[Koha-bugs] [Bug 13618] Prevent XSS in the Staff Client and the OPAC
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=13618

--- Comment #256 from Nick Clemens ---
*** Bug 20869 has been marked as a duplicate of this bug. ***

-- 
You are receiving this mail because:
You are watching all bug changes.
___
Koha-bugs mailing list
Koha-bugs@lists.koha-community.org
http://lists.koha-community.org/cgi-bin/mailman/listinfo/koha-bugs
website : http://www.koha-community.org/
git : http://git.koha-community.org/
bugs : http://bugs.koha-community.org/
[Koha-bugs] [Bug 13618] Prevent XSS in the Staff Client and the OPAC
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=13618

--- Comment #257 from Nick Clemens ---
*** Bug 20870 has been marked as a duplicate of this bug. ***
[Koha-bugs] [Bug 13618] Prevent XSS in the Staff Client and the OPAC
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=13618

--- Comment #255 from Nick Clemens ---
*** Bug 20871 has been marked as a duplicate of this bug. ***
[Koha-bugs] [Bug 13618] Prevent XSS in the Staff Client and the OPAC
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=13618

--- Comment #254 from Nick Clemens ---
*** Bug 20872 has been marked as a duplicate of this bug. ***
[Koha-bugs] [Bug 13618] Prevent XSS in the Staff Client and the OPAC
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=13618

Nick Clemens changed:
  What | Removed | Added
  CC   |         | amitddng...@gmail.com

--- Comment #252 from Nick Clemens ---
*** Bug 20874 has been marked as a duplicate of this bug. ***
[Koha-bugs] [Bug 13618] Prevent XSS in the Staff Client and the OPAC
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=13618

--- Comment #253 from Nick Clemens ---
*** Bug 20873 has been marked as a duplicate of this bug. ***
[Koha-bugs] [Bug 13618] Prevent XSS in the Staff Client and the OPAC
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=13618

Owen Leonard changed:
  What   | Removed | Added
  Blocks |         | 21418

Referenced Bugs:
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=21418
[Bug 21418] Incorrectly filtered markup in staff client lists
[Koha-bugs] [Bug 13618] Prevent XSS in the Staff Client and the OPAC
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=13618

--- Comment #251 from Nick Clemens ---
Created attachment 79404
--> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=79404&action=edit
Bug 13618: (follow-up) Pass opacuser_js from plugins as raw

We expect this field to contain script tags, html processing breaks them
[Koha-bugs] [Bug 13618] Prevent XSS in the Staff Client and the OPAC
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=13618

Jonathan Druart changed:
  What   | Removed | Added
  Blocks |         | 21393

Referenced Bugs:
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=21393
[Bug 21393] Make template filter checks code reusable
[Koha-bugs] [Bug 13618] Prevent XSS in the Staff Client and the OPAC
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=13618

Jonathan Druart changed:
  What   | Removed | Added
  Blocks |         | 21347

Referenced Bugs:
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=21347
[Bug 21347] bad code for input field in item information tab of addorderiso2709 page
[Koha-bugs] [Bug 13618] Prevent XSS in the Staff Client and the OPAC
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=13618

--- Comment #250 from Marcel de Rooy ---
Lesson pasted from bug 21293:

All occurrences of [% var = something | html %] are error prone. If something is not a string, but an object, array, hash etc., we are in trouble.

This probably needs more attention since we are passing objects to templates in more scripts.
[Koha-bugs] [Bug 13618] Prevent XSS in the Staff Client and the OPAC
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=13618

--- Comment #249 from Nick Clemens ---
(In reply to Jonathan Druart from comment #248)
> Created attachment 78415 [details] [review]
> Bug 13618: Do not use html filters with KohaSpan
>
> To recreate the issue:
> Go to Home › Administration › Library groups
> Create a new group
> "Group xxx created."
>
> Signed-off-by: Jonathan Druart

Followup pushed to master
[Koha-bugs] [Bug 13618] Prevent XSS in the Staff Client and the OPAC
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=13618

--- Comment #248 from Jonathan Druart ---
Created attachment 78415
--> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=78415&action=edit
Bug 13618: Do not use html filters with KohaSpan

To recreate the issue:
Go to Home › Administration › Library groups
Create a new group
"Group xxx created."

Signed-off-by: Jonathan Druart
[Koha-bugs] [Bug 13618] Prevent XSS in the Staff Client and the OPAC
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=13618

Owen Leonard changed:
  What   | Removed | Added
  Blocks |         | 21293

Referenced Bugs:
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=21293
[Bug 21293] Display of housebound delivery information broken by Bug 13618
[Koha-bugs] [Bug 13618] Prevent XSS in the Staff Client and the OPAC
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=13618

--- Comment #247 from Nick Clemens ---
(In reply to Jonathan Druart from comment #245)
> Created attachment 78274 [details] [review]
> Bug 13618: (follow-up) Add html filters to all the variables

Followup pushed to master
[Koha-bugs] [Bug 13618] Prevent XSS in the Staff Client and the OPAC
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=13618

Jonathan Druart changed:
  What   | Removed | Added
  Blocks |         | 21279

Referenced Bugs:
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=21279
[Bug 21279] Transport cost matrix shows html entity in all empty cells
[Koha-bugs] [Bug 13618] Prevent XSS in the Staff Client and the OPAC
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=13618

--- Comment #246 from Jonathan Druart ---
Thanks Ere for reporting it!
[Koha-bugs] [Bug 13618] Prevent XSS in the Staff Client and the OPAC
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=13618

--- Comment #245 from Jonathan Druart ---
Created attachment 78274
--> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=78274&action=edit
Bug 13618: (follow-up) Add html filters to all the variables
[Koha-bugs] [Bug 13618] Prevent XSS in the Staff Client and the OPAC
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=13618

Ere Maijala changed:
  What | Removed | Added
  CC   |         | ere.maij...@helsinki.fi

--- Comment #244 from Ere Maijala ---
Looks like escaping was added also to places where it doesn't belong. The examples I stumbled on were just setting a variable:

https://github.com/Koha-Community/Koha/blob/master/koha-tmpl/intranet-tmpl/prog/en/modules/catalogue/detail.tt#L328
and
https://github.com/Koha-Community/Koha/blob/master/koha-tmpl/intranet-tmpl/prog/en/modules/catalogue/detail.tt#L330
[Koha-bugs] [Bug 13618] Prevent XSS in the Staff Client and the OPAC
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=13618

--- Comment #243 from Nick Clemens ---
(In reply to Jonathan Druart from comment #242)
> Created attachment 78158 [details] [review]
> Bug 13618: (follow-up) Manually replace missing .raw
>
> Must be |$raw, not |raw
>
> Error:
> Template process failed: undef error - raw: filter not found at
> /home/vagrant/kohaclone/C4/Templates.pm line 122
>
> To recreate:
> Add a new restriction and visit circulation.pl?borrowernumber=42

Followup pushed to master
[Koha-bugs] [Bug 13618] Prevent XSS in the Staff Client and the OPAC
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=13618

--- Comment #242 from Jonathan Druart ---
Created attachment 78158
--> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=78158&action=edit
Bug 13618: (follow-up) Manually replace missing .raw

Must be |$raw, not |raw

Error:
Template process failed: undef error - raw: filter not found at /home/vagrant/kohaclone/C4/Templates.pm line 122

To recreate:
Add a new restriction and visit circulation.pl?borrowernumber=42
[Koha-bugs] [Bug 13618] Prevent XSS in the Staff Client and the OPAC
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=13618

Nick Clemens changed:
  What   | Removed | Added
  Blocks |         | 21257

Referenced Bugs:
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=21257
[Bug 21257] Patrons checkout table throws JS error when location/collection not defined
[Koha-bugs] [Bug 13618] Prevent XSS in the Staff Client and the OPAC
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=13618

--- Comment #241 from Jonathan Druart ---
Coding guidelines: https://wiki.koha-community.org/wiki/Coding_Guidelines#HTML9:_filter_all_the_variables
[Koha-bugs] [Bug 13618] Prevent XSS in the Staff Client and the OPAC
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=13618

--- Comment #240 from Nick Clemens ---
(In reply to Jonathan Druart from comment #239)
> Created attachment 77998 [details] [review]
> Bug 13618: Fix xt/tt_valid.t
>
> We are going to say it quietly but this test does not catch the problem
> when there are no spaces
>
> Signed-off-by: Jonathan Druart

Followup pushed to master
[Koha-bugs] [Bug 13618] Prevent XSS in the Staff Client and the OPAC
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=13618

Jonathan Druart changed:
  What                          | Removed | Added
  Attachment #77997 is obsolete | 0       | 1

--- Comment #239 from Jonathan Druart ---
Created attachment 77998
--> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=77998&action=edit
Bug 13618: Fix xt/tt_valid.t

We are going to say it quietly but this test does not catch the problem when there are no spaces

Signed-off-by: Jonathan Druart
[Koha-bugs] [Bug 13618] Prevent XSS in the Staff Client and the OPAC
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=13618

--- Comment #238 from Jonathan Druart ---
Created attachment 77997
--> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=77997&action=edit
Bug 13618: Remove filter when assigning array
[Koha-bugs] [Bug 13618] Prevent XSS in the Staff Client and the OPAC
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=13618

Nick Clemens changed:
  What   | Removed   | Added
  CC     |           | n...@bywatersolutions.com
  Status | Passed QA | Pushed to Master

--- Comment #237 from Nick Clemens ---
Awesome work all, special thanks to Jonathan for working on this one for so long and to everyone who helped along the way.

Pushed to master for 18.11
[Koha-bugs] [Bug 13618] Prevent XSS in the Staff Client and the OPAC
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=13618

--- Comment #236 from Jonathan Druart ---
Created attachment 77809
--> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=77809&action=edit
patches_to_be_pushed.tar.gz

For reference.
[Koha-bugs] [Bug 13618] Prevent XSS in the Staff Client and the OPAC
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=13618

Jonathan Druart changed:
  What   | Removed    | Added
  Status | Signed Off | Passed QA
[Koha-bugs] [Bug 13618] Prevent XSS in the Staff Client and the OPAC
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=13618

Jonathan Druart changed:
  What     | Removed    | Added
  Keywords | dependency |

--- Comment #235 from Jonathan Druart ---
The two patches used to build this patchset and test it have been attached to this bug report. Others are not as the first one is too big (413 Request Entity Too Large).

Martin's Signed-off-by lines have been added to my remove branch and the "DO NOT PUSH" patches removed.
[Koha-bugs] [Bug 13618] Prevent XSS in the Staff Client and the OPAC
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=13618

Jonathan Druart changed:
  What   | Removed       | Added
  Status | Needs Signoff | Signed Off
[Koha-bugs] [Bug 13618] Prevent XSS in the Staff Client and the OPAC
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=13618

--- Comment #234 from Jonathan Druart ---
Created attachment 77808
--> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=77808&action=edit
Bug 13618: [DO NOT PUSH] Add script to add the html filters

Usage:
perl add_html_filters.pl **/*.inc **/*.tt

It also takes --test for debugging

Then:
git grep Asset|grep -v USE | grep -v '| $raw'
=> We should deal with them on a separate commit

Signed-off-by: Owen Leonard
Signed-off-by: Martin Renvoize
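The two template checks this thread keeps coming back to are (a) a variable printed with no escaping filter, which comment #239 notes the original xt/tt_valid.t missed when the directive was written without spaces, and (b) a filter applied on an assignment, which comment #250 warns stringifies the object, array or hash being assigned. The following is an added example, not Koha's xt/tt_valid.t or add_html_filters.pl: a small JavaScript lint over Template Toolkit source that reports both cases. The directive keyword list, the set of filters it accepts as an explicit output decision, and the sample template are assumptions made for the example.

```javascript
// Added example, not Koha code: lint Template Toolkit source for the two
// filter mistakes discussed in bug 13618.

// TT keywords that open a directive rather than print a value (assumed list).
const DIRECTIVE_RE = new RegExp(
  '^(IF|ELSIF|ELSE|END|UNLESS|FOREACH|FOR|WHILE|SWITCH|CASE|USE|INCLUDE|' +
  'PROCESS|INSERT|BLOCK|WRAPPER|SET|GET|DEFAULT|FILTER|MACRO|CALL|TRY|CATCH|' +
  'FINAL|THROW|NEXT|LAST|RETURN|STOP|CLEAR|META|TAGS|DEBUG|PERL|RAWPERL)\\b'
);

// Filters accepted as an explicit output decision: an escaping filter, or the
// deliberate "$raw" opt-out marking a field known to contain HTML.
const OUTPUT_FILTER_RE = /\|\s*(\$raw|html_entity|html|uri|url)\b/;

// An assignment "[% name = expr %]" (a single "=", not "==").
const ASSIGNMENT_RE = /^[\w.]+\s*=(?!=)/;

// Every [% ... %] tag, with or without whitespace or chomp markers, so that
// "[%var%]" is matched as well as "[% var %]".
const TAG_RE = /\[%-?\s*([\s\S]*?)\s*-?%\]/g;

function lintTemplate(source) {
  const findings = [];
  let m;
  TAG_RE.lastIndex = 0;
  while ((m = TAG_RE.exec(source)) !== null) {
    const body = m[1].trim();
    const line = source.slice(0, m.index).split('\n').length;
    // Comments and control-flow directives do not print anything.
    if (body === '' || body.startsWith('#') || DIRECTIVE_RE.test(body)) continue;
    if (ASSIGNMENT_RE.test(body)) {
      // "[% x = something | html %]" stringifies `something`: if it was an
      // object, array or hash, `x` now holds escaped text, not the structure.
      if (body.includes('|')) findings.push({ line, kind: 'filtered-assignment', directive: body });
    } else if (!OUTPUT_FILTER_RE.test(body)) {
      // Printed straight to the page with no escaping filter.
      findings.push({ line, kind: 'missing-filter', directive: body });
    }
  }
  return findings;
}

// Constructed sample template (not from Koha) mixing correct and incorrect cases.
const SAMPLE_TEMPLATE = [
  '[% USE raw %]',
  '[% FOREACH library IN libraries %]',
  '  <td>[% library.branchname | html %]</td>',
  '  <td>[% library.opac_info | $raw %]</td>',
  '  <td>[%library.branchcode%]</td>',
  '  <td>[% library.branchaddress1 %]</td>',
  '[% END %]',
  '[% item_list = items | html %]',
  '[% SET page_title = record.title %]',
].join('\n');

function formatFindings(findings) {
  return findings.map((f) => `line ${f.line}: ${f.kind}: [% ${f.directive} %]`);
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(formatFindings(lintTemplate(SAMPLE_TEMPLATE)).join('\n'));
}
```

Run against the sample it reports the two unfiltered cells (lines 5 and 6, one of them the no-space form) and the filtered assignment on line 8, and stays quiet about the `$raw` cell, the `USE`/`FOREACH`/`SET` directives and the filtered cell. The lint is textual: it cannot know whether a variable holds a string or a structure, so a filtered assignment is reported for a human to look at rather than rewritten, and a `$raw` is accepted as deliberate, which is exactly why the thread insists on `$raw` being explicit.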
[Koha-bugs] [Bug 13618] Prevent XSS in the Staff Client and the OPAC
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=13618

Jonathan Druart changed:
  What                          | Removed | Added
  Attachment #77806 is obsolete | 0       | 1

--- Comment #233 from Jonathan Druart ---
Created attachment 77807
--> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=77807&action=edit
Bug 13618: [DO NOT PUSH] have fun

In order to generate quickly a lot of relevant data I have modified a bit TestBuilder->_gen_text to insert
[Koha-bugs] [Bug 13618] Prevent XSS in the Staff Client and the OPAC
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=13618

--- Comment #232 from Martin Renvoize ---
I was going to upload the patches for you Nick, but it turns out some of them are too large for bugzilla so Jonathan is adding my signoff lines to his tracking branch on gitlab ;)

Note, bug 15717 is rolled into this branch patchset.. it all checks out too ;)
[Koha-bugs] [Bug 13618] Prevent XSS in the Staff Client and the OPAC
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=13618

Jonathan Druart changed:
  What                          | Removed | Added
  Attachment #77805 is obsolete | 0       | 1

--- Comment #231 from Jonathan Druart ---
Created attachment 77806
--> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=77806&action=edit
Bug 13618: [DO NOT PUSH] have fun

In order to generate quickly a lot of relevant data I have modified a bit TestBuilder->_gen_text to insert
[Koha-bugs] [Bug 13618] Prevent XSS in the Staff Client and the OPAC
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=13618

Jonathan Druart changed:
  What   | Removed   | Added
  Status | Passed QA | Needs Signoff
[Koha-bugs] [Bug 13618] Prevent XSS in the Staff Client and the OPAC
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=13618

Martin Renvoize changed:
  What                          | Removed | Added
  Attachment #77804 is obsolete | 0       | 1

--- Comment #230 from Martin Renvoize ---
Created attachment 77805
--> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=77805&action=edit
Bug 13618: [DO NOT PUSH] have fun

In order to generate quickly a lot of relevant data I have modified a bit TestBuilder->_gen_text to insert
[Koha-bugs] [Bug 13618] Prevent XSS in the Staff Client and the OPAC
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=13618

--- Comment #229 from Martin Renvoize ---
Created attachment 77804
--> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=77804&action=edit
Bug 13618: [DO NOT PUSH] have fun

In order to generate quickly a lot of relevant data I have modified a bit TestBuilder->_gen_text to insert
[Koha-bugs] [Bug 13618] Prevent XSS in the Staff Client and the OPAC
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=13618

Martin Renvoize changed:
  What   | Removed    | Added
  Status | Signed Off | Passed QA

--- Comment #228 from Martin Renvoize ---
I've spent a few hours with this one this evening...

The QA script raises a few warnings, but I think they're false positives or pre-existing issues in all cases at this point.

I'm sure there will be issues with a patchset of this magnitude, but I am confident we will correct them before release and that they would not be caught at this point by delaying any further.

** Passing QA **
[Koha-bugs] [Bug 13618] Prevent XSS in the Staff Client and the OPAC
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=13618

--- Comment #227 from Jonathan Druart ---
(In reply to Owen Leonard from comment #226)
> I have tested this to the best of my ability and found it to be working!
>
> ** Signed off **

Signed-off-by lines added to the remote branch, thanks for testing!

I also have rebased the remote branch against master.
[Koha-bugs] [Bug 13618] Prevent XSS in the Staff Client and the OPAC
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=13618

Owen Leonard changed:
  What   | Removed       | Added
  Status | Needs Signoff | Signed Off

--- Comment #226 from Owen Leonard ---
I have tested this to the best of my ability and found it to be working!

** Signed off **
[Koha-bugs] [Bug 13618] Prevent XSS in the Staff Client and the OPAC
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=13618

Jonathan Druart changed:
  What   | Removed   | Added
  Status | Failed QA | Needs Signoff

--- Comment #225 from Jonathan Druart ---
(In reply to Owen Leonard from comment #224)
> Found two more issues:
>
> - The branches table is alerting something on ILL requests -> New request

This comes from ILL backends (not in Koha).

> - IntranetUserJS incorrectly outputs encoded HTML entities

Fixed in a new patch.
[Koha-bugs] [Bug 13618] Prevent XSS in the Staff Client and the OPAC
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=13618

Owen Leonard changed:
  What   | Removed       | Added
  Status | Needs Signoff | Failed QA

--- Comment #224 from Owen Leonard ---
Found two more issues:

- The branches table is alerting something on ILL requests -> New request
- IntranetUserJS incorrectly outputs encoded HTML entities
[Koha-bugs] [Bug 13618] Prevent XSS in the Staff Client and the OPAC
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=13618

Jonathan Druart changed:
  What   | Removed   | Added
  Status | Failed QA | Needs Signoff

--- Comment #222 from Jonathan Druart ---
(In reply to Owen Leonard from comment #221)
> I did what I hope was a fairly thorough test of the staff client and found
> these issues:
>
> - IntranetCirculationHomeHTML displays HTML tags as text

Done, specific patch for this pref.

> - Patron title include showing HTML: class="patron-title">Mr

Done, see specific patch.

> - Patron details -> Holds tab: Alerts data from the branches table

Done, that was tricky and a part I forgot, we need to escape data using JS, see String.prototype.escapeHtml

> - Search results page layout is broken. Looks like page-numbers.inc has a
> section missing.

Ooops, wrong merge conflict resolution.

> - Crazy encoding of action buttons on Lists page
> - Incorrectly escaped HTML in Notices & slips list

Both fixed now.

> - Label batch list title encoding wrong
> - Spine label print shows HTML

Fixed but follow-ups needed (TODO LATER)

> - Administration -> Libraries: Alerts data from the branches table

It comes from opac_info, which can contain html characters.
See admin/branches.tt: library.opac_info is not escaped (" | $raw")

> - Administration -> Item types: Alerts data from the items table

Same as before for itemtype.checkinmsg. I have added a patch for the missing $raw filter to make it explicit.

> - Item searching broken: "Unsupported format html at
> /home/vagrant/kohaclone/catalogue/itemsearch.pl line 42."

Done, that was a hard one!
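Comment #222 makes the point that a template-side `| html` filter does not help once the data is handed to client-side JavaScript that builds markup itself (the Holds tab case): the escaping has to happen in JS at the moment the value is put into HTML. The following is an added example, not Koha's String.prototype.escapeHtml or any Koha template code: a plain `escapeHtml` function with the vulnerable string-building pattern next to its hardened form. The function names, the row layout and the sample rows are assumptions made for the example; the second sample row stands in for a library record whose name carries attacker-controlled markup.

```javascript
// Added example, not Koha code: escape data in JavaScript before it is placed
// into HTML built on the client. Sample rows are constructed for the example.

const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Escape a value for an HTML text node or a quoted attribute value. Ampersand
// is escaped too, so text that already contains entities is not altered by a
// later decode.
function escapeHtml(value) {
  return String(value === null || value === undefined ? '' : value)
    .replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Constructed sample: rows as they might arrive in a JSON blob embedded in the
// page. The second branchname is attacker-controlled content.
const SAMPLE_BRANCHES = [
  { branchcode: 'CPL', branchname: 'Centerville' },
  { branchcode: 'XSS', branchname: '<img src=x onerror="alert(document.cookie)">' },
];

// Vulnerable pattern: raw data concatenated straight into markup.
function renderRowUnsafe(branch) {
  return `<tr><td>${branch.branchcode}</td><td>${branch.branchname}</td></tr>`;
}

// Hardened pattern: every interpolated value goes through escapeHtml, the one
// used inside an attribute included.
function renderRowSafe(branch) {
  const code = escapeHtml(branch.branchcode);
  const name = escapeHtml(branch.branchname);
  return `<tr data-code="${code}"><td>${code}</td><td>${name}</td></tr>`;
}

function renderTable(branches, renderRow) {
  return `<table>${branches.map(renderRow).join('')}</table>`;
}

// Regression check: true when a value containing angle brackets survives
// verbatim in the rendered HTML, i.e. markup leaked from data into the page.
function leaksMarkup(html, branches) {
  return branches.some((b) => /[<>]/.test(b.branchname) && html.includes(b.branchname));
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log('unsafe leaks markup:', leaksMarkup(renderTable(SAMPLE_BRANCHES, renderRowUnsafe), SAMPLE_BRANCHES));
  console.log('safe leaks markup:  ', leaksMarkup(renderTable(SAMPLE_BRANCHES, renderRowSafe), SAMPLE_BRANCHES));
}
```

Where the code has a DOM available, setting `textContent` or using `createTextNode` avoids the string escape entirely; the escape function is for the cases this thread is about, where a library such as DataTables is given an HTML string to render. The escape shown is for HTML text and attribute contexts only; a value dropped into a `<script>` block, a URL or a CSS property needs the escaping of that context instead.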
[Koha-bugs] [Bug 13618] Prevent XSS in the Staff Client and the OPAC
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=13618

Owen Leonard changed:
  What   | Removed       | Added
  Status | Needs Signoff | Failed QA

--- Comment #221 from Owen Leonard ---
I did what I hope was a fairly thorough test of the staff client and found these issues:

- IntranetCirculationHomeHTML displays HTML tags as text
- Patron title include showing HTML: Mr
- Patron details -> Holds tab: Alerts data from the branches table
- Search results page layout is broken. Looks like page-numbers.inc has a section missing.
- Crazy encoding of action buttons on Lists page
- Incorrectly escaped HTML in Notices & slips list
- Label batch list title encoding wrong
- Spine label print shows HTML
- Administration -> Libraries: Alerts data from the branches table
- Administration -> Item types: Alerts data from the items table
- Item searching broken: "Unsupported format html at /home/vagrant/kohaclone/catalogue/itemsearch.pl line 42."
--- Comment #220 from Martin Renvoize ---
Looks to be going along the right lines to me, I like the approach and can see it leading to a much better base to start with.

Maintaining it going forward is the next challenge.. hopefully some carefully placed git hooks could help there, or adding some logic to the qa script to try and catch them?

I've also often wondered about having a community arachni server (or some other automated penetration testing system) set up and hitting a clone of master regularly... think I've brought that idea up before but didn't have the time to pursue it.
--- Comment #219 from Jonathan Druart ---
I am back!

Next version has been pushed to the remote branch - https://gitlab.com/joubu/Koha/commits/bug_13618

Here is the commit message of the main patch:

  As we did not fix the performance issue when autofiltering the variables (see bug 20975), the only solution we have is to add the filters explicitly.

  This patch has been autogenerated (using add_html_filters.pl, see next patches) and adds the html filter to all the variables displayed in the template.

  Exceptions are made (using the new 'raw' TT filter) for the variables we already listed in the previous versions of this patch.

  To test:
  - Use t/db_dependent/Koha/Patrons.t to populate your DB with autogenerated data which contain
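An added example (not Koha's add_html_filters.pl or its QA script, neither of which is on this page) of the rule the commit message above and comment #222 describe: flag every displayed TT variable that carries no explicit html filter, treat "| $raw" as a deliberate, reviewed opt-out, and optionally append "| html" the way the autogenerated patch did. The function names, the keyword and filter tables, and the sample template are constructed for this example.

```python
"""Lint Template Toolkit files for output directives that lack an explicit
"| html" filter, and add the filter where it is missing.

Added example, not Koha's add_html_filters.pl or its QA script. The rule
mirrors the commit message above: every displayed [% variable %] must carry
"| html", except where it is deliberately marked "| $raw" (the opt-out the
patch introduces) or already produces encoded output (uri/url). Directives
that print nothing (IF, FOREACH, INCLUDE, SET, assignments, comments) are
left alone. Assumption: filters are chained with "|" outside quoted strings.
"""
import re

# TT directives that produce no output and therefore need no filter.
CONTROL_KEYWORDS = {
    "IF", "ELSIF", "ELSE", "UNLESS", "END", "FOREACH", "FOR", "WHILE",
    "SWITCH", "CASE", "INCLUDE", "PROCESS", "BLOCK", "SET", "DEFAULT", "USE",
    "CALL", "WRAPPER", "MACRO", "FILTER", "TRY", "CATCH", "FINAL", "THROW",
    "RETURN", "STOP", "LAST", "NEXT", "BREAK", "TAGS", "META", "INSERT",
    "DEBUG", "PERL", "RAWPERL",
}

# Filters that leave the directive safe to render as-is.  "$raw" is the
# explicit "reviewed, trusted HTML" marker used by the patch.
SAFE_FILTERS = {"html", "$raw", "uri", "url"}

# [% body %] with optional whitespace-chomping dashes: [%- body -%]
DIRECTIVE_RE = re.compile(r"\[%(-?)(.*?)(-?)%\]", re.DOTALL)


def filter_names(body):
    """Names of the filters chained onto a directive body.

    'x | truncate(20) | html' -> ['truncate', 'html'].
    """
    names = []
    for part in body.split("|")[1:]:
        part = part.strip()
        if part:
            names.append(re.split(r"[\s(]", part, maxsplit=1)[0])
    return names


def is_output_directive(body):
    """True if the directive prints a value into the page."""
    body = body.strip()
    if not body or body.startswith("#"):          # [%# comment %]
        return False
    first = re.match(r"[A-Za-z_$][\w.$]*", body)
    if first and first.group(0) in CONTROL_KEYWORDS:
        return False
    if re.match(r"[\w.$]+\s*=(?!=)", body):       # [% foo = bar %] assigns only
        return False
    return True


def needs_html_filter(body):
    """True if the directive prints a value and none of its filters is safe."""
    return is_output_directive(body) and not (
        set(filter_names(body)) & SAFE_FILTERS)


def find_unfiltered(template):
    """Return [(line_number, directive_text)] for every unescaped output."""
    hits = []
    for m in DIRECTIVE_RE.finditer(template):
        if needs_html_filter(m.group(2)):
            line = template.count("\n", 0, m.start()) + 1
            hits.append((line, m.group(0)))
    return hits


def add_html_filters(template):
    """Append '| html' to every flagged directive, keeping chomp markers."""
    def fix(m):
        lchomp, body, rchomp = m.groups()
        if not needs_html_filter(body):
            return m.group(0)
        return f"[%{lchomp} {body.strip()} | html {rchomp}%]"
    return DIRECTIVE_RE.sub(fix, template)


# Constructed sample modelled on the cases discussed in the thread:
# a library notice marked $raw on purpose, and a patron title and an
# item-type check-in message displayed without any filter.
SAMPLE_TT = """[% USE raw %]
[% INCLUDE 'doc-head-open.inc' %]
<h1>[% library.branchname | html %]</h1>
<div class="alert">[% library.opac_info | $raw %]</div>
[% IF patron.title %]<span class="patron-title">[% patron.title %]</span>[% END %]
[% FOREACH itemtype IN itemtypes %]
  <td>[% itemtype.checkinmsg %]</td>
[% END %]
[%# old: borrower.surname %]
[% SET count = items.size %]
<p>[% count | html %] items; <a href="[% url | uri %]">link</a></p>
"""

if __name__ == "__main__":
    for line, directive in find_unfiltered(SAMPLE_TT):
        print(f"line {line}: {directive} has no html filter")
    print(add_html_filters(SAMPLE_TT))
```

Running it on the sample reports the two unfiltered directives (lines 5 and 7) and leaves the `$raw` opt-out untouched, which is the review surface a QA hook would want to see.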
--- Comment #218 from Jonathan Druart ---
(In reply to Jonathan Druart from comment #217)
> Patches have been rebased, adjusted for master and pushed to
> https://gitlab.com/joubu/Koha/tree/bug_13618
>
> They do not deal with performance issues but are ready to be tested (to
> catch missing .raw)

No need to test if we do not have a solution on bug 20975.
Jonathan Druart changed:
  Blocks: added 20975

Referenced Bugs:
  https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=20975 [Bug 20975] Improve auto escaping performance

Jonathan Druart changed:
  Attachment #59983 is obsolete: 0 -> 1

Jonathan Druart changed:
  Attachment #59987 is obsolete: 0 -> 1

Jonathan Druart changed:
  Attachment #59984 is obsolete: 0 -> 1
Jonathan Druart changed:
  URL: https://github.com/joubu/Koha/tree/bug_13618 -> https://gitlab.com/joubu/Koha/tree/bug_13618
  Status: ASSIGNED -> Needs Signoff

--- Comment #217 from Jonathan Druart ---
Patches have been rebased, adjusted for master and pushed to https://gitlab.com/joubu/Koha/tree/bug_13618

They do not deal with performance issues but are ready to be tested (to catch missing .raw)
Jonathan Druart changed:
  Blocks: removed 15771
  See Also: added https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=15771

Referenced Bugs:
  https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=15771 [Bug 15771] CGI::escapeHTML should not be used anymore

George Williams (NEKLS) changed:
  CC: gwilli...@nekls.org -> geo...@nekls.org

DEVINIM changed:
  CC: added kohadevi...@devinim.com.tr

Jonathan Druart changed:
  See Also: added https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=19121

Jonathan Druart changed:
  Status: Needs Signoff -> ASSIGNED

Jonathan Druart changed:
  Attachment #47631 is obsolete: 0 -> 1

Jonathan Druart changed:
  Attachment #45785 is obsolete: 0 -> 1

Jonathan Druart changed:
  Attachment #45784 is obsolete: 0 -> 1
--- Comment #216 from Jonathan Druart ---
Fun is coming back guys \o/

It seems that I got rid of the performance problem, see the second patch.
--- Comment #215 from Jonathan Druart ---
Created attachment 59987 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=59987&action=edit
Bug 13618: Specific for branches.opac_info

Forgot this one when I squashed the others.
--- Comment #214 from Jonathan Druart ---
Created attachment 59984 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=59984&action=edit
Bug 13618: Use a simplified version of Template::Stash::AutoEscaping

Koha::Template::Escape is a simple version of Template::Stash::AutoEscaping.
It seems that cleanly removing some pieces of Template::Stash::AutoEscaping will bring us a large performance boost.
Jonathan Druart changed:
  Attachments #47425, #47426, #47427, #47428, #47429, #47430, #47431, #47432, #47433, #47434, #47435, #47436, #47437, #47438, #47439, #47440, #47441, #47442, #47443, #47444, #47445, #47446, #47447, #47448, #47449, #47450, #47451, #47452 are obsolete: 0 -> 1

--- Comment #213 from Jonathan Druart ---
Created attachment 59983 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=59983&action=edit
Bug 13618: Use Template::Stash::AutoEscaping to use the html filter

Test plan:
0/ sudo cpanm Template::Stash::AutoEscaping
1/ Verify that the XSS issue described on bug 13609 and other xss related bugs do not reproduce.
2/ Try to find some encoding issues (detail page, search results, facets, etc.)

Signed-off-by:
Signed-off-by: Joonas Kylmälä
Signed-off-by: Bernardo Gonzalez Kriegel

Bug 13618: Remove html filters at the OPAC

This patch removes the html filters at the OPAC, if necessary.
Generated with:
  perl -p -i -e 's/\ ?\|\ ?html(\ ?)%/\1%/g' **/*.tt **/*.inc

Signed-off-by:
Signed-off-by: Joonas Kylmälä
Signed-off-by: Bernardo Gonzalez Kriegel

Bug 13618: Specific places where we don't need to escape variables

There is no need to escape the html generated by the XSLT.

Signed-off-by:
Signed-off-by: Joonas Kylmälä
Signed-off-by: Bernardo Gonzalez Kriegel

Bug 13618: Remove html filters at the intranet

Signed-off-by:
Signed-off-by: Joonas Kylmälä
Signed-off-by: Bernardo Gonzalez Kriegel

Bug 13618: Specific places where we don't need to escape variables - intra

Signed-off-by:
Signed-off-by: Joonas Kylmälä
Signed-off-by: Bernardo Gonzalez Kriegel

Bug 13618: Specific for pagination_bar

Signed-off-by:
Signed-off-by: Joonas Kylmälä
Signed-off-by: Bernardo Gonzalez Kriegel

Bug 13618: Specific for the ISBD view

Signed-off-by:
Signed-off-by: Joonas Kylmälä
Signed-off-by: Bernardo Gonzalez Kriegel

Bug 13618: Fix error 'Not a GLOB reference'

The interpolation of a variable on including a file caused an unexpected error:
  Template process failed: undef error - Not a GLOB reference at /usr/lib/i386-linux-gnu/perl5/5.20/Template/Provider.pm line 619.
The easier fix is to replace it with a SWITCH.

Signed-off-by:
Signed-off-by: Joonas Kylmälä
Jonathan Druart changed:
  Status: BLOCKED -> Needs Signoff

Martin Renvoize changed:
  CC: added martin.renvoize@ptfs-europe.com

--- Comment #212 from Martin Renvoize ---
The approach here is correct in my opinion.. we should treat everything as unsafe and thus escape it by default unless we've manually checked it and marked it as safe.

Yes, this will impact performance at first and highlight some especially nasty areas of Koha. We should use those highlights as a hitlist of areas to concentrate on a) checking security and marking as safe when possible and b) refactoring templates to more sparsely use variables when possible.
Jonathan Druart changed:
  Blocks: removed 14568

--- Comment #211 from Jonathan Druart ---
See bug 15715 for the cause of the revert.
Brendan Gallagher changed:
  Status: Pushed to Master -> BLOCKED

--- Comment #210 from Brendan Gallagher ---
Reverted from master. Marking status as Blocked. Jonathan, please choose the status you'd prefer for this bug.
Jonathan Druart changed:
  See Also: added https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=15715

Jonathan Druart changed:
  Blocks: added 15771

Referenced Bugs:
  https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=15771 [Bug 15771] CGI::escapeHTML should not be used anymore

--- Comment #209 from Katrin Fischer ---
Thx Julian!

--- Comment #208 from Julian Maurice ---
Package accepted into Debian unstable: https://packages.debian.org/sid/libtemplate-stash-autoescaping-perl
Jonathan Druart changed:
  Blocks: added 15754

Referenced Bugs:
  https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=15754 [Bug 15754] html tags displayed when editing frameworks

Jonathan Druart changed:
  Blocks: added 15734

Referenced Bugs:
  https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=15734 [Bug 15734] Audio Alerts broken

Jonathan Druart changed:
  Blocks: added 15733

Referenced Bugs:
  https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=15733 [Bug 15733] Audio Alerts issues in master
Mirko Tietgen changed:
  CC: added mi...@abunchofthings.net

--- Comment #207 from Mirko Tietgen ---
Created attachment 47631 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=47631&action=edit
libtemplate-stash-autoescaping-perl_0.0303-1_all.deb

I built a package in Jessie, maybe it is useful for others too. It's attached.
--- Comment #206 from Marcel de Rooy ---
(In reply to Julian Maurice from comment #205)
> I started packaging this module.
> ITP bug: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=813574
> Git repo: https://anonscm.debian.org/cgit/pkg-perl/packages/libtemplate-stash-autoescaping-perl.git/

Great! Thx

Julian Maurice changed:
  CC: added julian.maur...@biblibre.com

--- Comment #205 from Julian Maurice ---
(In reply to Marcel de Rooy from comment #203)
> Note that this still needs attention in terms of (Debian) packaging.
> At first glance this module does not seem to be available in a Debian
> package.

I started packaging this module.
ITP bug: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=813574
Git repo: https://anonscm.debian.org/cgit/pkg-perl/packages/libtemplate-stash-autoescaping-perl.git/
Jonathan Druart changed:
  Blocks: added 15717

Referenced Bugs:
  https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=15717 [Bug 15717] Installer: Step 3 has showing

--- Comment #204 from Jonathan Druart ---
New test added to the QA script: commit a9ddabb936a0a1539d01992908b3e6484b6d6466
  The html filter is not needed anymore (see bug 13618)
Marcel de Rooy changed:
  CC: added m.de.r...@rijksmuseum.nl

--- Comment #203 from Marcel de Rooy ---
Great work!

Detail for patch: Use Template::Stash::AutoEscaping to use the html filter
Note that this still needs attention in terms of (Debian) packaging. At first glance this module does not seem to be available in a Debian package. Obviously, new perl dependencies should preferably be available already.
Brendan Gallagher changed:
  Status: Passed QA -> Pushed to Master

--- Comment #202 from Brendan Gallagher ---
Pushed to Master - Should be in the May 2016 Release. Thanks! (we'll probably have some more spots to work on this). Great job though!

Brendan Gallagher changed:
  CC: added bren...@bywatersolutions.com

--- Comment #201 from Brendan Gallagher ---
(In reply to Jonathan Druart from comment #200)
> @RM: please don't squash these patches, it will be helpful to have the
> history if a regression is found later.

Will not squash :)
Jonathan Druart changed:
  Status: Patch doesn't apply -> Passed QA

--- Comment #200 from Jonathan Druart ---
@RM: please don't squash these patches, it will be helpful to have the history if a regression is found later.
Jonathan Druart changed:
  Attachment #46819 is obsolete: 0 -> 1

--- Comment #196 from Jonathan Druart ---
Created attachment 47449 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=47449&action=edit
Bug 13618: Do not display html tags in patron's notices

Signed-off-by: Katrin Fischer

Jonathan Druart changed:
  Attachment #46821 is obsolete: 0 -> 1

--- Comment #198 from Jonathan Druart ---
Created attachment 47451 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=47451&action=edit
Bug 13618: (follow-up) Specific for other prefs

follow-up for SlipCSS and printslip

Signed-off-by: Katrin Fischer

Jonathan Druart changed:
  Attachment #46820 is obsolete: 0 -> 1

--- Comment #197 from Jonathan Druart ---
Created attachment 47450 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=47450&action=edit
Bug 13618: Fix for debarredcomment and patron messages

At the OPAC and intranet.

Signed-off-by: Katrin Fischer
[Koha-bugs] [Bug 13618] Prevent XSS in the Staff Client and the OPAC
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=13618

Jonathan Druart changed:

           What    |Removed |Added
----------------------------------------------------------------------------
 Attachment #46818 |0       |1
        is obsolete|        |

--- Comment #195 from Jonathan Druart ---
Created attachment 47448
  --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=47448&action=edit
Bug 13618: Do not display and html tags in item fields content

Note that there might be other occurrences to fix!

Signed-off-by: Katrin Fischer
[Koha-bugs] [Bug 13618] Prevent XSS in the Staff Client and the OPAC
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=13618

Jonathan Druart changed:

           What    |Removed |Added
----------------------------------------------------------------------------
 Attachment #46822 |0       |1
        is obsolete|        |

--- Comment #199 from Jonathan Druart ---
Created attachment 47452
  --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=47452&action=edit
Bug 13618: Specific for branches.opac_info
[Koha-bugs] [Bug 13618] Prevent XSS in the Staff Client and the OPAC
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=13618

Jonathan Druart changed:

           What    |Removed |Added
----------------------------------------------------------------------------
 Attachment #46812 |0       |1
        is obsolete|        |

--- Comment #189 from Jonathan Druart ---
Created attachment 47442
  --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=47442&action=edit
Bug 13618: followup to remove tabs

Signed-off-by: Bernardo Gonzalez Kriegel

This followup is on top of the remote branch.
Only remove tabs and trailing spaces to make koha-qa pass.

Signed-off-by: Katrin Fischer
[Koha-bugs] [Bug 13618] Prevent XSS in the Staff Client and the OPAC
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=13618

Jonathan Druart changed:

           What    |Removed |Added
----------------------------------------------------------------------------
 Attachment #46815 |0       |1
        is obsolete|        |

--- Comment #192 from Jonathan Druart ---
Created attachment 47445
  --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=47445&action=edit
Bug 13618: (follow-up) add missing lines for opac-shelves

Proposed patch to fix opac-shelves

Signed-off-by: Jonathan Druart
Signed-off-by: Katrin Fischer
[Koha-bugs] [Bug 13618] Prevent XSS in the Staff Client and the OPAC
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=13618

Jonathan Druart changed:

           What    |Removed |Added
----------------------------------------------------------------------------
 Attachment #46817 |0       |1
        is obsolete|        |

--- Comment #194 from Jonathan Druart ---
Created attachment 47447
  --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=47447&action=edit
Bug 13618: Fix for system preference description

If a syspref description contains html tags, do not display them.

Signed-off-by: Katrin Fischer
[Koha-bugs] [Bug 13618] Prevent XSS in the Staff Client and the OPAC
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=13618

Jonathan Druart changed:

           What    |Removed |Added
----------------------------------------------------------------------------
 Attachment #46813 |0       |1
        is obsolete|        |

--- Comment #190 from Jonathan Druart ---
Created attachment 47443
  --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=47443&action=edit
Bug 13618: Fix for edit biblios and items

On editing biblios or items, the marc_lib, marc_value and javascript
values are often populated with html code which needs to be displayed raw.

Signed-off-by: Bernardo Gonzalez Kriegel
Signed-off-by: Katrin Fischer
[Koha-bugs] [Bug 13618] Prevent XSS in the Staff Client and the OPAC
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=13618

Jonathan Druart changed:

           What    |Removed |Added
----------------------------------------------------------------------------
 Attachment #46808 |0       |1
        is obsolete|        |

--- Comment #185 from Jonathan Druart ---
Created attachment 47438
  --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=47438&action=edit
Bug 13618: Specific for XSLTBloc

Signed-off-by:
Signed-off-by: Joonas Kylmälä
Signed-off-by: Bernardo Gonzalez Kriegel
Signed-off-by: Katrin Fischer
[Koha-bugs] [Bug 13618] Prevent XSS in the Staff Client and the OPAC
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=13618

Jonathan Druart changed:

           What    |Removed |Added
----------------------------------------------------------------------------
 Attachment #46816 |0       |1
        is obsolete|        |

--- Comment #193 from Jonathan Druart ---
Created attachment 47446
  --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=47446&action=edit
Bug 13618: Remove html filters for newly pushed code

Signed-off-by: Katrin Fischer
[Koha-bugs] [Bug 13618] Prevent XSS in the Staff Client and the OPAC
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=13618

Jonathan Druart changed:

           What    |Removed |Added
----------------------------------------------------------------------------
 Attachment #46809 |0       |1
        is obsolete|        |

--- Comment #186 from Jonathan Druart ---
Created attachment 47439
  --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=47439&action=edit
Bug 13618: Fix escape on sending baskets or shelves by email

Test plan:
Send baskets and shelves by email.
With or without this patch, you should not see any changes.

Signed-off-by:
Signed-off-by: Joonas Kylmälä
Signed-off-by: Bernardo Gonzalez Kriegel
Signed-off-by: Katrin Fischer
[Koha-bugs] [Bug 13618] Prevent XSS in the Staff Client and the OPAC
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=13618

Jonathan Druart changed:

           What    |Removed |Added
----------------------------------------------------------------------------
 Attachment #46810 |0       |1
        is obsolete|        |

--- Comment #187 from Jonathan Druart ---
Created attachment 47440
  --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=47440&action=edit
Bug 13618: Fix for news

Signed-off-by:
Signed-off-by: Joonas Kylmälä
Signed-off-by: Bernardo Gonzalez Kriegel
Signed-off-by: Katrin Fischer
[Koha-bugs] [Bug 13618] Prevent XSS in the Staff Client and the OPAC
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=13618

Jonathan Druart changed:

           What    |Removed |Added
----------------------------------------------------------------------------
 Attachment #46814 |0       |1
        is obsolete|        |

--- Comment #191 from Jonathan Druart ---
Created attachment 47444
  --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=47444&action=edit
Bug 13618: (follow-up) Specific for ColumnsSettings

Signed-off-by: Bernardo Gonzalez Kriegel
Signed-off-by: Katrin Fischer