Koha/koha-tmpl/intranet-tmpl/prog/en/includes
Jonathan Druart dcd1f5d48c Bug 13618: Add html filters to all the variables
Here we go, next step then.
As we did not fix the performance issue when autofiltering
the variables (see bug 20975), the only solution we have is to add the
filters explicitly.

This patch has been autogenerated (using add_html_filters.pl, see next
patches) and adds the html filter to all the variables displayed in the
template.
Exceptions are made (using the new 'raw' TT filter) for the variables we
already listed in the previous versions of this patch.

To test:
- Use t/db_dependent/Koha/Patrons.t to populate your DB with autogenerated
data which contain <script> tags

- Remove them from borrower_debarments.comments (they are allowed here)
update  borrower_debarments set comment="html tags possible here";

- From the interface hit pages and try to catch an alert box.
If you find one it means you found a possible XSS.
To know where it comes from:
* note the exact URL where you found it
* note the alert box content
* Dump your DB and search for the string in the dump to identify its
location (for instance table.field)

Next:
* Ideally we would like to use the raw filter when it is not necessary
to HTML escape the variables (in big loops for instance)
* Provide a QA script to catch missing filters (we want html, uri, url
or raw, certainly others that I am forgetting now)
* Replace the html filters with uri when needed (!)

Signed-off-by: Owen Leonard <oleonard@myacpl.org>

Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>

Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
2018-08-17 15:55:05 +00:00
catalogue Bug 13618: Add html filters to all the variables 2018-08-17 15:55:05 +00:00
csv_headers Bug 13618: Add html filters to all the variables 2018-08-17 15:55:05 +00:00
modals Bug 13618: Add html filters to all the variables 2018-08-17 15:55:05 +00:00
str Bug 13618: Add html filters to all the variables 2018-08-17 15:55:05 +00:00
virtualshelves/merge Bug 13618: Add html filters to all the variables 2018-08-17 15:55:05 +00:00
account_offset_type.inc Bug 13618: Add html filters to all the variables 2018-08-17 15:55:05 +00:00
accounttype.inc Bug 13618: Add html filters to all the variables 2018-08-17 15:55:05 +00:00
acquisitions-add-to-basket.inc Bug 13618: Add html filters to all the variables 2018-08-17 15:55:05 +00:00
acquisitions-menu.inc Bug 11911: Add a separate permission for managing suggestions 2018-07-23 15:34:20 +00:00
acquisitions-search.inc Bug 13618: Add html filters to all the variables 2018-08-17 15:55:05 +00:00
acquisitions-toolbar.inc Bug 13618: Add html filters to all the variables 2018-08-17 15:55:05 +00:00
additem.js.inc Bug 14752 - (QA followup) Remove annoying modal, use dialog box instead 2016-09-13 17:21:05 +00:00
admin-items-search-field-form.inc Bug 13618: Add html filters to all the variables 2018-08-17 15:55:05 +00:00
admin-menu.inc Bug 7651: (follow-up) Correct visibility on admin sidebar 2018-07-18 17:45:21 +00:00
adv-search.inc Bug 13618: Add html filters to all the variables 2018-08-17 15:55:05 +00:00
auth-finder-search.inc Bug 13618: Add html filters to all the variables 2018-08-17 15:55:05 +00:00
authorities-search-results.inc Bug 13618: Add html filters to all the variables 2018-08-17 15:55:05 +00:00
authorities-search.inc Bug 13618: Add html filters to all the variables 2018-08-17 15:55:05 +00:00
authorities-toolbar.inc Bug 13618: Add html filters to all the variables 2018-08-17 15:55:05 +00:00
authorities.inc Bug 13618: Add html filters to all the variables 2018-08-17 15:55:05 +00:00
authorities_js.inc Bug 13618: Add html filters to all the variables 2018-08-17 15:55:05 +00:00
av-build-dropbox.inc Bug 13618: Add html filters to all the variables 2018-08-17 15:55:05 +00:00
