dcd1f5d48c
Here we go, next step then. As we did not fix the performance issue when autofiltering the variables (see bug 20975), the only solution we have is to add the filters explicitely. This patch has been autogenerated (using add_html_filters.pl, see next pathces) and add the html filter to all the variables displayed in the template. Exceptions are made (using the new 'raw' TT filter) to the variable we already listed in the previous versions of this patch. To test: - Use t/db_dependent/Koha/Patrons.t to populate your DB with autogenerated data which contain <script> tags - Remove them from borrower_debarments.comments (there are allowed here) update borrower_debarments set comment="html tags possible here"; - From the interface hit page and try to catch alert box. If you find one it means you find a possible XSS. To know where it comes from: * note the exact URL where you found it * note the alert box content * Dump your DB and search for the string in the dump to identify its location (for instance table.field) Next: * Ideally we would like to use the raw filter when it is not necessary to HTML escape the variables (in big loop for instance) * Provide a QA script to catch missing filters (we want html, uri, url or raw, certainly others that I am forgetting now) * Replace the html filters with uri when needed (!) Signed-off-by: Owen Leonard <oleonard@myacpl.org> Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com> Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
52 lines
2.6 KiB
Text
52 lines
2.6 KiB
Text
[% INCLUDE 'doc-head-open.inc' %]
|
|
<title>Koha › Tools › Plugins › Upload plugin
|
|
</title>
|
|
[% INCLUDE 'doc-head-close.inc' %]
|
|
[% INCLUDE 'calendar.inc' %]
|
|
</head>
|
|
|
|
<body id="plugins_plugins_upload" class="plugins">
|
|
[% INCLUDE 'header.inc' %]
|
|
[% INCLUDE 'circ-search.inc' %]
|
|
|
|
<div id="breadcrumbs"><a href="/cgi-bin/koha/mainpage.pl">Home</a>
|
|
› <a href="/cgi-bin/koha/plugins/plugins-home.pl">Plugins</a>
|
|
› Upload plugins
|
|
</div>
|
|
|
|
<div class="container-fluid">
|
|
<div class="row">
|
|
<div class="col-sm-6 col-sm-offset-3 col-md-6 col-md-offset-3">
|
|
|
|
<h1>Upload Koha plugin</h1>
|
|
[% IF ( ERRORS ) %]
|
|
<div class="dialog alert">
|
|
[% FOREACH ERROR IN ERRORS %]
|
|
[% IF ( ERROR.NOTKPZ ) %]<li><b>The upload file does not appear to be a kpz file. The extension is not '.kpz'.</b></li>
|
|
[% ELSIF ( ERROR.NOWRITETEMP ) %]<li><b>This script is not able to create/write to the necessary temporary directory.</b></li>
|
|
[% ELSIF ( ERROR.EMPTYUPLOAD ) %]<li><b>The upload file appears to be empty.</b></li>
|
|
[% ELSIF ( ERROR.UZIPFAIL ) %]<li><b>[% ERROR.UZIPFAIL | html %] failed to unpack.<br />Please verify the integrity of the zip file and retry.</b></li>
|
|
[% ELSIF ( ERROR.NOWRITEPLUGINS ) %]<li><b>Cannot unpack file to the plugins directory.<br />Please verify that the Apache user can write to the plugins directory.</b></li>
|
|
[% ELSE %]<li><b>[% ERROR.CORERR | html %] An unknown error has occurred.<br />Please review the error log for more details.</b></li>[% END %]
|
|
[% END %]
|
|
</div>
|
|
[% END %]
|
|
<form method="post" action="/cgi-bin/koha/plugins/plugins-upload.pl" enctype="multipart/form-data">
|
|
<fieldset class="brief">
|
|
<div class="hint"><b>NOTE:</b> Only KPZ file format is supported.</div>
|
|
<ol>
|
|
<li>
|
|
<label for="uploadfile">Select the file to upload: </label><input type="file" id="uploadfile" name="uploadfile" />
|
|
</li>
|
|
</ol>
|
|
</fieldset>
|
|
<fieldset class="action">
|
|
<input type="hidden" name="op" value="Upload" />
|
|
<input type="submit" value="Upload" class="submit" />
|
|
</fieldset>
|
|
</form>
|
|
|
|
</div>
|
|
</div>
|
|
|
|
[% INCLUDE 'intranet-bottom.inc' %]
|