[Koha-bugs] [Bug 13618] Prevent XSS in the Staff Client and the OPAC

2018-09-28 Thread bugzilla-daemon
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=13618

--- Comment #256 from Nick Clemens  ---
*** Bug 20869 has been marked as a duplicate of this bug. ***

-- 
You are receiving this mail because:
You are watching all bug changes.
___
Koha-bugs mailing list
Koha-bugs@lists.koha-community.org
http://lists.koha-community.org/cgi-bin/mailman/listinfo/koha-bugs
website : http://www.koha-community.org/
git : http://git.koha-community.org/
bugs : http://bugs.koha-community.org/


[Koha-bugs] [Bug 13618] Prevent XSS in the Staff Client and the OPAC

2018-09-28 Thread bugzilla-daemon
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=13618

--- Comment #257 from Nick Clemens  ---
*** Bug 20870 has been marked as a duplicate of this bug. ***


[Koha-bugs] [Bug 13618] Prevent XSS in the Staff Client and the OPAC

2018-09-28 Thread bugzilla-daemon
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=13618

--- Comment #255 from Nick Clemens  ---
*** Bug 20871 has been marked as a duplicate of this bug. ***


[Koha-bugs] [Bug 13618] Prevent XSS in the Staff Client and the OPAC

2018-09-28 Thread bugzilla-daemon
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=13618

--- Comment #254 from Nick Clemens  ---
*** Bug 20872 has been marked as a duplicate of this bug. ***


[Koha-bugs] [Bug 13618] Prevent XSS in the Staff Client and the OPAC

2018-09-28 Thread bugzilla-daemon
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=13618

Nick Clemens  changed:

   What|Removed |Added

 CC||amitddng...@gmail.com

--- Comment #252 from Nick Clemens  ---
*** Bug 20874 has been marked as a duplicate of this bug. ***


[Koha-bugs] [Bug 13618] Prevent XSS in the Staff Client and the OPAC

2018-09-28 Thread bugzilla-daemon
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=13618

--- Comment #253 from Nick Clemens  ---
*** Bug 20873 has been marked as a duplicate of this bug. ***


[Koha-bugs] [Bug 13618] Prevent XSS in the Staff Client and the OPAC

2018-09-26 Thread bugzilla-daemon
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=13618

Owen Leonard  changed:

   What|Removed |Added

 Blocks||21418


Referenced Bugs:

https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=21418
[Bug 21418] Incorrectly filtered markup in staff client lists

[Koha-bugs] [Bug 13618] Prevent XSS in the Staff Client and the OPAC

2018-09-26 Thread bugzilla-daemon
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=13618

--- Comment #251 from Nick Clemens  ---
Created attachment 79404
  -->
https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=79404&action=edit
Bug 13618: (follow-up) Pass opacuser_js from plugins as raw

We expect this field to contain script tags, html processing breaks them


[Koha-bugs] [Bug 13618] Prevent XSS in the Staff Client and the OPAC

2018-09-21 Thread bugzilla-daemon
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=13618

Jonathan Druart  changed:

   What|Removed |Added

 Blocks||21393


Referenced Bugs:

https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=21393
[Bug 21393] Make template filter checks code reusable

[Koha-bugs] [Bug 13618] Prevent XSS in the Staff Client and the OPAC

2018-09-15 Thread bugzilla-daemon
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=13618

Jonathan Druart  changed:

   What|Removed |Added

 Blocks||21347


Referenced Bugs:

https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=21347
[Bug 21347] bad code for input field in item information tab of addorderiso2709 page

[Koha-bugs] [Bug 13618] Prevent XSS in the Staff Client and the OPAC

2018-09-14 Thread bugzilla-daemon
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=13618

--- Comment #250 from Marcel de Rooy  ---
Lesson pasted from bug 21293:

All occurrences of [% var = something | html %] are error prone. If something
is not a string, but an object, array, hash etc., we are in trouble.
This probably needs more attention since we are passing objects to templates in
more scripts.


[Koha-bugs] [Bug 13618] Prevent XSS in the Staff Client and the OPAC

2018-09-07 Thread bugzilla-daemon
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=13618

--- Comment #249 from Nick Clemens  ---
(In reply to Jonathan Druart from comment #248)
> Created attachment 78415 [details] [review]
> Bug 13618: Do not use html filters with KohaSpan
> 
> To recreate the issue:
> Go to Home › Administration › Library groups
> Create a new group
>  "Group xxx created."
> 
> Signed-off-by: Jonathan Druart 

Followup pushed to master


[Koha-bugs] [Bug 13618] Prevent XSS in the Staff Client and the OPAC

2018-09-04 Thread bugzilla-daemon
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=13618

--- Comment #248 from Jonathan Druart  ---
Created attachment 78415
  -->
https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=78415&action=edit
Bug 13618: Do not use html filters with KohaSpan

To recreate the issue:
Go to Home › Administration › Library groups
Create a new group
 "Group xxx created."

Signed-off-by: Jonathan Druart 


[Koha-bugs] [Bug 13618] Prevent XSS in the Staff Client and the OPAC

2018-08-30 Thread bugzilla-daemon
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=13618

Owen Leonard  changed:

   What|Removed |Added

 Blocks||21293


Referenced Bugs:

https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=21293
[Bug 21293] Display of housebound delivery information broken by Bug 13618

[Koha-bugs] [Bug 13618] Prevent XSS in the Staff Client and the OPAC

2018-08-30 Thread bugzilla-daemon
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=13618

--- Comment #247 from Nick Clemens  ---
(In reply to Jonathan Druart from comment #245)
> Created attachment 78274 [details] [review]
> Bug 13618: (follow-up) Add html filters to all the variables

Followup pushed to master


[Koha-bugs] [Bug 13618] Prevent XSS in the Staff Client and the OPAC

2018-08-29 Thread bugzilla-daemon
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=13618

Jonathan Druart  changed:

   What|Removed |Added

 Blocks||21279


Referenced Bugs:

https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=21279
[Bug 21279] Transport cost matrix shows html entity in all empty cells

[Koha-bugs] [Bug 13618] Prevent XSS in the Staff Client and the OPAC

2018-08-29 Thread bugzilla-daemon
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=13618

--- Comment #246 from Jonathan Druart  ---
Thanks Ere for reporting it!


[Koha-bugs] [Bug 13618] Prevent XSS in the Staff Client and the OPAC

2018-08-29 Thread bugzilla-daemon
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=13618

--- Comment #245 from Jonathan Druart  ---
Created attachment 78274
  -->
https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=78274&action=edit
Bug 13618: (follow-up) Add html filters to all the variables


[Koha-bugs] [Bug 13618] Prevent XSS in the Staff Client and the OPAC

2018-08-27 Thread bugzilla-daemon
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=13618

Ere Maijala  changed:

   What|Removed |Added

 CC||ere.maij...@helsinki.fi

--- Comment #244 from Ere Maijala  ---
Looks like escaping was added also to places where it doesn't belong. The
examples I stumbled on were just setting a variable:

https://github.com/Koha-Community/Koha/blob/master/koha-tmpl/intranet-tmpl/prog/en/modules/catalogue/detail.tt#L328

and 

https://github.com/Koha-Community/Koha/blob/master/koha-tmpl/intranet-tmpl/prog/en/modules/catalogue/detail.tt#L330


[Koha-bugs] [Bug 13618] Prevent XSS in the Staff Client and the OPAC

2018-08-25 Thread bugzilla-daemon
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=13618

--- Comment #243 from Nick Clemens  ---
(In reply to Jonathan Druart from comment #242)
> Created attachment 78158 [details] [review]
> Bug 13618: (follow-up) Manually replace missing .raw
> 
> Must be |$raw, not |raw
> 
> Error:
> Template process failed: undef error - raw: filter not found at
> /home/vagrant/kohaclone/C4/Templates.pm line 122
> 
> To recreate:
> Add a new restriction and visit circulation.pl?borrowernumber=42

Followup pushed to master


[Koha-bugs] [Bug 13618] Prevent XSS in the Staff Client and the OPAC

2018-08-24 Thread bugzilla-daemon
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=13618

--- Comment #242 from Jonathan Druart  ---
Created attachment 78158
  -->
https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=78158&action=edit
Bug 13618: (follow-up) Manually replace missing .raw

Must be |$raw, not |raw

Error:
Template process failed: undef error - raw: filter not found at
/home/vagrant/kohaclone/C4/Templates.pm line 122

To recreate:
Add a new restriction and visit circulation.pl?borrowernumber=42


[Koha-bugs] [Bug 13618] Prevent XSS in the Staff Client and the OPAC

2018-08-22 Thread bugzilla-daemon
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=13618

Nick Clemens  changed:

   What|Removed |Added

 Blocks||21257


Referenced Bugs:

https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=21257
[Bug 21257] Patrons checkout table throws JS error when location/collection not defined

[Koha-bugs] [Bug 13618] Prevent XSS in the Staff Client and the OPAC

2018-08-17 Thread bugzilla-daemon
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=13618

--- Comment #241 from Jonathan Druart  ---
Coding guidelines:
https://wiki.koha-community.org/wiki/Coding_Guidelines#HTML9:_filter_all_the_variables


[Koha-bugs] [Bug 13618] Prevent XSS in the Staff Client and the OPAC

2018-08-17 Thread bugzilla-daemon
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=13618

--- Comment #240 from Nick Clemens  ---
(In reply to Jonathan Druart from comment #239)
> Created attachment 77998 [details] [review]
> Bug 13618: Fix xt/tt_valid.t
> 
> We are going to say it quietly but this test does not catch the problem
> when there are no spaces
> 
> Signed-off-by: Jonathan Druart 

Followup pushed to master


[Koha-bugs] [Bug 13618] Prevent XSS in the Staff Client and the OPAC

2018-08-17 Thread bugzilla-daemon
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=13618

Jonathan Druart  changed:

   What|Removed |Added

  Attachment #77997|0   |1
is obsolete||

--- Comment #239 from Jonathan Druart  ---
Created attachment 77998
  -->
https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=77998&action=edit
Bug 13618: Fix xt/tt_valid.t

We are going to say it quietly but this test does not catch the problem
when there are no spaces

Signed-off-by: Jonathan Druart 

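A small directive checker in the spirit of the HTML9 guideline (comment #241), the xt/tt_valid.t fix above (comment #239, the no-spaces case) and Marcel's warning about filtered assignments (comment #250). This is an added illustration written for this thread, not Koha's xt/tt_valid.t or the bug 21393 code; its keyword list, its accepted-filter set and the sample template are assumptions.

```javascript
// Template Toolkit directive checker in the spirit of Koha's HTML9 guideline
// ("filter all the variables"). Added illustration for this thread; it is not
// Koha's xt/tt_valid.t, and its keyword and filter lists are assumptions.

// Directives that control flow or declare things and never print a value.
const NON_OUTPUT = new Set([
  'USE', 'IF', 'ELSIF', 'ELSE', 'UNLESS', 'END', 'FOREACH', 'WHILE', 'SET',
  'INCLUDE', 'PROCESS', 'BLOCK', 'SWITCH', 'CASE', 'DEFAULT', 'LAST', 'NEXT',
  'RETURN', 'STOP', 'FILTER', 'MACRO', 'TRY', 'CATCH', 'FINAL', 'THROW',
  'WRAPPER', 'INSERT', 'META', 'TAGS', 'CALL', 'DEBUG', 'CLEAR',
]);

// Filters accepted as the last step of an output chain. "$raw" is the explicit
// opt-out the thread uses for fields that really do carry markup.
const SAFE_FILTERS = new Set(['html', 'uri', 'url', '$raw']);

function lineOf(text, index) {
  return text.slice(0, index).split('\n').length;
}

// Returns [{ line, kind, expr }] for every directive that violates the rule.
function checkTemplate(text) {
  const findings = [];
  // Tolerates chomp markers and missing whitespace, so [%var%] is seen too:
  // the case the original xt/tt_valid.t check missed (comment #239).
  const directive = /\[%-?\s*([\s\S]*?)\s*-?%\]/g;
  let m;
  while ((m = directive.exec(text)) !== null) {
    const body = m[1];
    const line = lineOf(text, m.index);
    if (body.startsWith('#')) continue;                 // [%# comment %]
    const keyword = body.match(/^[A-Z]+\b/);
    if (keyword && NON_OUTPUT.has(keyword[0])) continue;
    const filters = [...body.matchAll(/\|\s*(\$?\w+)/g)].map(f => f[1]);
    const assign = body.match(/^([\w.]+)\s*=[^=]/);
    if (assign) {
      // [% var = something | html %] filters the value being stored, which
      // breaks objects, arrays and hashes (comment #250, attachment 77997).
      if (filters.length) findings.push({ line, kind: 'filter-on-assignment', expr: assign[1] });
      continue;
    }
    const last = filters[filters.length - 1];
    if (!last || !SAFE_FILTERS.has(last)) {
      findings.push({ line, kind: 'missing-filter', expr: body.split('|')[0].trim() });
    }
  }
  return findings;
}

// Constructed sample template exercising the cases discussed in the thread.
const SAMPLE_TEMPLATE = [
  '[% USE raw %]',                                                        // 1
  '<h1>[% title | html %]</h1>',                                          // 2
  '<p>[% library.opac_info | $raw %]</p>',                                // 3
  '<span class="patron-title">[% patron.title %]</span>',                 // 4: no filter
  '[%borrowername%]',                                                     // 5: no filter, no spaces
  '[% items = all_items | html %]',                                       // 6: filtered assignment
  '[% FOREACH i IN items %]<li>[% i.barcode | html %]</li>[% END %]',     // 7
  '<a href="circulation.pl?borrowernumber=[% borrowernumber | uri %]">',  // 8
  '[%# a comment is never output %]',                                     // 9
].join('\n');

function formatFindings(findings) {
  return findings.map(f => `line ${f.line}: ${f.kind} (${f.expr})`);
}

console.log(formatFindings(checkTemplate(SAMPLE_TEMPLATE)).join('\n'));
```

Run against a real .tt file the checker reports lines 4, 5 and 6 of the sample: two unfiltered outputs (one without spaces) and one filtered assignment.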


[Koha-bugs] [Bug 13618] Prevent XSS in the Staff Client and the OPAC

2018-08-17 Thread bugzilla-daemon
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=13618

--- Comment #238 from Jonathan Druart  ---
Created attachment 77997
  -->
https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=77997&action=edit
Bug 13618: Remove filter when assigning array


[Koha-bugs] [Bug 13618] Prevent XSS in the Staff Client and the OPAC

2018-08-17 Thread bugzilla-daemon
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=13618

Nick Clemens  changed:

   What|Removed |Added

 CC||n...@bywatersolutions.com
 Status|Passed QA   |Pushed to Master

--- Comment #237 from Nick Clemens  ---
Awesome work all, special thanks to Jonathan for working on this one for so
long and to everyone who helped along the way.

Pushed to master for 18.11


[Koha-bugs] [Bug 13618] Prevent XSS in the Staff Client and the OPAC

2018-08-14 Thread bugzilla-daemon
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=13618

--- Comment #236 from Jonathan Druart  ---
Created attachment 77809
  -->
https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=77809&action=edit
patches_to_be_pushed.tar.gz

For reference.


[Koha-bugs] [Bug 13618] Prevent XSS in the Staff Client and the OPAC

2018-08-14 Thread bugzilla-daemon
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=13618

Jonathan Druart  changed:

   What|Removed |Added

 Status|Signed Off  |Passed QA


[Koha-bugs] [Bug 13618] Prevent XSS in the Staff Client and the OPAC

2018-08-14 Thread bugzilla-daemon
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=13618

Jonathan Druart  changed:

   What|Removed |Added

   Keywords|dependency  |

--- Comment #235 from Jonathan Druart  ---
The two patches used to build this patchset and test it have been attached to
this bug report.

Others are not as the first one is too big (413 Request Entity Too Large).
Martin's Signed-off-by lines have been added to my remote branch and the "DO
NOT PUSH" patches removed.


[Koha-bugs] [Bug 13618] Prevent XSS in the Staff Client and the OPAC

2018-08-14 Thread bugzilla-daemon
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=13618

Jonathan Druart  changed:

   What|Removed |Added

 Status|Needs Signoff   |Signed Off


[Koha-bugs] [Bug 13618] Prevent XSS in the Staff Client and the OPAC

2018-08-14 Thread bugzilla-daemon
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=13618

--- Comment #234 from Jonathan Druart  ---
Created attachment 77808
  -->
https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=77808&action=edit
Bug 13618: [DO NOT PUSH] Add script to add the html filters

Usage: perl add_html_filters.pl **/*.inc **/*.tt
It also takes --test for debugging

Then:
git grep Asset|grep -v USE | grep -v '| $raw'
=> We should deal with them on a separate commit

Signed-off-by: Owen Leonard 

Signed-off-by: Martin Renvoize 


[Koha-bugs] [Bug 13618] Prevent XSS in the Staff Client and the OPAC

2018-08-14 Thread bugzilla-daemon
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=13618

Jonathan Druart  changed:

   What|Removed |Added

  Attachment #77806|0   |1
is obsolete||

--- Comment #233 from Jonathan Druart  ---
Created attachment 77807
  -->
https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=77807&action=edit
Bug 13618: [DO NOT PUSH] have fun

In order to generate quickly a lot of relevant data I have modified a
bit TestBuilder->_gen_text to insert 

[Koha-bugs] [Bug 13618] Prevent XSS in the Staff Client and the OPAC

2018-08-14 Thread bugzilla-daemon
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=13618

--- Comment #232 from Martin Renvoize  ---
I was going to upload the patches for you Nick, but it turns out some of them
are too large for bugzilla so Jonathan is adding my signoff lines to his
tracking branch on gitlab ;)

Note, bug 15717 is rolled into this branch patchset.. it all checks out too ;)


[Koha-bugs] [Bug 13618] Prevent XSS in the Staff Client and the OPAC

2018-08-14 Thread bugzilla-daemon
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=13618

Jonathan Druart  changed:

   What|Removed |Added

  Attachment #77805|0   |1
is obsolete||

--- Comment #231 from Jonathan Druart  ---
Created attachment 77806
  -->
https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=77806&action=edit
Bug 13618: [DO NOT PUSH] have fun

In order to generate quickly a lot of relevant data I have modified a
bit TestBuilder->_gen_text to insert 

[Koha-bugs] [Bug 13618] Prevent XSS in the Staff Client and the OPAC

2018-08-14 Thread bugzilla-daemon
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=13618

Jonathan Druart  changed:

   What|Removed |Added

 Status|Passed QA   |Needs Signoff


[Koha-bugs] [Bug 13618] Prevent XSS in the Staff Client and the OPAC

2018-08-14 Thread bugzilla-daemon
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=13618

Martin Renvoize  changed:

   What|Removed |Added

  Attachment #77804|0   |1
is obsolete||

--- Comment #230 from Martin Renvoize  ---
Created attachment 77805
  -->
https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=77805&action=edit
Bug 13618: [DO NOT PUSH] have fun

In order to generate quickly a lot of relevant data I have modified a
bit TestBuilder->_gen_text to insert 

[Koha-bugs] [Bug 13618] Prevent XSS in the Staff Client and the OPAC

2018-08-14 Thread bugzilla-daemon
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=13618

--- Comment #229 from Martin Renvoize  ---
Created attachment 77804
  -->
https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=77804&action=edit
Bug 13618: [DO NOT PUSH] have fun

In order to generate quickly a lot of relevant data I have modified a
bit TestBuilder->_gen_text to insert 

[Koha-bugs] [Bug 13618] Prevent XSS in the Staff Client and the OPAC

2018-08-14 Thread bugzilla-daemon
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=13618

Martin Renvoize  changed:

   What|Removed |Added

 Status|Signed Off  |Passed QA

--- Comment #228 from Martin Renvoize  ---
I've spent a few hours with this one this evening...

The QA script raises a few warnings, but I think they're false positives or
pre-existing issues in all cases at this point.

I'm sure there will be issues with a patchset of this magnitude, but I am
confident we will correct them before release and that they would not be caught
at this point by delaying any further.

**
Passing QA
**


[Koha-bugs] [Bug 13618] Prevent XSS in the Staff Client and the OPAC

2018-08-14 Thread bugzilla-daemon
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=13618

--- Comment #227 from Jonathan Druart  ---
(In reply to Owen Leonard from comment #226)
> I have tested this to the best of my ability and found it to be working!
> 
> 
> ** Signed off **
> 

Signed-off-by lines added to the remote branch, thanks for testing!

I also have rebased the remote branch against master.


[Koha-bugs] [Bug 13618] Prevent XSS in the Staff Client and the OPAC

2018-08-14 Thread bugzilla-daemon
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=13618

Owen Leonard  changed:

   What|Removed |Added

 Status|Needs Signoff   |Signed Off

--- Comment #226 from Owen Leonard  ---
I have tested this to the best of my ability and found it to be working!


** Signed off **



[Koha-bugs] [Bug 13618] Prevent XSS in the Staff Client and the OPAC

2018-08-13 Thread bugzilla-daemon
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=13618

Jonathan Druart  changed:

   What|Removed |Added

 Status|Failed QA   |Needs Signoff

--- Comment #225 from Jonathan Druart  ---
(In reply to Owen Leonard from comment #224)
> Found two more issues:
> 
> - The branches table is alerting something on ILL requests -> New request

This comes from ILL backends (not in Koha).

> - IntranetUserJS incorrectly outputs encoded HTML entities

Fixed in a new patch.


[Koha-bugs] [Bug 13618] Prevent XSS in the Staff Client and the OPAC

2018-08-13 Thread bugzilla-daemon
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=13618

Owen Leonard  changed:

   What|Removed |Added

 Status|Needs Signoff   |Failed QA

--- Comment #224 from Owen Leonard  ---
Found two more issues:

- The branches table is alerting something on ILL requests -> New request
- IntranetUserJS incorrectly outputs encoded HTML entities


[Koha-bugs] [Bug 13618] Prevent XSS in the Staff Client and the OPAC

2018-08-09 Thread bugzilla-daemon
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=13618

Jonathan Druart  changed:

   What|Removed |Added

 Status|Failed QA   |Needs Signoff

--- Comment #222 from Jonathan Druart  ---
(In reply to Owen Leonard from comment #221)
> I did what I hope was a fairly thorough test of the staff client and found
> these issues:
> 
> - IntranetCirculationHomeHTML displays HTML tags as text

Done, specific patch for this pref.

> - Patron title include showing HTML:   class="patron-title">Mr

Done, see specific patch.

> - Patron details -> Holds tab: Alerts data from the branches table

Done, that was tricky and a part I forgot: we need to escape data using JS, see
String.prototype.escapeHtml

> - Search results page layout is broken. Looks like page-numbers.inc has a
> section missing.

Ooops, wrong merge conflict resolution.

> - Crazy encoding of action buttons on Lists page
> - Incorrectly escaped HTML in Notices & slips list

Both fixed now.

> - Label batch list title encoding wrong
> - Spine label print shows HTML

Fixed but follow-ups needed (TODO LATER)

> - Administration -> Libraries: Alerts data from the branches table

It comes from opac_info, which can contain html characters.
See admin/branches.tt: library.opac_info is not escaped (" | $raw")

> - Administration -> Item types: Alerts data from the items table

Same as before for itemtype.checkinmsg. I have added a patch for the missing
$raw filter to make it explicit.

> - Item searching broken: "Unsupported format html at
> /home/vagrant/kohaclone/catalogue/itemsearch.pl line 42."

Done, that was a hard one!
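
The JS-side escape the reply above refers to, as an added example that is not Koha's code: the escapeHtml helper is an assumption modelled on the String.prototype.escapeHtml mentioned in the thread, and the "only opac_info is trusted HTML" rule is an assumption standing in for the $raw exception.

```javascript
'use strict';

// Added example, not Koha's code. Escape server-supplied data on the client
// before it is inserted into the DOM. The point from the thread: the TT
// "| html" filter protects values written straight into the page, but values
// that are first handed to JavaScript (the branches table rendered in the
// Holds tab) need a JS-side escape as well. "escapeHtml" here is an assumption
// modelled on the String.prototype.escapeHtml the reply mentions.

const HTML_ESCAPES = Object.freeze({
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#39;',
});

// Escape the five characters that can open a tag or end an attribute value.
// Escape exactly once, at the point of insertion: escaping a value that was
// already escaped server-side produces the doubly encoded entities reported
// for IntranetUserJS in this thread.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Columns whose content is admin-authored HTML and is meant to pass through
// unescaped: the client-side counterpart of the "$raw" TT filter used for
// branches.opac_info. Assumption for this example: only opac_info is trusted.
const RAW_FIELDS = new Set(['opac_info']);

function renderCell(branch, field) {
  const value = branch[field] == null ? '' : String(branch[field]);
  return RAW_FIELDS.has(field) ? value : escapeHtml(value);
}

// Build one table row from a branch object the server serialised to JSON.
// Every value outside RAW_FIELDS is escaped, attribute values included.
function renderBranchRow(branch) {
  return (
    '<tr data-code="' + escapeHtml(branch.branchcode) + '">' +
    '<td>' + renderCell(branch, 'branchcode') + '</td>' +
    '<td>' + renderCell(branch, 'branchname') + '</td>' +
    '<td>' + renderCell(branch, 'opac_info') + '</td>' +
    '</tr>'
  );
}

// Constructed sample record: a branch name containing markup characters and
// an opac_info column that legitimately holds HTML.
const SAMPLE_BRANCH = {
  branchcode: 'CPL',
  branchname: 'Centerville <Main> & "Annex"',
  opac_info: '<p>Open 9-5</p>',
};

if (typeof require !== 'undefined' && require.main === module) {
  console.log(renderBranchRow(SAMPLE_BRANCH));
}
```
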

[Koha-bugs] [Bug 13618] Prevent XSS in the Staff Client and the OPAC

2018-08-08 Thread bugzilla-daemon
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=13618

Owen Leonard  changed:

   What|Removed |Added

 Status|Needs Signoff   |Failed QA

--- Comment #221 from Owen Leonard  ---
I did what I hope was a fairly thorough test of the staff client and found
these issues:

- IntranetCirculationHomeHTML displays HTML tags as text
- Patron title include showing HTML:  Mr
- Patron details -> Holds tab: Alerts data from the branches table
- Search results page layout is broken. Looks like page-numbers.inc has a
section missing.
- Crazy encoding of action buttons on Lists page
- Incorrectly escaped HTML in Notices & slips list
- Label batch list title encoding wrong
- Spine label print shows HTML
- Administration -> Libraries: Alerts data from the branches table
- Administration -> Item types: Alerts data from the items table
- Item searching broken: "Unsupported format html at
/home/vagrant/kohaclone/catalogue/itemsearch.pl line 42."

[Koha-bugs] [Bug 13618] Prevent XSS in the Staff Client and the OPAC

2018-07-20 Thread bugzilla-daemon
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=13618

--- Comment #220 from Martin Renvoize  ---
Looks to be going along the right lines to me, I like the approach and can see
it leading to a much better base to start with.

Maintaining it going forward is the next challenge.. hopefully some carefully
placed git hooks could help there, or adding some logic to the qa script to try
and catch them?

I've also often wondered about having a community arachni server (or some other
automated penetration testing system) setup and hitting a clone of master
regularly... think I've brought that idea up before but didn't have the time to
pursue it.

[Koha-bugs] [Bug 13618] Prevent XSS in the Staff Client and the OPAC

2018-07-19 Thread bugzilla-daemon
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=13618

--- Comment #219 from Jonathan Druart ---
I am back!

Next version has been pushed to the remote branch -
https://gitlab.com/joubu/Koha/commits/bug_13618

Here is commit message of the main patch:

As we did not fix the performance issue when autofiltering
the variables (see bug 20975), the only solution we have is to add the
filters explicitly.

This patch has been autogenerated (using add_html_filters.pl, see next
patches) and adds the html filter to all the variables displayed in the
templates.
Exceptions are made (using the new 'raw' TT filter) for the variables we
already listed in the previous versions of this patch.

To test:
- Use t/db_dependent/Koha/Patrons.t to populate your DB with autogenerated
data which contain 
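
A check in the spirit of the "catch the missing filters" idea discussed in this thread (the explicit-filter approach in comment #219 and the QA-script suggestion in comment #220), as an added example that is neither Koha's add_html_filters.pl nor its QA script; the keyword list, the accepted filter names and the sample template are assumptions constructed for this example.

```javascript
'use strict';

// Added example, not Koha's add_html_filters.pl or its QA script. A small
// linter in the spirit of "catch the missing filters" from this thread: scan
// Template Toolkit source and report output directives whose filter chain does
// not end in an HTML-safe filter or the explicit "$raw" marker. The keyword
// list and the set of accepted filter names are assumptions for this example.

// Directives that control flow, assign or include; they emit no variable.
const NON_OUTPUT_KEYWORDS = new Set([
  'IF', 'UNLESS', 'ELSIF', 'ELSE', 'END', 'FOREACH', 'WHILE', 'SWITCH', 'CASE',
  'SET', 'DEFAULT', 'USE', 'INCLUDE', 'PROCESS', 'BLOCK', 'WRAPPER', 'MACRO',
  'CALL', 'RETURN', 'STOP', 'NEXT', 'LAST', 'TRY', 'CATCH', 'FINAL', 'THROW',
  'FILTER', 'PERL', 'RAWPERL', 'META', 'TAGS', 'DEBUG', 'CLEAR', 'INSERT',
]);

// Filters accepted as the final step before the value reaches the page.
// "$raw" is the deliberate opt-out the thread adds for columns such as
// branches.opac_info that are meant to hold HTML.
const SAFE_FINAL_FILTERS = new Set([
  'html', 'html_entity', 'html_line_break', 'uri', 'url', '$raw',
]);

// One TT directive, with optional chomp markers: [% ... %], [%- ... -%]
const DIRECTIVE_RE = /\[%-?\s*(.*?)\s*-?%\]/gs;

function lineNumberAt(source, index) {
  let line = 1;
  for (let i = 0; i < index; i++) if (source[i] === '\n') line++;
  return line;
}

// Return findings as {line, directive, reason} for one template source.
function findUnfilteredOutput(source) {
  const findings = [];
  for (const m of source.matchAll(DIRECTIVE_RE)) {
    const body = m[1];
    if (!body || body.startsWith('#')) continue;       // empty or [%# comment %]
    const firstWord = body.split(/[\s(]/, 1)[0];
    if (NON_OUTPUT_KEYWORDS.has(firstWord)) continue;
    if (/^[\w.]+\s*=(?!=)/.test(body)) continue;        // implicit SET: [% x = 1 %]
    // The last "| filter" segment decides what is written to the page.
    const chain = body.split('|').map((s) => s.trim());
    const lastFilter = chain.length > 1
      ? chain[chain.length - 1].split(/[\s(]/, 1)[0]
      : null;
    if (lastFilter !== null && SAFE_FINAL_FILTERS.has(lastFilter)) continue;
    findings.push({
      line: lineNumberAt(source, m.index),
      directive: m[0],
      reason: lastFilter === null
        ? 'no filter'
        : `last filter "${lastFilter}" is not an HTML-safe filter`,
    });
  }
  return findings;
}

// Constructed sample template mixing correct, opted-out and missing filters.
const SAMPLE_TEMPLATE = [
  '[% USE raw %]',
  '[% IF library %]',
  '  <h1>[% library.branchname | html %]</h1>',
  '  <div>[% library.opac_info | $raw %]</div>',
  '  <p>[% library.branchaddress1 %]</p>',
  '  [%# a comment, never output %]',
  '  <a href="[% url | uri %]">[% label | html_entity %]</a>',
  '[% END %]',
  '[% itemtype.checkinmsg | upper %]',
].join('\n');

if (typeof require !== 'undefined' && require.main === module) {
  for (const f of findUnfilteredOutput(SAMPLE_TEMPLATE)) {
    console.log(`line ${f.line}: ${f.directive} (${f.reason})`);
  }
}
```
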

[Koha-bugs] [Bug 13618] Prevent XSS in the Staff Client and the OPAC

2018-06-21 Thread bugzilla-daemon
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=13618

--- Comment #218 from Jonathan Druart ---
(In reply to Jonathan Druart from comment #217)
> Patches have been rebased, adjusted for master and pushed to
> https://gitlab.com/joubu/Koha/tree/bug_13618
> 
> They do not deal with performance issues but are ready to be tested (to
> catch missing .raw)

No need to test if we do not have a solution on bug 20975.

[Koha-bugs] [Bug 13618] Prevent XSS in the Staff Client and the OPAC

2018-06-21 Thread bugzilla-daemon
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=13618

Jonathan Druart  changed:

   What|Removed |Added

 Blocks||20975


Referenced Bugs:

https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=20975
[Bug 20975] Improve auto escaping performance

[Koha-bugs] [Bug 13618] Prevent XSS in the Staff Client and the OPAC

2018-06-20 Thread bugzilla-daemon
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=13618

Jonathan Druart  changed:

   What|Removed |Added

  Attachment #59983|0   |1
is obsolete||

[Koha-bugs] [Bug 13618] Prevent XSS in the Staff Client and the OPAC

2018-06-20 Thread bugzilla-daemon
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=13618

Jonathan Druart  changed:

   What|Removed |Added

  Attachment #59987|0   |1
is obsolete||

[Koha-bugs] [Bug 13618] Prevent XSS in the Staff Client and the OPAC

2018-06-20 Thread bugzilla-daemon
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=13618

Jonathan Druart  changed:

   What|Removed |Added

  Attachment #59984|0   |1
is obsolete||

[Koha-bugs] [Bug 13618] Prevent XSS in the Staff Client and the OPAC

2018-06-20 Thread bugzilla-daemon
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=13618

Jonathan Druart  changed:

   What|Removed |Added

URL|https://github.com/joubu/Ko |https://gitlab.com/joubu/Ko
   |ha/tree/bug_13618   |ha/tree/bug_13618
 Status|ASSIGNED|Needs Signoff

--- Comment #217 from Jonathan Druart ---
Patches have been rebased, adjusted for master and pushed to
https://gitlab.com/joubu/Koha/tree/bug_13618

They do not deal with performance issues but are ready to be tested (to catch
missing .raw)

[Koha-bugs] [Bug 13618] Prevent XSS in the Staff Client and the OPAC

2018-06-20 Thread bugzilla-daemon
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=13618

Jonathan Druart  changed:

   What|Removed |Added

 Blocks|15771   |
   See Also||https://bugs.koha-community
   ||.org/bugzilla3/show_bug.cgi
   ||?id=15771


Referenced Bugs:

https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=15771
[Bug 15771] CGI::escapeHTML should not be used anymore

[Koha-bugs] [Bug 13618] Prevent XSS in the Staff Client and the OPAC

2018-01-09 Thread bugzilla-daemon
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=13618

George Williams (NEKLS)  changed:

   What|Removed |Added

 CC|gwilli...@nekls.org |geo...@nekls.org

[Koha-bugs] [Bug 13618] Prevent XSS in the Staff Client and the OPAC

2017-08-17 Thread bugzilla-daemon
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=13618

DEVINIM  changed:

   What|Removed |Added

 CC||kohadevi...@devinim.com.tr

[Koha-bugs] [Bug 13618] Prevent XSS in the Staff Client and the OPAC

2017-08-15 Thread bugzilla-daemon
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=13618

Jonathan Druart  changed:

   What|Removed |Added

   See Also||https://bugs.koha-community
   ||.org/bugzilla3/show_bug.cgi
   ||?id=19121

[Koha-bugs] [Bug 13618] Prevent XSS in the Staff Client and the OPAC

2017-02-07 Thread bugzilla-daemon
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=13618

Jonathan Druart  changed:

   What|Removed |Added

 Status|Needs Signoff   |ASSIGNED

[Koha-bugs] [Bug 13618] Prevent XSS in the Staff Client and the OPAC

2017-02-07 Thread bugzilla-daemon
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=13618

Jonathan Druart  changed:

   What|Removed |Added

  Attachment #47631|0   |1
is obsolete||

[Koha-bugs] [Bug 13618] Prevent XSS in the Staff Client and the OPAC

2017-02-07 Thread bugzilla-daemon
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=13618

Jonathan Druart  changed:

   What|Removed |Added

  Attachment #45785|0   |1
is obsolete||

[Koha-bugs] [Bug 13618] Prevent XSS in the Staff Client and the OPAC

2017-02-07 Thread bugzilla-daemon
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=13618

Jonathan Druart  changed:

   What|Removed |Added

  Attachment #45784|0   |1
is obsolete||

[Koha-bugs] [Bug 13618] Prevent XSS in the Staff Client and the OPAC

2017-02-07 Thread bugzilla-daemon
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=13618

--- Comment #216 from Jonathan Druart ---
Fun is coming back guys \o/

It seems that I got rid of the performance problem, see the second patch.

[Koha-bugs] [Bug 13618] Prevent XSS in the Staff Client and the OPAC

2017-02-07 Thread bugzilla-daemon
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=13618

--- Comment #215 from Jonathan Druart ---
Created attachment 59987
  -->
https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=59987&action=edit
Bug 13618: Specific for branches.opac_info

Forgot this one when I squashed the others.

[Koha-bugs] [Bug 13618] Prevent XSS in the Staff Client and the OPAC

2017-02-07 Thread bugzilla-daemon
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=13618

--- Comment #214 from Jonathan Druart ---
Created attachment 59984
  -->
https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=59984&action=edit
Bug 13618: Use a simplified version of Template::Stash::AutoEscaping

Koha::Template::Escape is a simple version of Template::Stash::AutoEscaping.
It seems that cleanly removing some pieces of Template::Stash::AutoEscaping
will bring us a large performance boost.

[Koha-bugs] [Bug 13618] Prevent XSS in the Staff Client and the OPAC

2017-02-07 Thread bugzilla-daemon
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=13618

Jonathan Druart  changed:

   What|Removed |Added

  Attachment #47425|0   |1
is obsolete||
  Attachment #47426|0   |1
is obsolete||
  Attachment #47427|0   |1
is obsolete||
  Attachment #47428|0   |1
is obsolete||
  Attachment #47429|0   |1
is obsolete||
  Attachment #47430|0   |1
is obsolete||
  Attachment #47431|0   |1
is obsolete||
  Attachment #47432|0   |1
is obsolete||
  Attachment #47433|0   |1
is obsolete||
  Attachment #47434|0   |1
is obsolete||
  Attachment #47435|0   |1
is obsolete||
  Attachment #47436|0   |1
is obsolete||
  Attachment #47437|0   |1
is obsolete||
  Attachment #47438|0   |1
is obsolete||
  Attachment #47439|0   |1
is obsolete||
  Attachment #47440|0   |1
is obsolete||
  Attachment #47441|0   |1
is obsolete||
  Attachment #47442|0   |1
is obsolete||
  Attachment #47443|0   |1
is obsolete||
  Attachment #47444|0   |1
is obsolete||
  Attachment #47445|0   |1
is obsolete||
  Attachment #47446|0   |1
is obsolete||
  Attachment #47447|0   |1
is obsolete||
  Attachment #47448|0   |1
is obsolete||
  Attachment #47449|0   |1
is obsolete||
  Attachment #47450|0   |1
is obsolete||
  Attachment #47451|0   |1
is obsolete||
  Attachment #47452|0   |1
is obsolete||

--- Comment #213 from Jonathan Druart ---
Created attachment 59983
  -->
https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=59983&action=edit
Bug 13618: Use Template::Stash::AutoEscaping to use the html filter

Test plan:
0/ sudo cpanm Template::Stash::AutoEscaping
1/ Verify you don't reproduce the XSS issue described on bug 13609 and other
XSS related bugs.
2/ Try to find some encoding issues (detail page, search results,
facets, etc.)

Signed-off-by: Signed-off-by: Joonas Kylmälä 

Signed-off-by: Bernardo Gonzalez Kriegel 

Bug 13618: Remove html filters at the OPAC

This patch removes the html filters at the OPAC, if necessary.

Generated with:
  perl -p -i -e 's/\ ?\|\ ?html(\ ?)%/\1%/g' **/*.tt **/*.inc

Signed-off-by: Signed-off-by: Joonas Kylmälä 

Signed-off-by: Bernardo Gonzalez Kriegel 

Bug 13618: Specific places where we don't need to escape variables

There is no need to escape the html generated by the XSLT.

Signed-off-by: Signed-off-by: Joonas Kylmälä 

Signed-off-by: Bernardo Gonzalez Kriegel 

Bug 13618: Remove html filters at the intranet

Signed-off-by: Signed-off-by: Joonas Kylmälä 

Signed-off-by: Bernardo Gonzalez Kriegel 

Bug 13618: Specific places where we don't need to escape variables - intra

Signed-off-by: Signed-off-by: Joonas Kylmälä 

Signed-off-by: Bernardo Gonzalez Kriegel 

Bug 13618: Specific for pagination_bar

Signed-off-by: Signed-off-by: Joonas Kylmälä 

Signed-off-by: Bernardo Gonzalez Kriegel 

Bug 13618: Specific for the ISBD view

Signed-off-by: Signed-off-by: Joonas Kylmälä 

Signed-off-by: Bernardo Gonzalez Kriegel 

Bug 13618: Fix error 'Not a GLOB reference'

The interpolation of a variable on including a file caused an unexpected
error:
Template process failed: undef error - Not a GLOB reference at
/usr/lib/i386-linux-gnu/perl5/5.20/Template/Provider.pm line 619.

The easier fix is to replace it with a SWITCH.

Signed-off-by: Signed-off-by: Joonas Kylmälä 

[Koha-bugs] [Bug 13618] Prevent XSS in the Staff Client and the OPAC

2017-02-07 Thread bugzilla-daemon
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=13618

Jonathan Druart  changed:

   What|Removed |Added

 Status|BLOCKED |Needs Signoff

[Koha-bugs] [Bug 13618] Prevent XSS in the Staff Client and the OPAC

2017-02-07 Thread bugzilla-daemon
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=13618

Martin Renvoize  changed:

   What|Removed |Added

 CC||martin.renvoize@ptfs-europe
   ||.com

--- Comment #212 from Martin Renvoize  ---
The approach here is correct in my opinion.. we should treat everything as
unsafe and thus escape it by default unless we've manually checked it and
marked as safe.

Yes, this will impact performance at first and highlight some especially nasty
areas of koha. We should use those highlights as a hitlist of areas to
concentrate on a) checking security and marking as safe when possible and b)
refactoring templates to more sparsely use variables when possible.

[Koha-bugs] [Bug 13618] Prevent XSS in the Staff Client and the OPAC

2016-08-02 Thread bugzilla-daemon
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=13618

Jonathan Druart  changed:

   What|Removed |Added

 Blocks|14568   |

[Koha-bugs] [Bug 13618] Prevent XSS in the Staff Client and the OPAC

2016-03-03 Thread bugzilla-daemon
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=13618

--- Comment #211 from Jonathan Druart ---
See bug 15715 for the cause of the revert.

[Koha-bugs] [Bug 13618] Prevent XSS in the Staff Client and the OPAC

2016-02-11 Thread bugzilla-daemon
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=13618

Brendan Gallagher  changed:

   What|Removed |Added

 Status|Pushed to Master|BLOCKED

--- Comment #210 from Brendan Gallagher  ---
Reverted from master.  Making Status as Blocked.  Jonathan please choose the
status you'd prefer for this bug.

[Koha-bugs] [Bug 13618] Prevent XSS in the Staff Client and the OPAC

2016-02-10 Thread bugzilla-daemon
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=13618

Jonathan Druart  changed:

   What|Removed |Added

   See Also||https://bugs.koha-community
   ||.org/bugzilla3/show_bug.cgi
   ||?id=15715

[Koha-bugs] [Bug 13618] Prevent XSS in the Staff Client and the OPAC

2016-02-09 Thread bugzilla-daemon
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=13618

Jonathan Druart  changed:

   What|Removed |Added

 Blocks||15771


Referenced Bugs:

https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=15771
[Bug 15771] CGI::escapeHTML should not be used anymore

[Koha-bugs] [Bug 13618] Prevent XSS in the Staff Client and the OPAC

2016-02-08 Thread bugzilla-daemon
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=13618

--- Comment #209 from Katrin Fischer  ---
Thx Julian!

[Koha-bugs] [Bug 13618] Prevent XSS in the Staff Client and the OPAC

2016-02-08 Thread bugzilla-daemon
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=13618

--- Comment #208 from Julian Maurice  ---
Package accepted into Debian unstable:
https://packages.debian.org/sid/libtemplate-stash-autoescaping-perl

[Koha-bugs] [Bug 13618] Prevent XSS in the Staff Client and the OPAC

2016-02-08 Thread bugzilla-daemon
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=13618

Jonathan Druart  changed:

   What|Removed |Added

 Blocks||15754


Referenced Bugs:

https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=15754
[Bug 15754] html tags displayed when editing frameworks

[Koha-bugs] [Bug 13618] Prevent XSS in the Staff Client and the OPAC

2016-02-08 Thread bugzilla-daemon
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=13618

Jonathan Druart  changed:

   What|Removed |Added

 Blocks||15734


Referenced Bugs:

https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=15734
[Bug 15734] Audio Alerts broken

[Koha-bugs] [Bug 13618] Prevent XSS in the Staff Client and the OPAC

2016-02-04 Thread bugzilla-daemon
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=13618

Jonathan Druart  changed:

   What|Removed |Added

 Blocks||15733


Referenced Bugs:

https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=15733
[Bug 15733] Audio Alerts issues in master

[Koha-bugs] [Bug 13618] Prevent XSS in the Staff Client and the OPAC

2016-02-03 Thread bugzilla-daemon
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=13618

Mirko Tietgen  changed:

   What|Removed |Added

 CC||mi...@abunchofthings.net

--- Comment #207 from Mirko Tietgen  ---
Created attachment 47631
  -->
https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=47631&action=edit
libtemplate-stash-autoescaping-perl_0.0303-1_all.deb

I built a package in Jessie, maybe it is useful for others too. It's attached.

[Koha-bugs] [Bug 13618] Prevent XSS in the Staff Client and the OPAC

2016-02-03 Thread bugzilla-daemon
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=13618

--- Comment #206 from Marcel de Rooy  ---
(In reply to Julian Maurice from comment #205)
> I started packaging this module.
> ITP bug: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=813574
> Git repo:
> https://anonscm.debian.org/cgit/pkg-perl/packages/libtemplate-stash-
> autoescaping-perl.git/

Great! Thx

[Koha-bugs] [Bug 13618] Prevent XSS in the Staff Client and the OPAC

2016-02-03 Thread bugzilla-daemon
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=13618

Julian Maurice  changed:

   What|Removed |Added

 CC||julian.maur...@biblibre.com

--- Comment #205 from Julian Maurice  ---
(In reply to Marcel de Rooy from comment #203)
> Note that this still needs attention in terms of (Debian) packaging.
> At first glance this module does not seem to be available in a Debian
> package.

I started packaging this module.
ITP bug: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=813574
Git repo:
https://anonscm.debian.org/cgit/pkg-perl/packages/libtemplate-stash-autoescaping-perl.git/

[Koha-bugs] [Bug 13618] Prevent XSS in the Staff Client and the OPAC

2016-02-02 Thread bugzilla-daemon
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=13618

Jonathan Druart  changed:

   What|Removed |Added

 Blocks||15717


Referenced Bugs:

https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=15717
[Bug 15717] Installer: Step 3 has  showing

[Koha-bugs] [Bug 13618] Prevent XSS in the Staff Client and the OPAC

2016-02-01 Thread bugzilla-daemon
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=13618

--- Comment #204 from Jonathan Druart ---
New test added to the QA script:

commit a9ddabb936a0a1539d01992908b3e6484b6d6466
The html filter is not needed anymore (see bug 13618)

[Koha-bugs] [Bug 13618] Prevent XSS in the Staff Client and the OPAC

2016-02-01 Thread bugzilla-daemon
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=13618

Marcel de Rooy  changed:

   What|Removed |Added

 CC||m.de.r...@rijksmuseum.nl

--- Comment #203 from Marcel de Rooy  ---
Great work!

Detail for patch: Use Template::Stash::AutoEscaping to use the html filter

Note that this still needs attention in terms of (Debian) packaging.
At first glance this module does not seem to be available in a Debian package.
Obviously, new perl dependencies should preferably be available already.



[Koha-bugs] [Bug 13618] Prevent XSS in the Staff Client and the OPAC

2016-01-29 Thread bugzilla-daemon
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=13618

Brendan Gallagher  changed:

   What|Removed |Added

 Status|Passed QA   |Pushed to Master

--- Comment #202 from Brendan Gallagher  ---
Pushed to Master - Should be in the May 2016 Release.  Thanks!  (we'll probably
have some more spots to work on this).  Great job though!



[Koha-bugs] [Bug 13618] Prevent XSS in the Staff Client and the OPAC

2016-01-29 Thread bugzilla-daemon
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=13618

Brendan Gallagher  changed:

   What|Removed |Added

 CC||bren...@bywatersolutions.com

--- Comment #201 from Brendan Gallagher  ---
(In reply to Jonathan Druart from comment #200)
> @RM: please don't squash these patches, it will be helpful to have the
> history if a regression if found later.

Will not squash :)



[Koha-bugs] [Bug 13618] Prevent XSS in the Staff Client and the OPAC

2016-01-29 Thread bugzilla-daemon
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=13618

Jonathan Druart  changed:

   What|Removed |Added

 Status|Patch doesn't apply |Passed QA

--- Comment #200 from Jonathan Druart ---
@RM: please don't squash these patches, it will be helpful to have the history
if a regression if found later.



[Koha-bugs] [Bug 13618] Prevent XSS in the Staff Client and the OPAC

2016-01-29 Thread bugzilla-daemon
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=13618

Jonathan Druart  changed:

   What|Removed |Added

  Attachment #46819|0   |1
is obsolete||

--- Comment #196 from Jonathan Druart ---
Created attachment 47449
  -->
https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=47449&action=edit
Bug 13618: Do not display html tags in patron's notices

Signed-off-by: Katrin Fischer 



[Koha-bugs] [Bug 13618] Prevent XSS in the Staff Client and the OPAC

2016-01-29 Thread bugzilla-daemon
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=13618

Jonathan Druart  changed:

   What|Removed |Added

  Attachment #46821|0   |1
is obsolete||

--- Comment #198 from Jonathan Druart ---
Created attachment 47451
  -->
https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=47451&action=edit
Bug 13618: (follow-up) Specific for other prefs

follow-up for SlipCSS and printslip

Signed-off-by: Katrin Fischer 



[Koha-bugs] [Bug 13618] Prevent XSS in the Staff Client and the OPAC

2016-01-29 Thread bugzilla-daemon
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=13618

Jonathan Druart  changed:

   What|Removed |Added

  Attachment #46820|0   |1
is obsolete||

--- Comment #197 from Jonathan Druart ---
Created attachment 47450
  -->
https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=47450&action=edit
Bug 13618: Fix for debarredcomment and patron messages

At the OPAC and intranet.

Signed-off-by: Katrin Fischer 



[Koha-bugs] [Bug 13618] Prevent XSS in the Staff Client and the OPAC

2016-01-29 Thread bugzilla-daemon
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=13618

Jonathan Druart  changed:

   What|Removed |Added

  Attachment #46818|0   |1
is obsolete||

--- Comment #195 from Jonathan Druart ---
Created attachment 47448
  -->
https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=47448&action=edit
Bug 13618: Do not display   and html tags in item fields content

Note that there might be other occurrences to fix!

Signed-off-by: Katrin Fischer 



[Koha-bugs] [Bug 13618] Prevent XSS in the Staff Client and the OPAC

2016-01-29 Thread bugzilla-daemon
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=13618

Jonathan Druart  changed:

   What|Removed |Added

  Attachment #46822|0   |1
is obsolete||

--- Comment #199 from Jonathan Druart ---
Created attachment 47452
  -->
https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=47452&action=edit
Bug 13618: Specific for branches.opac_info



[Koha-bugs] [Bug 13618] Prevent XSS in the Staff Client and the OPAC

2016-01-29 Thread bugzilla-daemon
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=13618

Jonathan Druart  changed:

   What|Removed |Added

  Attachment #46812|0   |1
is obsolete||

--- Comment #189 from Jonathan Druart ---
Created attachment 47442
  -->
https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=47442&action=edit
Bug 13618: followup to remove tabs

Signed-off-by: Bernardo Gonzalez Kriegel 
This followup on top of remote branch
Only remove tabs and trailing spaces to make koha-qa pass

Signed-off-by: Katrin Fischer 



[Koha-bugs] [Bug 13618] Prevent XSS in the Staff Client and the OPAC

2016-01-29 Thread bugzilla-daemon
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=13618

Jonathan Druart  changed:

   What|Removed |Added

  Attachment #46815|0   |1
is obsolete||

--- Comment #192 from Jonathan Druart ---
Created attachment 47445
  -->
https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=47445&action=edit
Bug 13618: (follow-up) add missing lines for opac-shelves

Proposed patch to fix opac-shelves

Signed-off-by: Jonathan Druart 

Signed-off-by: Katrin Fischer 



[Koha-bugs] [Bug 13618] Prevent XSS in the Staff Client and the OPAC

2016-01-29 Thread bugzilla-daemon
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=13618

Jonathan Druart  changed:

   What|Removed |Added

  Attachment #46817|0   |1
is obsolete||

--- Comment #194 from Jonathan Druart ---
Created attachment 47447
  -->
https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=47447&action=edit
Bug 13618: Fix for system preference description

If a syspref description contains html tags, do not display them

Signed-off-by: Katrin Fischer 



[Koha-bugs] [Bug 13618] Prevent XSS in the Staff Client and the OPAC

2016-01-29 Thread bugzilla-daemon
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=13618

Jonathan Druart  changed:

   What|Removed |Added

  Attachment #46813|0   |1
is obsolete||

--- Comment #190 from Jonathan Druart ---
Created attachment 47443
  -->
https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=47443&action=edit
Bug 13618: Fix for edit biblios and items

On editing biblios or items, the marc_lib, marc_value and javascript
values are often populated with html code which needs to be displayed
raw.

Signed-off-by: Bernardo Gonzalez Kriegel 

Signed-off-by: Katrin Fischer 



[Koha-bugs] [Bug 13618] Prevent XSS in the Staff Client and the OPAC

2016-01-29 Thread bugzilla-daemon
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=13618

Jonathan Druart  changed:

   What|Removed |Added

  Attachment #46808|0   |1
is obsolete||

--- Comment #185 from Jonathan Druart ---
Created attachment 47438
  -->
https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=47438&action=edit
Bug 13618: Specific for XSLTBloc

Signed-off-by: Signed-off-by: Joonas Kylmälä 

Signed-off-by: Bernardo Gonzalez Kriegel 

Signed-off-by: Katrin Fischer 


[Koha-bugs] [Bug 13618] Prevent XSS in the Staff Client and the OPAC

2016-01-29 Thread bugzilla-daemon
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=13618

Jonathan Druart  changed:

   What|Removed |Added

  Attachment #46816|0   |1
is obsolete||

--- Comment #193 from Jonathan Druart ---
Created attachment 47446
  -->
https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=47446&action=edit
Bug 13618: Remove html filters for newly pushed code

Signed-off-by: Katrin Fischer 



[Koha-bugs] [Bug 13618] Prevent XSS in the Staff Client and the OPAC

2016-01-29 Thread bugzilla-daemon
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=13618

Jonathan Druart  changed:

   What|Removed |Added

  Attachment #46809|0   |1
is obsolete||

--- Comment #186 from Jonathan Druart ---
Created attachment 47439
  -->
https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=47439&action=edit
Bug 13618: Fix escape on sending baskets or shelves by email

Test plan:
Send baskets and shelves by email.
With or without this patch, you should not see any changes.

Signed-off-by: Signed-off-by: Joonas Kylmälä 

Signed-off-by: Bernardo Gonzalez Kriegel 

Signed-off-by: Katrin Fischer 


[Koha-bugs] [Bug 13618] Prevent XSS in the Staff Client and the OPAC

2016-01-29 Thread bugzilla-daemon
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=13618

Jonathan Druart  changed:

   What|Removed |Added

  Attachment #46810|0   |1
is obsolete||

--- Comment #187 from Jonathan Druart ---
Created attachment 47440
  -->
https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=47440&action=edit
Bug 13618: Fix for news

Signed-off-by: Signed-off-by: Joonas Kylmälä 

Signed-off-by: Bernardo Gonzalez Kriegel 

Signed-off-by: Katrin Fischer 


[Koha-bugs] [Bug 13618] Prevent XSS in the Staff Client and the OPAC

2016-01-29 Thread bugzilla-daemon
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=13618

Jonathan Druart  changed:

   What|Removed |Added

  Attachment #46814|0   |1
is obsolete||

--- Comment #191 from Jonathan Druart ---
Created attachment 47444
  -->
https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=47444&action=edit
Bug 13618: (follow-up) Specific for ColumnsSettings

Signed-off-by: Bernardo Gonzalez Kriegel 

Signed-off-by: Katrin Fischer 


