[Bug 19911] New: Passwords displayed to user during self-registration are not HTML-encoded


[Bug 19911] New: Passwords displayed to user during self-registration are not HTML-encoded

bugzilla-daemon
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=19911

            Bug ID: 19911
           Summary: Passwords displayed to user during self-registration
                    are not HTML-encoded
 Change sponsored?: ---
           Product: Koha
           Version: 17.11
          Hardware: All
                OS: All
            Status: NEW
          Severity: enhancement
          Priority: P5 - low
         Component: OPAC
          Assignee: [hidden email]
          Reporter: [hidden email]
        QA Contact: [hidden email]

Created attachment 70252
  -->
https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=70252&action=edit
Example of the generated password not displaying properly due to the less-than
character treated as opening HTML tag

If self-registration is enabled and the PatronSelfRegistrationPrefillForm
system preference is set to "Display and prefill," self-registered users are
shown their password upon successfully registering. If the password contains a
less-than character, browsers treat this as the beginning of an HTML element,
and so the less-than character and anything after it does not display since the
password is not HTML-encoded.

If Koha is set to generate passwords automatically during self-registration
(i.e., users are not allowed or required to enter a password in the
self-registration form), any generated password containing the less-than
character will not display correctly. Users who are expected to copy/save their
password at this time cannot do so, and there is no way to recover that
generated password.

Attached is a screenshot showing what I mean. A solution would be to HTML-encode
the passwords when they are displayed as part of the self-registration process,
regardless of whether the user must verify their e-mail address first
(opac-registration-verify.pl).

--
You are receiving this mail because:
You are watching all bug changes.
_______________________________________________
Koha-bugs mailing list
[hidden email]
http://lists.koha-community.org/cgi-bin/mailman/listinfo/koha-bugs
website : http://www.koha-community.org/
git : http://git.koha-community.org/
bugs : http://bugs.koha-community.org/

[Bug 19911] Passwords displayed to user during self-registration are not HTML-encoded

bugzilla-daemon
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=19911

Arturo <[hidden email]> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |[hidden email]


[Bug 19911] Passwords displayed to user during self-registration are not HTML-encoded

bugzilla-daemon
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=19911

Jonathan Druart <[hidden email]> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
           Severity|enhancement                 |major
                 CC|                            |[hidden email]
            Version|17.11                       |master


[Bug 19911] Passwords displayed to user during self-registration are not HTML-encoded

bugzilla-daemon
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=19911

Jonathan Druart <[hidden email]> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
           Assignee|[hidden email]              |[hidden email]


[Bug 19911] Passwords displayed to user during self-registration are not HTML-encoded

bugzilla-daemon
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=19911

Jonathan Druart <[hidden email]> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |Needs Signoff


[Bug 19911] Passwords displayed to user during self-registration are not HTML-encoded

bugzilla-daemon
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=19911

--- Comment #1 from Jonathan Druart <[hidden email]> ---
Created attachment 70253
  -->
https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=70253&action=edit
Bug 19911: Escape password value during self-registration confirmation

The password must be correctly escaped; it can contain HTML characters
and break the display.

Test plan:
Apply first patch and confirm that the display is broken
Apply second patch (this one) and confirm that the display is fixed


[Bug 19911] Passwords displayed to user during self-registration are not HTML-encoded

bugzilla-daemon
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=19911

--- Comment #2 from Jonathan Druart <[hidden email]> ---
Created attachment 70271
  -->
https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=70271&action=edit
Bug 19911: Do not escape html characters when saving passwords

When the password is not generated automatically, we should not escape
the HTML characters. Otherwise it will be changed without any warning.


[Bug 19911] Passwords displayed to user during self-registration are not HTML-encoded

bugzilla-daemon
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=19911

--- Comment #3 from Arturo <[hidden email]> ---
Thank you for the patches, Jonathan! I've tested this out on a sandbox and it
works great! There is only one issue that I found -- the <span> tag on line 45
of opac-registration-confirmation.tt is missing a closing </span> tag. Right
now both of the tags are opening tags, so it is causing an HTML validation
error.

Despite that, I was able to complete the detailed test plan below and found no
errors. These patches work both when e-mail verification is required and when
it is not. They also work when the user supplies a password and when it is
randomly generated by Koha. My full test plan is below.

These are the sample passwords I tested with:
<password>
<%20>
&nbsp;
&lt;password&gt;
<p></p>
<a href="#">link</a>
&#165;

Test plan:
1. Make sure a valid e-mail is stored in KohaAdminEmailAddress.
2. Set OpacPublic to Enable.
3. Set PatronSelfRegistration to Allow.
4. Be sure there is a valid patron category in
PatronSelfRegistrationDefaultCategory.
5. Set PatronSelfRegistrationBorrowerMandatoryField to include at least
"firstname|surname|email|password" so that these are required fields.
6. Set PatronSelfRegistrationPrefillForm to "Display and prefill" so that you
can see the password and have it prefilled.

To test when e-mail verification is NOT required:
1. Set PatronSelfRegistrationVerifyByEmail to "Don't require".
2. Go to the OPAC and fill out the self-registration form. Supply a password
that contains the less-than character.
3. Confirm that upon account creation, your password is correctly displayed on
the confirmation page.
4. Also confirm that you can log in to your account.

To test when e-mail verification IS required:
1. Be sure that OPACBaseUrl has a value since it is called by the
OPAC_REG_VERIFY e-mail template.
2. Set PatronSelfRegistrationVerifyByEmail to "Require."
3. Go to the OPAC and fill out the self-registration form. Supply a password
that contains the less-than character.
4. Follow the e-mail verification link created by Koha.
5. Confirm that upon account creation, your password is correctly displayed on
the confirmation page.
6. Also confirm that you can log in to your account.

To test when a password is generated randomly:
1. Remove "password" from the list of fields in
PatronSelfRegistrationBorrowerMandatoryField and repeat the two blocks of steps
above. Be sure that the randomly generated password contains a less-than
character and that it displays properly. Since these are generated randomly,
you may need to self-register multiple times until your generated password
contains this character.

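A small model of the two halves of the fix discussed in comments #2 and #3, added here as an example that is not Koha's code (Koha's pages are Template Toolkit templates; this is a Python stand-in): escaping at output time makes every one of Arturo's sample passwords display literally, while escaping at save time would silently change the stored secret so the user could never log in with what they were shown. The PREFIX constant and the render_* and save_* helpers are assumptions made for the illustration.

```python
import html
from html.parser import HTMLParser

# Constructed sample input: the passwords Arturo listed in comment #3.
SAMPLE_PASSWORDS = [
    "<password>",
    "<%20>",
    "&nbsp;",
    "&lt;password&gt;",
    "<p></p>",
    '<a href="#">link</a>',
    "&#165;",
]

PREFIX = "Your password is: "  # assumed confirmation-page wording


def render_confirmation_raw(password):
    """Before the fix: the password is interpolated into the page unescaped."""
    return "<p>" + PREFIX + "<strong>" + password + "</strong></p>"


def render_confirmation(password):
    """After the fix: escape at output time, so the browser shows the literal characters."""
    return "<p>" + PREFIX + "<strong>" + html.escape(password, quote=True) + "</strong></p>"


def save_password_escaped(password):
    """What the second patch avoids: escaping at save time silently alters the secret."""
    return html.escape(password, quote=True)


def save_password(password):
    """Store exactly what the user typed (a real system hashes it; hashing is left out here)."""
    return password


class _TextExtractor(HTMLParser):
    """Collect text nodes with entities decoded, roughly what a browser would render."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.parts = []

    def handle_data(self, data):
        self.parts.append(data)


def displayed_password(page):
    """Approximate what the user sees: the visible text after the fixed prefix."""
    parser = _TextExtractor()
    parser.feed(page)
    parser.close()
    text = "".join(parser.parts)
    return text[len(PREFIX):] if text.startswith(PREFIX) else text


def audit(passwords):
    """Report which passwords each approach gets wrong."""
    return {
        # display-time defect: raw interpolation hides or rewrites these
        "mangled_by_raw_render": [p for p in passwords
                                  if displayed_password(render_confirmation_raw(p)) != p],
        # correct output encoding: the displayed text must equal the password for every input
        "mangled_by_escaped_render": [p for p in passwords
                                      if displayed_password(render_confirmation(p)) != p],
        # save-time escaping changes the stored secret; plain save keeps it intact
        "altered_by_escape_on_save": [p for p in passwords if save_password_escaped(p) != p],
        "altered_by_plain_save": [p for p in passwords if save_password(p) != p],
    }


if __name__ == "__main__":
    for key, value in audit(SAMPLE_PASSWORDS).items():
        print(f"{key}: {value}")
```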

[Bug 19911] Passwords displayed to user during self-registration are not HTML-encoded

bugzilla-daemon
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=19911

Jonathan Druart <[hidden email]> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
  Attachment #70253|0                           |1
        is obsolete|                            |

--- Comment #4 from Jonathan Druart <[hidden email]> ---
Created attachment 70289
  -->
https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=70289&action=edit
Bug 19911: Escape password value during self-registration confirmation

The password must be correctly escaped; it can contain HTML characters
and break the display.

Test plan:
Apply first patch and confirm that the display is broken
Apply second patch (this one) and confirm that the display is fixed


[Bug 19911] Passwords displayed to user during self-registration are not HTML-encoded

bugzilla-daemon
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=19911

Jonathan Druart <[hidden email]> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
         Depends on|                            |19918

--- Comment #5 from Jonathan Druart <[hidden email]> ---
(In reply to Arturo from comment #3)
> Thank you for the patches, Jonathan! I've tested this out on a sandbox and
> it works great! There is only one issue that I found -- the <span> tag on
> line 45 of opac-registration-confirmation.tt is missing a closing </span>
> tag. Right now both of the tags are opening tags, so it is causing an HTML
> validation error.

Well spotted!
I have opened, filled and pushed bug 19918 to fix that.
And rebased the patch on top.


Referenced Bugs:

https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=19918
[Bug 19918] span tag not closed in opac-registration-confirmation.tt

[Bug 19911] Passwords displayed to user during self-registration are not HTML-encoded

bugzilla-daemon
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=19911

[hidden email] <[hidden email]> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |[hidden email]
             Status|Needs Signoff               |Signed Off

--- Comment #6 from [hidden email] <[hidden email]> ---
Patch tested with a sandbox, by Arturo <[hidden email]>


[Bug 19911] Passwords displayed to user during self-registration are not HTML-encoded

bugzilla-daemon
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=19911

[hidden email] <[hidden email]> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
  Attachment #70271|0                           |1
        is obsolete|                            |


[Bug 19911] Passwords displayed to user during self-registration are not HTML-encoded

bugzilla-daemon
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=19911

[hidden email] <[hidden email]> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
  Attachment #70289|0                           |1
        is obsolete|                            |


[Bug 19911] Passwords displayed to user during self-registration are not HTML-encoded

bugzilla-daemon
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=19911

--- Comment #7 from [hidden email] <[hidden email]> ---
Created attachment 70308
  -->
https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=70308&action=edit
Bug 19911: Do not escape html characters when saving passwords

When the password is not generated automatically, we should not escape
the HTML characters. Otherwise it will be changed without any warning.

Signed-off-by: Arturo <[hidden email]>


[Bug 19911] Passwords displayed to user during self-registration are not HTML-encoded

bugzilla-daemon
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=19911

--- Comment #8 from [hidden email] <[hidden email]> ---
Created attachment 70309
  -->
https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=70309&action=edit
Bug 19911: Escape password value during self-registration confirmation

The password must be correctly escaped; it can contain HTML characters
and break the display.

Test plan:
Apply first patch and confirm that the display is broken
Apply second patch (this one) and confirm that the display is fixed

Signed-off-by: Arturo <[hidden email]>


[Bug 19911] Passwords displayed to user during self-registration are not HTML-encoded

bugzilla-daemon
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=19911

--- Comment #9 from Arturo <[hidden email]> ---
Just tested again and it looks great to me. Thank you for your work on this,
Jonathan!


[Bug 19911] Passwords displayed to user during self-registration are not HTML-encoded

bugzilla-daemon
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=19911

Katrin Fischer <[hidden email]> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |[hidden email]
         QA Contact|[hidden email]              |[hidden email]


[Bug 19911] Passwords displayed to user during self-registration are not HTML-encoded

bugzilla-daemon
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=19911

Katrin Fischer <[hidden email]> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
  Attachment #70308|0                           |1
        is obsolete|                            |

--- Comment #10 from Katrin Fischer <[hidden email]> ---
Created attachment 70445
  -->
https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=70445&action=edit
Bug 19911: Do not escape html characters when saving passwords

When the password is not generated automatically, we should not escape
the HTML characters. Otherwise it will be changed without any warning.

Signed-off-by: Arturo <[hidden email]>

Signed-off-by: Katrin Fischer <[hidden email]>


[Bug 19911] Passwords displayed to user during self-registration are not HTML-encoded

bugzilla-daemon
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=19911

Katrin Fischer <[hidden email]> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
  Attachment #70309|0                           |1
        is obsolete|                            |

--- Comment #11 from Katrin Fischer <[hidden email]> ---
Created attachment 70446
  -->
https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=70446&action=edit
Bug 19911: Escape password value during self-registration confirmation

The password must be correctly escaped; it can contain HTML characters
and break the display.

Test plan:
Apply first patch and confirm that the display is broken
Apply second patch (this one) and confirm that the display is fixed

Signed-off-by: Arturo <[hidden email]>

Signed-off-by: Katrin Fischer <[hidden email]>


[Bug 19911] Passwords displayed to user during self-registration are not HTML-encoded

bugzilla-daemon
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=19911

Katrin Fischer <[hidden email]> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|Signed Off                  |Passed QA

--- Comment #12 from Katrin Fischer <[hidden email]> ---
Thx, Arturo, for documenting your tests and the sign-off!


[Bug 19911] Passwords displayed to user during self-registration are not HTML-encoded

bugzilla-daemon
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=19911

Jonathan Druart <[hidden email]> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|Passed QA                   |Pushed to Master

--- Comment #13 from Jonathan Druart <[hidden email]> ---
Pushed to master for 18.05, thanks to everybody involved!