biblio-default-view.inc Bug 13618: Add html filters to all the variables 2018-08-17 15:55:05 +00:00
biblio-view-menu.inc Bug 13618: Add html filters to all the variables 2018-08-17 15:55:05 +00:00
blocked-fines.inc Bug 13618: Add html filters to all the variables 2018-08-17 15:55:05 +00:00
blocking_errors.inc Bug 13618: Add html filters to all the variables 2018-08-17 15:55:05 +00:00
borrower_debarments.inc Bug 13618: Add html filters to all the variables 2018-08-17 15:55:05 +00:00
branch-selector.inc Bug 13618: Add html filters to all the variables 2018-08-17 15:55:05 +00:00
browser-strings.inc
budgets-active-currency.inc Bug 13618: Add html filters to all the variables 2018-08-17 15:55:05 +00:00
budgets-admin-search.inc Bug 13618: Add html filters to all the variables 2018-08-17 15:55:05 +00:00
budgets-admin-toolbar.inc Bug 13618: Add html filters to all the variables 2018-08-17 15:55:05 +00:00
calendar.inc Bug 13618: Add html filters to all the variables 2018-08-17 15:55:05 +00:00
cat-menu.inc
cat-search.inc Bug 13618: Add html filters to all the variables 2018-08-17 15:55:05 +00:00
cat-toolbar.inc Bug 13618: Add html filters to all the variables 2018-08-17 15:55:05 +00:00
catalog-strings.inc Bug 13618: Add html filters to all the variables 2018-08-17 15:55:05 +00:00
cataloging-search.inc Bug 13618: Add html filters to all the variables 2018-08-17 15:55:05 +00:00
cateditor-ui.inc Bug 13618: Add html filters to all the variables 2018-08-17 15:55:05 +00:00
cateditor-widgets-marc21.inc Bug 13618: Add html filters to all the variables 2018-08-17 15:55:05 +00:00
checkin-search.inc Bug 13618: Add html filters to all the variables 2018-08-17 15:55:05 +00:00
checkouts-table-footer.inc Bug 13618: Add html filters to all the variables 2018-08-17 15:55:05 +00:00
checkouts-table.inc Bug 13618: Add html filters to all the variables 2018-08-17 15:55:05 +00:00
circ-menu.inc Bug 13618: Add html filters to all the variables 2018-08-17 15:55:05 +00:00
circ-nav.inc Bug 13618: Add html filters to all the variables 2018-08-17 15:55:05 +00:00
circ-patron-search-results.inc Bug 13618: Add html filters to all the variables 2018-08-17 15:55:05 +00:00
circ-search.inc Bug 13618: Add html filters to all the variables 2018-08-17 15:55:05 +00:00
cities-admin-search.inc Bug 13618: Add html filters to all the variables 2018-08-17 15:55:05 +00:00
columns_settings.inc Bug 18791: Export visible columns only 2018-04-13 13:55:22 -03:00
contracts-admin-search.inc Bug 13618: Add html filters to all the variables 2018-08-17 15:55:05 +00:00
country-list.inc Bug 14608: Move country list to an include file 2017-03-22 23:51:30 +00:00
currencies-admin-search.inc Bug 13618: Add html filters to all the variables 2018-08-17 15:55:05 +00:00
datatables.inc Bug 13618: Add html filters to all the variables 2018-08-17 15:55:05 +00:00
date-format.inc Bug 12072: Make datepicker and templates to be aware of dmydot format 2015-11-19 13:15:19 -03:00
delimiter_text.inc Bug 19910: Use span to make translators happy 2018-04-04 16:06:56 -03:00
doc-head-close-receipt.inc Bug 13618: Add html filters to all the variables 2018-08-17 15:55:05 +00:00
doc-head-close.inc Bug 13618: Add html filters to all the variables 2018-08-17 15:55:05 +00:00
doc-head-open.inc Bug 13618: Add html filters to all the variables 2018-08-17 15:55:05 +00:00
empty_line.inc Bug 13618: Add html filters to all the variables 2018-08-17 15:55:05 +00:00
facets.inc Bug 13618: Add html filters to all the variables 2018-08-17 15:55:05 +00:00
form-blocks.inc Bug 13618: Add html filters to all the variables 2018-08-17 15:55:05 +00:00
format_price.inc Bug 16768: (followup) Add Swiss format for datatables (format_price.inc) 2016-06-24 14:00:03 +00:00
greybox.inc Bug 13618: Add html filters to all the variables 2018-08-17 15:55:05 +00:00
