022-04-08 15:49:15 +02:00
pos Bug 30619: Add email receipt to POS 2022-09-07 15:59:34 -07:00
recalls Bug 30924: Add missing branchtransfers.reason value for recall cancellation 2022-06-13 10:30:51 -03:00
reports Bug 28967: Patrons with no checkouts report shows patrons from other libraries with IndependentBranches 2022-10-17 08:10:59 -03:00
reserve Bug 31575: Missing warning for holds where AllowHoldPolicyOverride can be used to force a hold to be placed 2022-10-11 10:12:35 -03:00
reviews Bug 17600: Standardize our EXPORT_OK 2021-07-16 08:58:47 +02:00
rotating_collections Bug 17600: Standardize our EXPORT_OK 2021-07-16 08:58:47 +02:00
serials Bug 29608: Made so doesn't require full permission 2022-09-07 13:49:53 -07:00
services Bug 17600: Standardize our EXPORT_OK 2021-07-16 08:58:47 +02:00
skel Bug 11078: Add locking to rebuild_zebra 2014-02-28 22:21:41 +00:00
suggestion Bug 30718: Use flatpickr's altInput 2022-08-19 08:26:31 -03:00
svc Bug 31682: Silence automatic linker warn 2022-10-11 10:41:23 -03:00
t Bug 31577: Use patron category multi-select for OpacHiddenItemsExceptions system preference 2022-10-24 14:15:27 -03:00
tags Bug 30718: Use flatpickr's altInput 2022-08-19 08:26:31 -03:00
tmp/modified_authorities changing DO_NOT_REMOVE to README.txt 2007-10-21 19:14:41 -05:00
tools Bug 31590: Remove Text::CSV::Unicode 2022-09-21 16:07:21 -03:00
virtualshelves Bug 28375: (follow-up) Use C4::Context->interface 2022-10-20 11:50:53 -03:00
xt Bug 31590: Remove Text::CSV::Unicode 2022-09-21 16:07:21 -03:00
.editorconfig Bug 27375: Set YAML file settings in .editorconfig 2021-11-03 15:40:52 +01:00
.eslintrc.json Bug 23834: Add default ESLint configuration 2019-11-03 08:02:39 +00:00
.gitignore Bug 20427: Convert OPAC LESS to SCSS 2018-08-09 15:17:07 +00:00
.htaccess Fix file permissions: if it is not a script, it should not be executable. 2010-04-16 00:40:34 -04:00
.mailmap 22.05.00: Update mailmap 2022-05-25 23:56:12 -10:00
.perlcriticrc Bug 25898: Prohibit indirect object notation 2020-10-15 12:56:30 +02:00
.proverc.dist Bug 19821: Install sample data, ES mappings and Version syspref 2021-10-25 11:27:40 +02:00
.stylelintrc.json Bug 31528: (follow-up) A few additional rules 2022-10-03 08:23:15 -03:00
about.pl Bug 29744: (QA follow-up) Call psgi_env in OO style 2022-09-22 08:11:58 -03:00
app.psgi Bug 20582: Fix PSGI file when behind a reverse proxy 2020-10-06 12:00:04 +02:00
changelanguage.pl Bug 25898: Prohibit indirect object notation 2020-10-15 12:56:30 +02:00
cpanfile Bug 31588: Update cpanfile for new OpenAPI versions (master) 2022-10-21 11:32:51 -03:00
fix-perl-path.PL Bug 28606: Remove $DEBUG and $ENV{DEBUG} 2021-06-24 11:53:44 +02:00
gulpfile.js Bug 30373: Enable translation of UNIMARC frameworks 2022-04-21 13:41:35 -10:00
help.pl Bug 17600: Standardize our EXPORT_OK 2021-07-16 08:58:47 +02:00
INSTALL Bug 26617: Update INSTALL file to include koha-testing-docker and Gitlab links 2020-10-15 12:56:30 +02:00
Koha.pm Bug 31577: DBRev 22.06.00.070 2022-10-24 14:19:42 -03:00
koha_perl_deps.pl Bug 17600: Standardize our EXPORT_OK 2021-07-16 08:58:47 +02:00
kohaversion.pl Bug 26384: Fix executable flags 2020-09-11 09:56:56 +02:00
LICENSE Bug 9440 - update Koha's LICENSE file from GPL2 to GPL3 2013-02-12 08:52:10 -05:00
mainpage.pl Bug 30650: Add filter_by_scheduled_today 2022-07-29 15:00:47 -03:00
Makefile.PL Bug 19532: Database and installer stuff 2022-03-14 22:45:50 -10:00
MANIFEST.SKIP Bug 9546 : Updating make manifest tardist 2013-02-06 23:54:46 -05:00
package.json Bug 31528: Replace scss-lint configuration with one for stylelint 2022-10-03 08:23:14 -03:00
README Bug 9440 - update Koha's LICENSE file from GPL2 to GPL3 2013-02-12 08:52:10 -05:00
README.md Bug 27092: Remove note about "synced repo" from README.md 2020-11-25 16:31:58 +01:00
README.robots Bug 6411 add another example to README.robots 2011-07-05 14:48:05 +12:00
rewrite-config.PL Bug 28519: Put CGI::Session::Serialize::yamlxs in lib directory 2021-06-17 10:07:36 +02:00
yarn.lock Bug 31528: Replace scss-lint configuration with one for stylelint 2022-10-03 08:23:14 -03:00

Koha is a free software integrated library system (ILS).

Koha is distributed under the GNU GPL version 3 or later.

Note: Koha does not accept pull requests from git hosting sites.

Note: This project has its own bug tracker; to report a bug or submit a patch, visit http://bugs.koha-community.org.

For guidelines on submitting patches for Koha please visit https://wiki.koha-community.org/wiki/SubmitingAPatch

The developer's handbook can be found at https://wiki.koha-community.org/wiki/Developer_handbook

http://koha-community.org/
