git.koha-community.org Git - koha.git/commit
Bug 22223: Add filter to make item URLs safe in template output
author David Cook <dcook@prosentient.com.au>
Tue, 20 Aug 2024 00:12:21 +0000 (00:12 +0000)
committer Katrin Fischer <katrin.fischer@bsz-bw.de>
Thu, 7 Nov 2024 15:29:18 +0000 (16:29 +0100)
commit e8e00cfeb30391009391849c0194a0ff0603d78c
tree 02b9f3fc8a5dca312938702a8fbfd5eaca4a58a8
parent a10b18289b78a96de0460ee37752f300862d6686
Bug 22223: Add filter to make item URLs safe in template output

This change adds a "safe_url" filter which takes a text input and
returns a Perl URL object which stringifies to a safe URL.

This change is only needed in the OPAC as the staff interface
handles the item URL display using Javascript not Template Toolkit.

0. Apply patch and koha-plack --restart kohadev
1. Create an item for a record using the following URL
https://koha-community.org?url=https%3A%2F%2Fkoha-community.org
2. Go to the OPAC for that record and verify that the URL is
not double-escaped
3. Create a malicious payload (talk to QA/security team for this if necessary)
4. Note that the malicious payload is escaped
5. prove t/Koha/Plugins/SafeURL.t
6. Celebrate!

Signed-off-by: Lucas Gass <lucas@bywatersolutions.com>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>
Koha/Template/Plugin/SafeURL.pm [new file with mode: 0644]
koha-tmpl/opac-tmpl/bootstrap/en/modules/opac-detail.tt
t/Koha/Plugins/SafeURL.t [new file with mode: 0755]
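
The double-escaping that step 2 of the test plan checks for, shown as an added example that is not part of this commit or of Koha's code. It assumes a filter built on the CPAN URI module; `escape_as_text` and `escape_as_url` are hypothetical names, and the second sample input is constructed.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use URI;    # CPAN URI distribution (assumed to be what such a filter wraps)

# Hypothetical stand-in for an escaping filter that treats its input as
# opaque text: every character outside a fixed safe set is percent-encoded,
# including the "%" of sequences that are already encoded.
sub escape_as_text {
    my ($text) = @_;
    $text =~ s/([^A-Za-z0-9\-_.~:\/?&=])/sprintf('%%%02X', ord($1))/ge;
    return $text;
}

# Assumed approach: parse the text as a URL. URI->new percent-encodes
# characters that are not legal in a URI and leaves existing %XX
# sequences untouched, so an already encoded URL is not encoded twice.
sub escape_as_url {
    my ($text) = @_;
    return URI->new($text)->as_string;
}

my @samples = (
    # URL from step 1 of the test plan above.
    'https://koha-community.org?url=https%3A%2F%2Fkoha-community.org',
    # Constructed input containing a space, a double quote and angle brackets.
    'https://example.org/a file"<b>',
);

for my $in (@samples) {
    printf "input   : %s\n",   $in;
    printf "as text : %s\n",   escape_as_text($in);
    printf "as URL  : %s\n\n", escape_as_url($in);
}
```

For the first sample the text-style escape turns `%3A` into `%253A`, while the URL-style escape leaves it unchanged; for the second, both encode the quote and angle brackets. The example only normalises characters and does not check the URL scheme, which is a separate allowlist decision.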