guided-reports-view.inc Bug 19856: Improve styling of reports sidebar 2018-03-23 11:45:38 -03:00
header.inc Bug 13618: Add html filters to all the variables 2018-08-17 15:55:05 +00:00
help-bottom.inc Bug 13618: Add html filters to all the variables 2018-08-17 15:55:05 +00:00
help-top.inc Bug 13618: Add html filters to all the variables 2018-08-17 15:55:05 +00:00
home-search.inc Bug 13618: Add html filters to all the variables 2018-08-17 15:55:05 +00:00
html_helpers.inc Bug 13618: Add html filters to all the variables 2018-08-17 15:55:05 +00:00
ill-toolbar.inc Bug 13618: Add html filters to all the variables 2018-08-17 15:55:05 +00:00
installer-doc-head-close.inc Bug 13618: Add html filters to all the variables 2018-08-17 15:55:05 +00:00
installer-strings.inc Bug 13618: Add html filters to all the variables 2018-08-17 15:55:05 +00:00
intranet-bottom.inc Bug 13618: Add html filters to all the variables 2018-08-17 15:55:05 +00:00
intranetstylesheet.inc Bug 13618: Add html filters to all the variables 2018-08-17 15:55:05 +00:00
js_includes.inc Bug 13618: Add html filters to all the variables 2018-08-17 15:55:05 +00:00
labels-toolbar.inc Bug 18403: Add sub output_and_exit_if_error - unknown_patron & cannot_see_patron_infos 2018-02-12 15:41:38 -03:00
langmenu-staff-top.inc Bug 13618: Add html filters to all the variables 2018-08-17 15:55:05 +00:00
letters-search.inc Bug 13618: Add html filters to all the variables 2018-08-17 15:55:05 +00:00
member-alt-address-style-de.inc Bug 13618: Add html filters to all the variables 2018-08-17 15:55:05 +00:00
member-alt-address-style-fr.inc Bug 13618: Add html filters to all the variables 2018-08-17 15:55:05 +00:00
member-alt-address-style-us.inc Bug 13618: Add html filters to all the variables 2018-08-17 15:55:05 +00:00
member-alt-contact-style-de.inc Bug 13618: Add html filters to all the variables 2018-08-17 15:55:05 +00:00
member-alt-contact-style-fr.inc Bug 13618: Add html filters to all the variables 2018-08-17 15:55:05 +00:00
member-alt-contact-style-us.inc Bug 13618: Add html filters to all the variables 2018-08-17 15:55:05 +00:00
member-display-address-style-de.inc Bug 13618: Add html filters to all the variables 2018-08-17 15:55:05 +00:00
member-display-address-style-fr.inc Bug 13618: Add html filters to all the variables 2018-08-17 15:55:05 +00:00
member-display-address-style-us.inc Bug 13618: Add html filters to all the variables 2018-08-17 15:55:05 +00:00
member-display-alt-address-style-de.inc Bug 13618: Add html filters to all the variables 2018-08-17 15:55:05 +00:00
member-display-alt-address-style-fr.inc Bug 13618: Add html filters to all the variables 2018-08-17 15:55:05 +00:00
member-display-alt-address-style-us.inc Bug 13618: Add html filters to all the variables 2018-08-17 15:55:05 +00:00
member-main-address-style-de.inc Bug 13618: Add html filters to all the variables 2018-08-17 15:55:05 +00:00
member-main-address-style-fr.inc Bug 13618: Add html filters to all the variables 2018-08-17 15:55:05 +00:00
member-main-address-style-us.inc Bug 13618: Add html filters to all the variables 2018-08-17 15:55:05 +00:00
members-menu.inc Bug 13618: Add html filters to all the variables 2018-08-17 15:55:05 +00:00
members-toolbar.inc Bug 13618: Add html filters to all the variables 2018-08-17 15:55:05 +00:00
merge-record-strings.inc Bug 8064: Change the way target record is built. 2015-11-09 15:08:57 -03:00
merge-record.inc Bug 13618: Add html filters to all the variables 2018-08-17 15:55:05 +00:00
messaging-preference-form.inc Bug 13618: Add html filters to all the variables 2018-08-17 15:55:05 +00:00
nl-search-form.tt Bug 13618: Add html filters to all the variables 2018-08-17 15:55:05 +00:00
noadd-warnings.inc Bug 17082: Translatability: Fix sentence splitting in member.tt 2016-08-10 13:49:48 +00:00
