[Bug 13618] Prevent XSS in the Staff Client and the OPAC



bugzilla-daemon
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=13618

Jonathan Druart <[hidden email]> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|Failed QA                   |Needs Signoff

--- Comment #222 from Jonathan Druart <[hidden email]> ---
(In reply to Owen Leonard from comment #221)
> I did what I hope was a fairly thorough test of the staff client and found
> these issues:
>
> - IntranetCirculationHomeHTML displays HTML tags as text

Done, specific patch for this pref.

> - Patron title include showing HTML:  <span
> class="patron-title">Mr&lt;/span&gt;

Done, see specific patch.

> - Patron details -> Holds tab: Alerts data from the branches table

Done, that was tricky and a part I forgot: we need to escape data using JS, see
String.prototype.escapeHtml

> - Search results page layout is broken. Looks like page-numbers.inc has a
> section missing.

Oops, wrong merge conflict resolution.

> - Crazy encoding of action buttons on Lists page
> - Incorrectly escaped HTML in Notices & slips list

Both fixed now.

> - Label batch list title encoding wrong
> - Spine label print shows HTML

Fixed but follow-ups needed (TODO LATER)

> - Administration -> Libraries: Alerts data from the branches table

It comes from opac_info, which can contain html characters.
See admin/branches.tt: library.opac_info is not escaped (" | $raw")

> - Administration -> Item types: Alerts data from the items table

Same as before for itemtype.checkinmsg. I have added a patch for the missing
$raw filter to make it explicit.

> - Item searching broken: "Unsupported format html at
> /home/vagrant/kohaclone/catalogue/itemsearch.pl line 42."

Done, that was a hard one!

_______________________________________________
Koha-bugs mailing list
[hidden email]
http://lists.koha-community.org/cgi-bin/mailman/listinfo/koha-bugs
website : http://www.koha-community.org/
git : http://git.koha-community.org/
bugs : http://bugs.koha-community.org/
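The two escaping situations the comment above touches on, shown side by side as an added example (this is not Koha's own code; the escapeHtml body, the branch record and the render helpers are assumptions): data that JavaScript inserts into the page must be escaped by the JavaScript, while markup the template itself emits must not be passed through the escaper, otherwise tags render as text, which is the "Mr&lt;/span&gt;" symptom.

```javascript
// Added example: HTML-escape helper for values that client-side code
// concatenates into markup. Assumed implementation, not the one in Koha.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

String.prototype.escapeHtml = function () {
  return String(this).replace(/[&<>"']/g, ch => HTML_ESCAPES[ch]);
};

// Constructed sample: a branches row whose name carries markup, the kind of
// data the quoted report says showed up unescaped on the Holds tab.
const branch = {
  branchcode: 'MAIN',
  branchname: 'Main <b>Library</b> "East"',
};

// Unsafe: untrusted fields concatenated straight into the row markup.
function renderBranchUnsafe(b) {
  return '<td>' + b.branchcode + '</td><td>' + b.branchname + '</td>';
}

// Safe: each data value is escaped; the <td> tags are our own markup.
function renderBranchSafe(b) {
  return '<td>' + b.branchcode.escapeHtml() + '</td><td>' + b.branchname.escapeHtml() + '</td>';
}

// Correct layering for an include that wraps a value in a span: escape the
// data once, leave the surrounding tags alone.
function renderPatronTitle(title) {
  return '<span class="patron-title">' + title.escapeHtml() + '</span>';
}

// The mistake behind the "Mr&lt;/span&gt;" report: escaping the whole
// rendered fragment, so the include's own tags are turned into entities.
function renderPatronTitleOverEscaped(title) {
  return ('<span class="patron-title">' + title + '</span>').escapeHtml();
}
```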