Koha-community/Koha
13
7
Fork 0
Code Issues Releases Wiki Activity
Koha/koha-tmpl/opac-tmpl/bootstrap/en/modules/opac-password-recovery.tt
Jonathan Druart dcd1f5d48c Bug 13618: Add html filters to all the variables 
Here we go, next step then.
As we did not fix the performance issue when autofiltering
the variables (see bug 20975), the only solution we have is to add the
filters explicitely.

This patch has been autogenerated (using add_html_filters.pl, see next
pathces) and add the html filter to all the variables displayed in the
template.
Exceptions are made (using the new 'raw' TT filter) to the variable we
already listed in the previous versions of this patch.

To test:
- Use t/db_dependent/Koha/Patrons.t to populate your DB with autogenerated
data which contain <script> tags

- Remove them from borrower_debarments.comments (there are allowed here)
update  borrower_debarments set comment="html tags possible here";

- From the interface hit page and try to catch alert box.
If you find one it means you find a possible XSS.
To know where it comes from:
* note the exact URL where you found it
* note the alert box content
* Dump your DB and search for the string in the dump to identify its
location (for instance table.field)

Next:
* Ideally we would like to use the raw filter when it is not necessary
to HTML escape the variables (in big loop for instance)
* Provide a QA script to catch missing filters (we want html, uri, url
or raw, certainly others that I am forgetting now)
* Replace the html filters with uri when needed (!)

Signed-off-by: Owen Leonard <oleonard@myacpl.org>

Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>

Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
2018-08-17 15:55:05 +00:00

138 lines
7.2 KiB
Text
Raw Blame History

[% USE Koha %]
[% INCLUDE 'doc-head-open.inc' %]
<title>[% IF ( LibraryNameTitle ) %][% LibraryNameTitle | html %] - Forgotten password recovery[% ELSE %]Koha online[% END %] catalog - Forgotten password recovery</title>
[% INCLUDE 'doc-head-close.inc' %]
[% BLOCK cssinclude %][% END %]
[% BLOCK jsinclude %]
<script>
$(function() {
$("#CheckAll").click(function(){
$("[name=deleteRequest]").attr('checked', true);
return false;
});
$("#CheckNone").click(function(){
$("[name=deleteRequest]").attr('checked', false);
return false;
});
$("select#type").change(function() {
$("fieldset#serial, fieldset#book, fieldset#chapter").hide()
$("fieldset#" + $(this).val() ).show();
});
});
</script>
[% END %]
</head>
[% INCLUDE 'bodytag.inc' bodyid='opac-password-recovery' %]
[% INCLUDE 'masthead.inc' %]
<div class="main">
<ul class="breadcrumb">
<li><a href="/cgi-bin/koha/opac-main.pl">Home</a> <span class="divider">&rsaquo;</span></li>
<li><a href="#">Forgotten password recovery</a></li>
</ul>
<div class="container-fluid">
<div class="row-fluid">
<div class="span2">
[% IF ( OpacPublic ) %]
<div id="navigation">
[% INCLUDE 'navigation.inc' IsPatronPage=0 %]
</div>
[% END %]
</div>
<div class="span10">
<h3>Forgotten password recovery</h3>
[% IF (hasError) %]
<div class="alert alert-warning">
<h3>Error</h3>
<p>
[% IF (sendmailError) %]
An error has occurred while sending you the password recovery link.
<br/>Please try again later.
[% ELSIF (errNoBorrowerFound) %]
No account was found with the provided information.
[% ELSIF (errMultipleAccountsForEmail) %]
Account identification with this email address only is ambiguous.
<br />Please use the field 'Login' as well.
[% ELSIF (errAlreadyStartRecovery) %]
The process of password recovery has already been started for this account
[% IF username %]
("<strong>[% username | html %]</strong>")
[% ELSIF email %]
("<strong>[% email | html %]</strong>")
[% END %]
<br/>You should have received an email with a link to reset your password.
<br/>If you did not receive this email, you can request a new one: <a href="/cgi-bin/koha/opac-password-recovery.pl?resendEmail=true&email=[% email | html %]&username=[% username | html %]">Get new password recovery link</a>
[% ELSIF (errPassNotMatch) %]
The passwords do not match.
[% ELSIF password_too_short %]
<li>Password must be at least [% minPasswordLength | html %] characters long.</li>
[% ELSIF password_too_weak %]
<li>Password must contain at least one digit, one lowercase and one uppercase.</li>
[% ELSIF password_has_whitespaces %]
<li>Password must not contain leading or trailing whitespaces.</li>
[% ELSIF (errLinkNotValid) %]
The link you clicked is either invalid, or expired.
<br/>Be sure you used the link from the email, or contact library staff for assistance.
[% END %]
</p>
<p>Please contact the library if you need further assistance.</p>
</div>
[% END %]
<div id="password-recovery">
[% IF (!Koha.Preference('OpacResetPassword')) %]
<div class="alert alert-info">You can't reset your password.</div>
[% ELSIF (password_recovery) %]
<form action="/cgi-bin/koha/opac-password-recovery.pl" method="post" autocomplete="off">
<input type="hidden" name="koha_login_context" value="opac" />
<fieldset>
<p>To reset your password, enter your login or your email address.
<label for="username">Login:</label>
<input type="text" id="username" size="40" name="username" value="[% username | html %]" />
<label for="email">Email:</label>
<input type="text" id="email" size="40" name="email" value="[% email | html %]" />
<fieldset class="action">
<input type="submit" value="Submit" class="btn" name="sendEmail" />
</fieldset>
</fieldset>
</form>
[% ELSIF (new_password) %]
<form action="/cgi-bin/koha/opac-password-recovery.pl" method="post" autocomplete="off">
<input type="hidden" name="koha_login_context" value="opac" />
<fieldset>
<div class="alert alert-info">The password must contain at least [% minPasswordLength | html %] characters.</div>
<label for="password">New password:</label>
<input type="password" id="password" size="40" name="password" />
<label for="repeatPassword">Confirm new password:</label>
<input type="password" id="repeatPassword" size="40" name="repeatPassword" />
<fieldset class="action">
<input type="hidden" name="username" value="[% username | html %]" />
<input type="hidden" name="uniqueKey" value="[% uniqueKey | html %]" />
<input type="submit" value="Submit" class="btn" name="passwordReset" />
</fieldset>
</fieldset>
</form>
[% ELSIF (mail_sent) %]
<div class="alert alert-info">
<p>
You will receive an email shortly.
<br/>Please click the link in this email to finish the process of resetting your password.
<br/>This link is valid for 2 days starting now.
</p>
<a href="/cgi-bin/koha/opac-main.pl"">Return to the main page</a>
</div>
[% ELSIF (password_reset_done) %]
<div class="alert alert-success">
<p>The password has been changed for user "[% username | html %]".</p>
<a href="/cgi-bin/koha/opac-user.pl">Click here to login.</a>
</div>
[% END %]
</div><!-- / #password-recovery -->
</div><!-- / .span10 -->
</div><!-- / .row-fluid -->
</div><!-- / .container-fluid -->
</div><!-- / .main -->
[% INCLUDE 'opac-bottom.inc' %]
View git blame Copy permalink