onboarding_messages.inc Bug 13618: Add html filters to all the variables 2018-08-17 15:55:05 +00:00
page-numbers.inc Bug 13618: Add html filters to all the variables 2018-08-17 15:55:05 +00:00
password_check.inc Bug 13618: Add html filters to all the variables 2018-08-17 15:55:05 +00:00
patron-article-requests.inc Bug 13618: Add html filters to all the variables 2018-08-17 15:55:05 +00:00
patron-search-box.inc Bug 13618: Add html filters to all the variables 2018-08-17 15:55:05 +00:00
patron-search.inc Bug 13618: Add html filters to all the variables 2018-08-17 15:55:05 +00:00
patron-title.inc Bug 13618: Add html filters to all the variables 2018-08-17 15:55:05 +00:00
patron-toolbar.inc Bug 13618: Add html filters to all the variables 2018-08-17 15:55:05 +00:00
patroncards-errors.inc Bug 13618: Add html filters to all the variables 2018-08-17 15:55:05 +00:00
patroncards-toolbar.inc Bug 18403: Add sub output_and_exit_if_error - unknown_patron & cannot_see_patron_infos 2018-02-12 15:41:38 -03:00
patrons-admin-search.inc Bug 13618: Add html filters to all the variables 2018-08-17 15:55:05 +00:00
permissions.inc Bug 11911: Add a separate permission for managing suggestions 2018-07-23 15:34:20 +00:00
popup-bottom.inc Bug 13618: Add html filters to all the variables 2018-08-17 15:55:05 +00:00
prefs-admin-search.inc Bug 13618: Add html filters to all the variables 2018-08-17 15:55:05 +00:00
prefs-menu.inc Bug 19538: Move EnableAdvancedCatalogingEdtor from 'Labs' to 'Cataloging' 2018-04-11 16:45:09 -03:00
quotes-toolbar.inc Bug 16239: Update templates 2017-01-13 14:41:22 +00:00
quotes-upload-toolbar.inc Bug 16239: Update templates 2017-01-13 14:41:22 +00:00
reports-menu.inc Bug 19856: (follow-up) Improve styling of reports sidebar 2018-03-23 11:45:38 -03:00
reports-toolbar.inc Bug 13618: Add html filters to all the variables 2018-08-17 15:55:05 +00:00
resort_form.inc
rotating-collections-toolbar.inc Bug 13618: Add html filters to all the variables 2018-08-17 15:55:05 +00:00
search_indexes.inc Bug 19807: Make IntranetCatalogSearchPulldown honor IntranetNumbersPreferPhrase 2018-01-02 12:58:55 -03:00
select2.inc Bug 13618: Add html filters to all the variables 2018-08-17 15:55:05 +00:00
serials-menu.inc Bug 13618: Add html filters to all the variables 2018-08-17 15:55:05 +00:00
serials-search.inc Bug 13618: Add html filters to all the variables 2018-08-17 15:55:05 +00:00
serials-toolbar.inc Bug 13618: Add html filters to all the variables 2018-08-17 15:55:05 +00:00
slip-print.inc Bug 13618: Add html filters to all the variables 2018-08-17 15:55:05 +00:00
strings.inc Bug 21029: Make "Suspend until:" translatable 2018-07-06 10:13:52 +00:00
subscriptions-search.inc Bug 17537: Fix valid-templates.t for some include files 2016-11-04 11:03:48 +00:00
subtypes_unimarc.inc Bug 16557 - Remove the use of "onclick" from several include files 2016-06-24 13:51:01 +00:00
suggestions-add-search.inc Bug 13618: Add html filters to all the variables 2018-08-17 15:55:05 +00:00
timepicker.inc
tools-item-action.inc
tools-menu.inc Bug 11317: (QA follow-up) Change tool name to be more general 2018-05-03 13:26:50 -03:00
tools-nomatch-action.inc
tools-overlay-action.inc
validator-strings.inc
vendor-menu.inc Bug 13618: Add html filters to all the variables 2018-08-17 15:55:05 +00:00
virtualshelves-toolbar.inc Bug 13618: Add html filters to all the variables 2018-08-17 15:55:05 +00:00
wysiwyg-systempreferences.inc Bug 13618: Add html filters to all the variables 2018-08-17 15:55:05 +00:00
xslt-handler.inc Bug 20272: Changes for Breeding.pm and Record.pm 2018-07-02 12:12:49 +00:00
z3950-admin-search.inc Bug 13618: Add html filters to all the variables 2018-08-17 15:55:05 +00:00
z3950_search.inc Bug 13618: Add html filters to all the variables 2018-08-17 15:55:05 +00:00