Koha/koha-tmpl/intranet-tmpl/prog/en/includes/authorities-search-results.inc
Jonathan Druart dcd1f5d48c Bug 13618: Add html filters to all the variables
Here we go, next step then.
As we did not fix the performance issue when autofiltering
the variables (see bug 20975), the only solution we have is to add the
filters explicitely.

This patch has been autogenerated (using add_html_filters.pl, see next
pathces) and add the html filter to all the variables displayed in the
template.
Exceptions are made (using the new 'raw' TT filter) to the variable we
already listed in the previous versions of this patch.

To test:
- Use t/db_dependent/Koha/Patrons.t to populate your DB with autogenerated
data which contain <script> tags

- Remove them from borrower_debarments.comments (there are allowed here)
update  borrower_debarments set comment="html tags possible here";

- From the interface hit page and try to catch alert box.
If you find one it means you find a possible XSS.
To know where it comes from:
* note the exact URL where you found it
* note the alert box content
* Dump your DB and search for the string in the dump to identify its
location (for instance table.field)

Next:
* Ideally we would like to use the raw filter when it is not necessary
to HTML escape the variables (in big loop for instance)
* Provide a QA script to catch missing filters (we want html, uri, url
or raw, certainly others that I am forgetting now)
* Replace the html filters with uri when needed (!)

Signed-off-by: Owen Leonard <oleonard@myacpl.org>

Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>

Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
2018-08-17 15:55:05 +00:00

136 lines
5.3 KiB
HTML

[% BLOCK showreference %]
[%# Parameters: %]
[%# heading: the heading itself %]
[%# linkType: currently 'seefrom' or 'seealso', controls the label for the entry type: %]
[%# authid: if it is a linked authority, its authid %]
[% SET authidurl = '/cgi-bin/koha/authorities/detail.pl?authid=' %]
[% SET searchurl = '/cgi-bin/koha/authorities/authorities-home.pl?op=do_search&type=intranet&marclist=any&operator=contains&orderby=HeadingAsc&value=' %]
[% IF marcflavour == 'UNIMARC' %]
[% SWITCH type %]
[% CASE 'broader' %]
<span class="BT"><abbr title="Broader Term">BT</abbr>: [% heading | html %]</span>
[% CASE 'narrower' %]
<span class="NT"><abbr title="Narrower Term">NT</abbr>: [% heading | html %]</span>
[% CASE 'seefrom' %]
<span class="UF"><abbr title="Used For">UF</abbr>: [% heading | html %]</span>
[% CASE 'seealso' %]
<span class="RT"><abbr title="Related Term">RT</abbr>: [% heading | html %]</span>
[% END %]
[% ELSE %]
<span class="heading">
[% IF ( linkType=='seealso' ) %]
[% IF ( authid ) %]
<a href="[% authidurl | url %][% authid | url %]">[% heading | html %]</a>
[% ELSE %]
<a href="[% searchurl | url %][% heading | html %]">[% heading | html %]</a>
[% END %]
[% ELSE %]
[% heading | html %]
[% END %]
</span>
[% UNLESS ( type=='seefrom' || type=='seealso' ) %]
<span class="type">
[% SWITCH type %]
[% CASE 'earlier' %](Earlier heading)
[% CASE 'later' %](Later heading)
[% CASE 'acronym' %](Acronym)
[% CASE 'musical' %](Musical composition)
[% CASE 'broader' %](Broader heading)
[% CASE 'narrower' %](Narrower heading)
[% CASE 'parent' %](Immediate parent body)
[% CASE %][% IF type %]([% type | html %])
[% END %]
[% END %]
</span>
[% END %]
[% END %]
[% END %]
[% BLOCK authresult %]
[% IF ( summary.label ) %][% summary.label | html %]:[% END %]
[% IF summary.summary %]
<div class="authority-summary">
[% summary.summary | html %]
</div>
[% END %]
[% UNLESS ( summary.summaryonly ) %]
<div class="authorizedheading">
[% FOREACH authorize IN summary.authorized %]
<span class="authorizedheading">[% authorize.heading | html %]</span>
[% UNLESS loop.last %] | [% END %]
[% END %]
</div>
[% IF ( marcflavour == 'UNIMARC' ) %]
[% IF summary.notes %]
<div class="authres_notes">
[% FOREACH note IN summary.notes %]
<span>[% note.note | html %]</span>
[% END %]
</div>
[% END %]
[% IF summary.seefrom %]
<div class="authres_seefrom">
[% FOREACH see IN summary.seefrom %]
[% PROCESS showreference heading=see.heading linkType="" type=see.type search='' %]
[% IF ! loop.last %] ; [% END %]
[% END %]
</div>
[% END %]
[% IF summary.seealso %]
<div class="authres_seealso">
[% FOREACH see IN summary.seealso %]
[% PROCESS showreference heading=see.heading linkType="" type=see.type search='' %]
[% IF ! loop.last %] ; [% END %]
[% END %]
</div>
[% END %]
[% IF summary.otherscript %]
<div class="authres_otherscript">
[% FOREACH other IN summary.otherscript %]
[% PROCESS language lang=other.lang | trim %]:
[% other.term | html %]
[% IF ! loop.last %] ; [% END %]
[% END %]
</div>
[% END %]
[% ELSE %]
[% IF ( summary.seefrom.size >= 1 ) %]
<div class="seefrom">
<span class="seefrom">used for/see from:</span>
[% FOREACH seefro IN summary.seefrom %]
<div class="authref">
[%# Following on one line for translatability %]
[% PROCESS showreference heading=seefro.heading linkType='seefrom' type=seefro.type authid=seefro.authid %]
</div>
[% END %]
</div>
[% END %]
[% IF ( summary.seealso.size >= 1 ) %]
<div class="seealso">
<span class="seealso">see also:</span>
[% FOREACH seeals IN summary.seealso %]
<div class="authref">
[%# Following on one line for translatability %]
[% PROCESS showreference heading=seeals.heading linkType='seealso' type=seeals.type authid=seeals.authid %]
</div>
[% END %]
</div>
[% END %]
[% END %]
[% END %]
[% END %]
[% BLOCK language %]
[% SWITCH lang %]
[% CASE ['en', 'eng'] %]English
[% CASE ['fr', 'fre'] %]French
[% CASE ['it', 'ita'] %]Italian
[% CASE ['de', 'ger', 'deu'] %]German
[% CASE ['es', 'spa'] %]Spanish
[% CASE ['heb'] %]Hebrew
[% CASE ['ara'] %]Arabic
[% CASE ['gre'] %]Greek (modern)
[% CASE ['grc'] %]Greek (to 1453)
[% CASE %][% lang | html %]
[% END %]
[% END %]