git.koha-community.org Git - koha.git/commit
Bug 22223: Add filter to make item URLs safe in template output
author David Cook <dcook@prosentient.com.au>
Tue, 20 Aug 2024 00:12:21 +0000 (00:12 +0000)
committer Lucas Gass <lucas@bywatersolutions.com>
Thu, 5 Dec 2024 21:38:46 +0000 (21:38 +0000)
commit 629d2a6f6ca168b9d434017cd785e10dc281f3e7
tree eac0f7fc659babe3b5556405a1e8ff8f5e3ce255
parent fde180efbf1fd79e9af8f866ad230560f40d608a

This change adds a "safe_url" filter which takes a text input and
returns a Perl URL object which stringifies to a safe URL.

This change is only needed in the OPAC as the staff interface
handles the item URL display using Javascript not Template Toolkit.

0. Apply patch and koha-plack --restart kohadev
1. Create an item for a record using the following URL
https://koha-community.org?url=https%3A%2F%2Fkoha-community.org
2. Go to the OPAC for that record and verify that the URL is
not double-escaped
3. Create a malicious payload (talk to QA/security team for this if necessary)
4. Note that the malicious payload is escaped
5. prove t/Koha/Plugins/SafeURL.t
6. Celebrate!

Signed-off-by: Lucas Gass <lucas@bywatersolutions.com>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>
(cherry picked from commit e8e00cfeb30391009391849c0194a0ff0603d78c)
Signed-off-by: Lucas Gass <lucas@bywatersolutions.com>
Koha/Template/Plugin/SafeURL.pm [new file with mode: 0644]
koha-tmpl/opac-tmpl/bootstrap/en/modules/opac-detail.tt
t/Koha/Plugins/SafeURL.t [new file with mode: 0755]
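
The property the test plan checks (an already percent-encoded URL is left alone, while unsafe characters are encoded) can be shown with a small stand-alone script. This is an added example, not the code of Koha's SafeURL.pm, which this page does not show; the function name `safe_url_string` and the sample inputs are hypothetical.

```perl
use strict;
use warnings;
use Encode qw(encode);

# Hypothetical helper, not Koha's SafeURL.pm: percent-encode every byte that is
# not an RFC 3986 reserved/unreserved character, keeping valid %XX escapes.
sub safe_url_string {
    my ($text) = @_;
    return '' unless defined $text;
    my $bytes = encode( 'UTF-8', $text );

    # A '%' that does not begin a valid escape is data, so encode it.
    $bytes =~ s{%(?![0-9A-Fa-f]{2})}{%25}g;

    # Apostrophe is legal in a URL but is encoded as well, so the value stays
    # inert inside a single- or double-quoted HTML attribute.
    $bytes =~ s{([^A-Za-z0-9._~:/?#\[\]\@!\$&()*+,;=%-])}{sprintf '%%%02X', ord $1}ge;
    return $bytes;
}

# Constructed inputs: the test-plan URL, plus strings with characters that
# must never reach an href attribute unencoded.
my @samples = (
    'https://koha-community.org?url=https%3A%2F%2Fkoha-community.org',
    'https://example.org/a b?q="<x>\'',
    'https://example.org/100%?ok=%41',
);

for my $in (@samples) {
    my $once  = safe_url_string($in);
    my $twice = safe_url_string($once);
    printf "%-5s %s\n", ( $once eq $in ? 'same' : 'fixed' ), $once;

    # Encoding must be idempotent, otherwise a second pass would double-escape.
    die "filter is not idempotent for: $in\n" unless $once eq $twice;
}
```

The script only covers character escaping; it does not restrict which URL schemes are accepted.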