https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=39340
Bug ID: 39340
Summary: Use of $HTMLtags filter should require another prefilter
Change sponsored?: ---
Product: Koha
Version: Main
Hardware: All
OS: All
Status: NEW
Severity: normal
Priority: P5 - low
Component: Test Suite
Assignee: [email protected]
Reporter: [email protected]
QA Contact: [email protected]
CC: [email protected]
t/lib/QA/TemplateFilters.pm thinks that using $HtmlTags is enough to say you've filtered, but $HtmlTags does no escaping, so it isn't enough. You should always either use | html | $HtmlTags or, if your string is already escaped, use $raw | $HtmlTags to say you've thought about it.

The fix to find them is obvious: just remove line 149 so we don't return if we see $HtmlTags, but I don't know how to fix the part that fixes missing filters.

Since we've already fixed the cases where we were only using $HtmlTags on a TT variable (as security bugs), what's left is a bunch of strings in koha-tmpl/intranet-tmpl/prog/en/modules/about.tt and a mix of values from koha-conf.xml and the string "127.0.0.1" in koha-tmpl/intranet-tmpl/prog/en/modules/installer/step2.tt

The fix for the values from koha-conf.xml is easy: they should be | html filtered. And at first the strings seemed easy to me, just give them | $raw to say we looked at them, but is that right? Is "[% "borrowers" | $HtmlTags tag="strong" %]" done that way to keep that table name from being translatable, so we know it will never need to be escaped?
_______________________________________________
Koha-bugs mailing list
[email protected]
https://lists.koha-community.org/cgi-bin/mailman/listinfo/koha-bugs
website : http://www.koha-community.org/
git : http://git.koha-community.org/
bugs : http://bugs.koha-community.org/
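The check the report asks for, written out as an added Python illustration (it is not Koha's Perl t/lib/QA/TemplateFilters.pm and not code from the report): a small linter over Template Toolkit directives that no longer treats `$HtmlTags` as sufficient and instead requires `html` or `$raw` earlier in the same filter chain, plus a tiny model of the filters showing why. Assumptions: the `html_tags` model wraps a value in a tag without escaping, as the report states; the set of filters accepted as "escaped or reviewed" (`html`, `uri`, `$raw`) and the list of non-output directives are assumed; the sample directives are constructed, not taken from about.tt or step2.tt.

```python
import re
from html import escape

# Constructed sample directives (not from Koha's templates) covering the cases in the report:
# a literal string, a koha-conf.xml-style value, the same value properly escaped, a reviewed
# literal marked $raw, and a directive that produces no output at all.
SAMPLE_TEMPLATE = """\
[% "borrowers" | $HtmlTags tag="strong" %]
[% config.hostname | $HtmlTags tag="code" %]
[% config.hostname | html | $HtmlTags tag="code" %]
[% "127.0.0.1" | $raw | $HtmlTags tag="code" %]
[% INCLUDE 'doc-head-open.inc' %]
"""

DIRECTIVE_RE = re.compile(r"\[%-?\s*(.*?)\s*-?%\]", re.S)
# Directives that emit nothing, so no escaping filter is expected (assumed list).
NON_OUTPUT_RE = re.compile(r"^(INCLUDE|PROCESS|IF|ELSIF|ELSE|END|FOREACH|SET|USE|BLOCK|UNLESS|SWITCH|CASE|LAST|NEXT)\b")
# Filters the QA check accepts as "escaped, or explicitly reviewed" (assumed set).
ESCAPING_FILTERS = {"html", "uri", "$raw"}


def html_tags(value, tag):
    # Model of $HtmlTags as the report describes it: wraps in a tag, escapes nothing (assumption).
    return f"<{tag}>{value}</{tag}>"


def split_chain(directive):
    """Split a TT expression on pipes outside double quotes -> (expression, [filter strings])."""
    parts = re.split(r'\|(?=(?:[^"]*"[^"]*")*[^"]*$)', directive)
    filters = [p.strip() for p in parts[1:] if p.strip()]  # e.g. '$HtmlTags tag="strong"'
    return parts[0].strip(), filters


def filter_names(filters):
    return [f.split()[0] for f in filters]


def classify(directive):
    """Return 'ok', 'not_output', or 'missing_filter' for the body of one [% ... %] directive."""
    expr, filters = split_chain(directive)
    if NON_OUTPUT_RE.match(expr):
        return "not_output"
    names = filter_names(filters)
    if not names:
        return "missing_filter"  # plain output with no filter at all
    if "$HtmlTags" in names:
        # The report's point: $HtmlTags only counts if an escaping filter (or $raw) precedes it.
        before = names[: names.index("$HtmlTags")]
        return "ok" if ESCAPING_FILTERS & set(before) else "missing_filter"
    return "ok" if ESCAPING_FILTERS & set(names) else "missing_filter"


def lint(template_text):
    """Return [(line_no, directive, verdict)] for every directive that fails the check."""
    findings = []
    for line_no, line in enumerate(template_text.splitlines(), 1):
        for m in DIRECTIVE_RE.finditer(line):
            verdict = classify(m.group(1))
            if verdict == "missing_filter":
                findings.append((line_no, m.group(0), verdict))
    return findings


def render_chain(value, filters):
    """Apply a filter chain under the report's description: html escapes, $raw passes through,
    $HtmlTags wraps without escaping. Used only to show why the check matters."""
    out = value
    for f in filters:
        name, *args = f.split()
        if name == "html":
            out = escape(out, quote=True)
        elif name == "$raw":
            pass
        elif name == "$HtmlTags":
            tag = dict(a.split("=", 1) for a in args)["tag"].strip('"')
            out = html_tags(out, tag)
    return out


def demo():
    # Constructed value containing markup, standing in for an unreviewed koha-conf.xml setting.
    value = "<i>host</i>"
    unsafe = render_chain(value, ['$HtmlTags tag="code"'])          # markup survives
    safe = render_chain(value, ["html", '$HtmlTags tag="code"'])    # markup is escaped first
    return unsafe, safe


if __name__ == "__main__":
    for line_no, directive, verdict in lint(SAMPLE_TEMPLATE):
        print(f"line {line_no}: {verdict}: {directive}")
    print(demo())
```

Running it flags only the first two sample lines: the bare literal and the bare config value wrapped in `$HtmlTags`. The third and fourth pass because `html` or `$raw` comes before `$HtmlTags` in the chain, which is exactly the distinction the report wants the QA script to make; `demo()` shows the same value once with markup intact and once escaped.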