Main Koha release repository https://koha-community.org
Jonathan Druart dcd1f5d48c Bug 13618: Add html filters to all the variables
Here we go, next step then.
As we did not fix the performance issue when autofiltering
the variables (see bug 20975), the only solution we have is to add the
filters explicitly.

This patch has been autogenerated (using add_html_filters.pl, see next
patches) and adds the html filter to all the variables displayed in the
template.
Exceptions are made (using the new 'raw' TT filter) for the variables we
already listed in the previous versions of this patch.

To test:
- Use t/db_dependent/Koha/Patrons.t to populate your DB with autogenerated
data which contain <script> tags

- Remove them from borrower_debarments.comments (they are allowed here)
update  borrower_debarments set comment="html tags possible here";

- From the interface, hit pages and try to catch an alert box.
If you find one, it means you have found a possible XSS.
To know where it comes from:
* note the exact URL where you found it
* note the alert box content
* Dump your DB and search for the string in the dump to identify its
location (for instance table.field)

Next:
* Ideally we would like to use the raw filter when it is not necessary
to HTML escape the variables (in big loops, for instance)
* Provide a QA script to catch missing filters (we want html, uri, url
or raw, certainly others that I am forgetting now)
* Replace the html filters with uri when needed (!)

Signed-off-by: Owen Leonard <oleonard@myacpl.org>

Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>

Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
2018-08-17 15:55:05 +00:00
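A QA check of the kind the commit message lists as a next step, written here as an added example and not part of Koha's own tooling: it scans Template Toolkit source for output directives that carry none of the html, uri, url or raw filters, so a missed `| html` shows up before a reviewer has to hunt for alert boxes. The template fragment is constructed, and the keyword list is an assumption covering the usual TT control directives.

```python
import re

# Filters the commit message treats as an explicit, reviewed choice.
ACCEPTED_FILTERS = {"html", "uri", "url", "raw"}
# Directive keywords that emit no output and so need no filter
# (assumption: the usual Template Toolkit control keywords).
KEYWORDS = {
    "IF", "UNLESS", "ELSIF", "ELSE", "END", "FOREACH", "WHILE", "SET",
    "DEFAULT", "INCLUDE", "PROCESS", "BLOCK", "USE", "FILTER", "SWITCH",
    "CASE", "CALL", "WRAPPER", "TRY", "CATCH", "FINAL", "RETURN", "STOP",
    "NEXT", "LAST", "MACRO", "INSERT", "META", "CLEAR", "THROW",
}
DIRECTIVE = re.compile(r"\[%-?\s*(.*?)\s*-?%\]", re.S)   # [% ... %] with optional chomp flags
ASSIGNMENT = re.compile(r"(?<![=!<>])=(?!=)")            # a lone '=' means [% x = y %]


def missing_filters(template):
    """Return (line, directive) pairs for every output directive lacking an accepted filter."""
    findings = []
    for m in DIRECTIVE.finditer(template):
        body = m.group(1)
        if body.startswith("#"):            # [%# comment %] renders nothing
            continue
        expr, *filters = [p.strip() for p in body.split("|")]
        if not expr or expr.split()[0].upper() in KEYWORDS or ASSIGNMENT.search(expr):
            continue                        # control flow or assignment, no output
        names = {f.split()[0] for f in filters if f}
        if names & ACCEPTED_FILTERS:
            continue                        # explicitly escaped or explicitly raw
        findings.append((template.count("\n", 0, m.start()) + 1, m.group(0)))
    return findings


# Constructed template fragment mixing filtered and unfiltered output.
SAMPLE = """\
<h1>[% title | html %]</h1>
[% IF patron %]
  <p>[% patron.firstname %] [% patron.surname | html %]</p>
  <a href="/members?borrowernumber=[% patron.borrowernumber | uri %]">details</a>
[% END %]
[%# a comment, never rendered %]
[% SET count = items.size %]
[% table_html | raw %]
[% note | upper %]
"""

if __name__ == "__main__":
    for line, directive in missing_filters(SAMPLE):
        print(f"line {line}: {directive} has no html/uri/url/raw filter")
```

Only `patron.firstname` and `note | upper` are reported: `upper` changes case but does not escape, so it still counts as a missing filter.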
acqui Bug 21033: Remove few warns in acqui/basket.pl 2018-08-09 11:31:44 +00:00
admin Bug 21137: Replace USER_INFO with logged_in_user 2018-08-14 12:43:10 +00:00
api/v1 Bug 20942: Split debit and credit lines 2018-07-18 16:49:27 +00:00
authorities Bug 20273: Use compat routines for autocomplete in auth_finder.pl 2018-07-19 17:25:16 +00:00
basket Bug 16575: Irregular behaviour using window.print() followed by window.location.href 2018-07-19 16:12:56 +00:00
C4 Bug 21226: Remove xISBN services 2018-08-16 13:20:22 +00:00
catalogue Bug 21125: Shortcut moredetail.pl on nonexistent biblionumber 2018-08-10 12:23:04 +00:00
cataloguing Bug 19436: Add SRU support for authorities 2018-08-08 20:31:34 +00:00
circ Bug 20226: Centralize update child code (CATCODE_MULTI) 2018-08-14 11:58:26 +00:00
clubs
course_reserves Bug 20467: (QA follow-up) Display error if no or invalid course id is passed 2018-07-02 12:55:38 +00:00
debian Bug 20795: Inform the user about this change, add to pod 2018-08-14 12:35:13 +00:00
docs Bug 7143: Update about page for new dev - Vassilis Kanellopoulos 2018-08-10 10:21:00 +00:00
errors
etc Bug 21031: Apache Rewrite rules don't work for API when using anything but Debian package Plack configuration 2018-08-02 10:23:08 -03:00
ill Bug 20556: Marking ILL request as complete.. 2018-04-20 11:42:00 -03:00
installer Bug 21226: DBRev 18.06.00.015 2018-08-16 14:03:28 +00:00
Koha Bug 20226: Centralize update child code (CATCODE_MULTI) 2018-08-14 11:58:26 +00:00
koha-tmpl Bug 13618: Add html filters to all the variables 2018-08-17 15:55:05 +00:00
labels Bug 12020: Allow translating label-edit-batch hardcoded strings 2018-03-26 17:31:15 -03:00
members Bug 21222: (bug 20226 follow-up) Fix patron creation 2018-08-16 13:19:54 +00:00
misc Bug 13618: Add html filters to all the variables 2018-08-17 15:55:05 +00:00
offline_circ Bug 19752: offline_circ/service.pl - Return HTTP status 401 when authentication failed and add option nocookie 2018-05-03 13:26:48 -03:00
opac Bug 21137: Replace BORROWER_INFO with logged_in_user 2018-08-14 12:43:12 +00:00
OpenILS
patron_lists Bug 19524: Use existing logged_in_user variable 2018-07-18 16:49:30 +00:00
patroncards Bug 8604: Patron cards made for patrons which don't have patron images use preceding card's image 2018-07-23 15:08:57 +00:00
plugins
reports Bug 20495: Remove get_saved_report 2018-07-02 12:06:54 +00:00
reserve Bug 20724: Move the ReservesNeedReturns logic to AddReserve 2018-05-16 10:53:13 -03:00
reviews Bug 18789: Send Koha::Patron object to the templates 2018-02-16 13:03:58 -03:00
rotating_collections
serials Bug 20730: Move the authentication block before doing anything 2018-05-23 11:44:10 -03:00
services
skel
suggestion Bug 21048: (QA follow-up) Fix authorized value statuses in filter 2018-08-08 20:58:23 +00:00
svc Bug 17698: Make patron notes show up on staff dashboard 2018-07-23 15:23:40 +00:00
t Bug 21226: Remove xISBN services 2018-08-16 13:20:22 +00:00
tags
test
tmp/modified_authorities
tools Bug 19633: Use alphanumeric error codes in upload 2018-08-10 10:10:46 +00:00
virtualshelves
xt Bug 20906: Fix translatable-templates.t 2018-06-22 12:59:09 +00:00
.editorconfig
.gitignore Bug 20427: Convert OPAC LESS to SCSS 2018-08-09 15:17:07 +00:00
.htaccess
.mailmap
.sass-lint.yml Bug 19474: (QA follow-up) Fix sass lint yaml configuration 2018-08-09 15:12:20 +00:00
.scss-lint.yml Bug 20427: Convert OPAC LESS to SCSS 2018-08-09 15:17:07 +00:00
about.pl Bug 20727: (QA follow-up) Remove a few use statements again 2018-06-22 16:10:10 +00:00
changelanguage.pl
edithelp.pl
fix-perl-path.PL
gulpfile.js Bug 20427: Convert OPAC LESS to SCSS 2018-08-09 15:17:07 +00:00
help.pl
INSTALL
install-CPAN.pl
Koha.pm Bug 21226: DBRev 18.06.00.015 2018-08-16 14:03:28 +00:00
koha_perl_deps.pl
kohaversion.pl
LICENSE
mainpage.pl Bug 17698: Do not send pending_checkout_notes from all circ scripts 2018-07-23 15:23:44 +00:00
Makefile.PL Bug 21195: Ignore files used for SCSS build process 2018-08-10 12:39:01 +00:00
MANIFEST.SKIP
package.json Bug 19474: Convert staff client CSS to SCSS 2018-08-09 15:12:20 +00:00
README
README.md
README.robots
rewrite-config.PL Bug 18342: Enable memcached by default for new installs 2018-05-03 12:47:07 -03:00
yarn.lock Bug 19474: Convert staff client CSS to SCSS 2018-08-09 15:12:20 +00:00

Koha is a free software integrated library system (ILS).

Koha is distributed under the GNU GPL version 3 or later.

Note: This is a synced mirror of the official Koha repo.

Note: Koha does not accept pull requests from git hosting sites.

Note: This project has its own bug tracker; to report a bug or submit a patch, visit http://bugs.koha-community.org.

For guidelines on submitting patches for Koha please visit https://wiki.koha-community.org/wiki/SubmitingAPatch

The developers handbook can be found at https://wiki.koha-community.org/wiki/Developer_handbook

http://koha-community.org/
