[Koha-bugs] [Bug 23978] Notes field in saved reports should allow for HTML

2025-05-20 Thread bugzilla-daemon--- via Koha-bugs
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=23978

Martin Renvoize (ashimema)  changed:

   What|Removed |Added

 Status|Failed QA   |Signed Off

-- 
You are receiving this mail because:
You are watching all bug changes.
___
Koha-bugs mailing list
[email protected]
https://lists.koha-community.org/cgi-bin/mailman/listinfo/koha-bugs
website : http://www.koha-community.org/
git : http://git.koha-community.org/
bugs : http://bugs.koha-community.org/


[Koha-bugs] [Bug 23978] Notes field in saved reports should allow for HTML

2025-05-20 Thread bugzilla-daemon--- via Koha-bugs
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=23978

--- Comment #11 from Martin Renvoize (ashimema) ---
I added a QA follow-up here which should hopefully resolve the security side of
it.



[Koha-bugs] [Bug 23978] Notes field in saved reports should allow for HTML

2025-05-20 Thread bugzilla-daemon--- via Koha-bugs
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=23978

Martin Renvoize (ashimema)  changed:

   What|Removed |Added

   Assignee|[email protected] |[email protected]
   |o.uk|



[Koha-bugs] [Bug 23978] Notes field in saved reports should allow for HTML

2025-05-20 Thread bugzilla-daemon--- via Koha-bugs
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=23978

Martin Renvoize (ashimema)  changed:

   What|Removed |Added

 QA Contact|[email protected] |[email protected]
   |y.org   |o.uk



[Koha-bugs] [Bug 23978] Notes field in saved reports should allow for HTML

2025-05-20 Thread bugzilla-daemon--- via Koha-bugs
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=23978

--- Comment #10 from Martin Renvoize (ashimema) ---
Created attachment 182628
  -->
https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=182628&action=edit
Bug 23978: (QA follow-up) Use html_scrubber

This followup replaces the $raw filter with `scrub_html type => 'note' |
$raw`.



[Koha-bugs] [Bug 23978] Notes field in saved reports should allow for HTML

2025-05-20 Thread bugzilla-daemon--- via Koha-bugs
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=23978

Martin Renvoize (ashimema)  changed:

   What|Removed |Added

 Attachment #161711 is obsolete|0 |1

--- Comment #9 from Martin Renvoize (ashimema) ---
Created attachment 182627
  -->
https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=182627&action=edit
Bug 23978: Expose HTML in Reports

This patch updates the notes field to a $raw filter to prevent html
escaping of the data within it.

Signed-off-by: Martin Renvoize 



[Koha-bugs] [Bug 23978] Notes field in saved reports should allow for HTML

2025-05-20 Thread bugzilla-daemon--- via Koha-bugs
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=23978

David Cook  changed:

   What|Removed |Added

 Attachment #182628 is obsolete|0 |1

--- Comment #13 from David Cook  ---
Created attachment 182642
  -->
https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=182642&action=edit
Bug 23978: (QA follow-up) Use html_scrubber

This followup replaces the $raw filter with `scrub_html type => 'note' |
$raw`.

Signed-off-by: David Cook 



[Koha-bugs] [Bug 23978] Notes field in saved reports should allow for HTML

2025-05-20 Thread bugzilla-daemon--- via Koha-bugs
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=23978

David Cook  changed:

   What|Removed |Added

 Status|Signed Off  |Passed QA



[Koha-bugs] [Bug 23978] Notes field in saved reports should allow for HTML

2025-05-20 Thread bugzilla-daemon--- via Koha-bugs
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=23978

--- Comment #12 from David Cook  ---
I'm guessing one of the rebase scripts was this and it's altered the
authorship. I'll look at fixing that...



[Koha-bugs] [Bug 23978] Notes field in saved reports should allow for HTML

2024-04-01 Thread bugzilla-daemon--- via Koha-bugs
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=23978

Katrin Fischer  changed:

   What|Removed |Added

   See Also||https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=19613



[Koha-bugs] [Bug 23978] Notes field in saved reports should allow for HTML

2024-02-16 Thread bugzilla-daemon--- via Koha-bugs
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=23978

Magnus Enger  changed:

   What|Removed |Added

 CC||[email protected]
 Status|Needs Signoff   |Failed QA

--- Comment #8 from Magnus Enger  ---
(In reply to Martin Renvoize from comment #5)
> This patch updates the notes field to a $raw filter to prevent html
> escaping of the data within it.

(In reply to David Cook from comment #7)
> Yeah I don't think we can just expose the raw HTML. 

Sounds like a security problem and a FQA to me. Please set back to NSO if you
disagree. :-)



[Koha-bugs] [Bug 23978] Notes field in saved reports should allow for HTML

2024-02-06 Thread bugzilla-daemon--- via Koha-bugs
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=23978

--- Comment #7 from David Cook  ---
(In reply to Martin Renvoize from comment #6)
> Is there a more secure way of doing this rather than just exposing the raw
> html.. I feel like we're just undoing a security flaw we fixed for a reason.

Yeah I don't think we can just expose the raw HTML. One option would be to use
the HTML scrubber. I think there are quite a few parts of Koha where people
want to use HTML, but could be limited to a fairly small subset of elements and
attributes. 

> Is it time to use markdown for rich text or perhaps for linebreaks just
> outputting the note field in a pre/code block?

For line breaks, the "html_line_break" filter can be useful. 

For notes, adding that line break filter would make sense. I don't know that
any other HTML features would really be needed though. If they were to be added, I
think we'd have to scrub them first.

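The rendering options weighed in comments #7 and #10 (plain escaping, escaping plus line breaks, and an allow-list scrub before raw output), as an added Python sketch that is not Koha's code and not part of this thread. `NoteScrubber`, its allow-list, the `render_*` helpers and the sample note are assumptions for illustration and do not reproduce the rules of Koha's `scrub_html` 'note' type.

```python
import html
from html.parser import HTMLParser

# Assumed allow-list for illustration; NOT the rules of Koha's 'note' scrubber type.
ALLOWED = {"b": set(), "i": set(), "em": set(), "strong": set(), "p": set(),
           "br": set(), "ul": set(), "ol": set(), "li": set(), "a": {"href"}}
SAFE_SCHEMES = ("http://", "https://", "mailto:")
DROP_WITH_CONTENT = {"script", "style"}

class NoteScrubber(HTMLParser):
    """Re-emit only allow-listed tags and attributes; escape all text."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out, self.skip = [], 0

    def handle_starttag(self, tag, attrs):
        if tag in DROP_WITH_CONTENT:
            self.skip += 1          # swallow the element together with its body
        elif tag in ALLOWED and not self.skip:
            # href is the only allowed attribute, so each kept value needs a safe scheme.
            kept = [(k, v) for k, v in attrs if k in ALLOWED[tag] and v
                    and v.strip().lower().startswith(SAFE_SCHEMES)]
            attr_text = "".join(f' {k}="{html.escape(v)}"' for k, v in kept)
            self.out.append(f"<{tag}{attr_text}>")

    def handle_endtag(self, tag):
        if tag in DROP_WITH_CONTENT:
            self.skip = max(0, self.skip - 1)
        elif tag in ALLOWED and tag != "br" and not self.skip:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.skip:
            self.out.append(html.escape(data))

def render_escaped(note):           # plain HTML escaping: markup shown as text
    return html.escape(note)
def render_line_breaks(note):       # escape first, then newlines become <br />
    return html.escape(note).replace("\n", "<br />")
def render_scrubbed(note):          # allow-list scrub; result can be emitted unescaped
    parser = NoteScrubber()
    parser.feed(note)
    parser.close()
    return "".join(parser.out)

# Constructed sample note, not taken from the bug report.
NOTE = ('Run <b>monthly</b>\nSee <a href="https://example.org/doc" onclick="x()">doc</a>'
        '<script>x()</script><a href="javascript:x()">link</a>')
```
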


[Koha-bugs] [Bug 23978] Notes field in saved reports should allow for HTML

2024-02-06 Thread bugzilla-daemon--- via Koha-bugs
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=23978

Martin Renvoize  changed:

   What|Removed |Added

 CC||[email protected]



[Koha-bugs] [Bug 23978] Notes field in saved reports should allow for HTML

2024-01-31 Thread bugzilla-daemon--- via Koha-bugs
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=23978

--- Comment #6 from Martin Renvoize  ---
Is there a more secure way of doing this rather than just exposing the raw
html.. I feel like we're just undoing a security flaw we fixed for a reason.

Is it time to use markdown for rich text or perhaps for linebreaks just
outputting the note field in a pre/code block?



[Koha-bugs] [Bug 23978] Notes field in saved reports should allow for HTML

2024-01-31 Thread bugzilla-daemon--- via Koha-bugs
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=23978

Martin Renvoize  changed:

   What|Removed |Added

 Status|ASSIGNED|Needs Signoff



[Koha-bugs] [Bug 23978] Notes field in saved reports should allow for HTML

2024-01-31 Thread bugzilla-daemon--- via Koha-bugs
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=23978

Martin Renvoize  changed:

   What|Removed |Added

 Attachment #95108 is obsolete|0 |1



[Koha-bugs] [Bug 23978] Notes field in saved reports should allow for HTML

2024-01-31 Thread bugzilla-daemon--- via Koha-bugs
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=23978

Martin Renvoize  changed:

   What|Removed |Added

   Severity|trivial |normal



[Koha-bugs] [Bug 23978] Notes field in saved reports should allow for HTML

2024-01-31 Thread bugzilla-daemon--- via Koha-bugs
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=23978

Martin Renvoize  changed:

   What|Removed |Added

   Assignee|[email protected] |martin.renvoize@ptfs-europe.com
 CC||martin.renvoize@ptfs-europe.com



[Koha-bugs] [Bug 23978] Notes field in saved reports should allow for HTML

2024-01-31 Thread bugzilla-daemon--- via Koha-bugs
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=23978

--- Comment #5 from Martin Renvoize  ---
Created attachment 161711
  -->
https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=161711&action=edit
Bug 23978: Expose HTML in Reports

This patch updates the notes field to a $raw filter to prevent html
escaping of the data within it.

Signed-off-by: Martin Renvoize 



[Koha-bugs] [Bug 23978] Notes field in saved reports should allow for HTML

2024-01-30 Thread bugzilla-daemon
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=23978

--- Comment #4 from Mirjam Vantieghem  ---
+1 We are currently using a custom patch to achieve this.



[Koha-bugs] [Bug 23978] Notes field in saved reports should allow for HTML

2024-01-30 Thread bugzilla-daemon
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=23978

Mirjam Vantieghem  changed:

   What|Removed |Added

 CC||[email protected]



[Koha-bugs] [Bug 23978] Notes field in saved reports should allow for HTML

2020-11-04 Thread bugzilla-daemon
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=23978

Séverine Queune  changed:

   What|Removed |Added

 CC||[email protected]



[Koha-bugs] [Bug 23978] Notes field in saved reports should allow for HTML

2019-11-24 Thread bugzilla-daemon
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=23978

Katrin Fischer  changed:

   What|Removed |Added

Summary|notes field in saved reports should allow HTML |Notes field in saved reports should allow for HTML
