https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=29678
David Cook <[email protected]> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
         Depends on|                            |23290

--- Comment #29 from David Cook <[email protected]> ---
(In reply to David Cook from comment #28)
> If loading a XSLT via HTTPS with properly set up filepaths, it should
> probably work. I'll see about doing a quick test over HTTPS...

Indeed it does.

I've created a /usr/share/koha/opac/htdocs/opac-tmpl/bootstrap/en/xslt/MARC21slim2OPACResults2.xsl and updated MARC21slimUtils.xsl to /usr/share/koha/opac/htdocs/opac-tmpl/bootstrap/en/xslt/MARC21slimUtils.xsl and it's working fine.

Note that https://real.instance/opac-tmpl/bootstrap/en/xslt/MARC21slimUtils.xsl won't work here, because it's doing network activity, which is prohibited by bug 23290.

--

We could potentially refine the security features from bug 23290, but that's the state of things at the moment.

I think an argument could be made that we should fetch HTTP URLs the same way we do HTTPS URLs in the Koha code instead of the XSLT code, so that the external stylesheet works consistently in that way though.

Referenced Bugs:

https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=23290
[Bug 23290] XSLT system preferences allow administrators to exploit XML and XSLT vulnerabilities
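The following pre-flight check is an added example, not Koha code and not part of the bug comment: it lists the `xsl:import` / `xsl:include` targets of a custom stylesheet and flags the ones that would need network access, which the comment says is prohibited by bug 23290. The function names and the sample stylesheet are constructed for illustration, and the three-way classification is an assumption about what an administrator would want to see, not Koha's own logic.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

XSL_NS = "http://www.w3.org/1999/XSL/Transform"
NETWORK_SCHEMES = {"http", "https", "ftp"}

# Constructed sample: one import by absolute file path (the form the comment
# reports as working) and one include by HTTPS URL (the form it reports as blocked).
SAMPLE_XSL = """<?xml version="1.0"?>
<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
  <xsl:import href="/usr/share/koha/opac/htdocs/opac-tmpl/bootstrap/en/xslt/MARC21slimUtils.xsl"/>
  <xsl:include href="https://real.instance/opac-tmpl/bootstrap/en/xslt/MARC21slimUtils.xsl"/>
  <xsl:template match="/"><out/></xsl:template>
</xsl:stylesheet>
"""

def classify_href(href):
    """Return 'network', 'local' or 'relative' for an import/include target."""
    parts = urlparse(href)
    scheme = parts.scheme.lower()
    # Explicit network scheme, or a scheme-relative //host/path reference.
    if scheme in NETWORK_SCHEMES or (not scheme and parts.netloc):
        return "network"
    # Absolute filesystem path or file: URI.
    if scheme == "file" or href.startswith("/"):
        return "local"
    # No scheme and not absolute: the outcome depends on the base URI the
    # XSLT processor assigns to the stylesheet, so report it separately.
    return "relative"

def audit_stylesheet(xsl_text):
    """List (element, href, classification) for every xsl:import and xsl:include."""
    root = ET.fromstring(xsl_text)
    findings = []
    for tag in ("import", "include"):
        for el in root.iter(f"{{{XSL_NS}}}{tag}"):
            href = el.get("href", "")
            findings.append((tag, href, classify_href(href)))
    return findings

def network_hrefs(xsl_text):
    """Targets that a processor with network access disabled would refuse to load."""
    return [href for _, href, kind in audit_stylesheet(xsl_text) if kind == "network"]

if __name__ == "__main__":
    for tag, href, kind in audit_stylesheet(SAMPLE_XSL):
        print(f"xsl:{tag:<8} {kind:<9} {href}")
```

Entries reported as `relative` need a manual look, since whether they resolve to a file or a URL depends on how the stylesheet itself was loaded.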
