dcd1f5d48c
Here we go, next step then. As we did not fix the performance issue when autofiltering the variables (see bug 20975), the only solution we have is to add the filters explicitely. This patch has been autogenerated (using add_html_filters.pl, see next pathces) and add the html filter to all the variables displayed in the template. Exceptions are made (using the new 'raw' TT filter) to the variable we already listed in the previous versions of this patch. To test: - Use t/db_dependent/Koha/Patrons.t to populate your DB with autogenerated data which contain <script> tags - Remove them from borrower_debarments.comments (there are allowed here) update borrower_debarments set comment="html tags possible here"; - From the interface hit page and try to catch alert box. If you find one it means you find a possible XSS. To know where it comes from: * note the exact URL where you found it * note the alert box content * Dump your DB and search for the string in the dump to identify its location (for instance table.field) Next: * Ideally we would like to use the raw filter when it is not necessary to HTML escape the variables (in big loop for instance) * Provide a QA script to catch missing filters (we want html, uri, url or raw, certainly others that I am forgetting now) * Replace the html filters with uri when needed (!) Signed-off-by: Owen Leonard <oleonard@myacpl.org> Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com> Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
30 lines
2 KiB
PHP
30 lines
2 KiB
PHP
<script type="text/javascript">
|
|
/* Strings for translation */
|
|
var MSG_REPLACE_RECORD = _("Please note that this external search could replace the current record.");
|
|
var MSG_DELETE_ALL_ITEMS = _("%s item(s) are attached to this record. You must delete all items before deleting this record.");
|
|
var CONFIRM_RECORD_USED_IN_ORDERS = _("Warning: This record is used in %s order(s). Deleting it could cause serious issues on acquisition module. Are you sure you want to delete this record?");
|
|
var MSG_RECORD_USED_IN_ORDERS = _("%s order(s) are using this record. You need order managing permissions to delete this record.");
|
|
var CONFIRM_IN_DELETED_ORDERS = _("%s deleted order(s) are using this record. Are you sure you want to delete this record?");
|
|
var MSG_IN_DELETED_ORDERS = _("%s deleted order(s) are using this record. You need order managing permissions to delete this record.");
|
|
var CONFIRM_DELETION_HOLDS = _("%s holds(s) for this record. Are you sure you want to delete this record?");
|
|
var CONFIRM_RECORD_DELETION = _("Are you sure you want to delete this record?");
|
|
var MSG_DELETE_ALL_HOLDS = _("%s hold(s) on this record. You must delete all holds before deleting all items.");
|
|
var CONFIRM_DELETE_ITEMS = _("Are you sure you want to delete the %s attached items?");
|
|
var MSG_NO_ITEMS = _("This record has no items.");
|
|
|
|
/* Some required variables from the template */
|
|
var biblionumber = [% biblionumber | html %];
|
|
var count = [% count | html %];
|
|
var holdcount = [% holdcount | html %];
|
|
var countorders = [% countorders | html %];
|
|
var countdeletedorders = [% countdeletedorders | html %];
|
|
|
|
/* provide Z3950 search points */
|
|
function GetZ3950Terms(){
|
|
var strQuery="&frameworkcode=";
|
|
[% FOREACH z3950_search_param IN z3950_search_params %]
|
|
strQuery += "&" + "[% z3950_search_param.name |uri %]" + "=" + "[% z3950_search_param.value |uri %]";
|
|
[% END %]
|
|
return strQuery;
|
|
}
|
|
</script>
|