[Koha-bugs] [Bug 19911] Passwords displayed to user during self-registration are not HTML-encoded

2018-01-30 Thread bugzilla-daemon
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=19911

Fridolin SOMERS  changed:

   What|Removed |Added

 CC||fridolin.som...@biblibre.com

--- Comment #15 from Fridolin SOMERS  ---
Pushed to 17.05.x for v17.05.09

-- 
You are receiving this mail because:
You are watching all bug changes.
___
Koha-bugs mailing list
Koha-bugs@lists.koha-community.org
http://lists.koha-community.org/cgi-bin/mailman/listinfo/koha-bugs
website : http://www.koha-community.org/
git : http://git.koha-community.org/
bugs : http://bugs.koha-community.org/


[Koha-bugs] [Bug 19911] Passwords displayed to user during self-registration are not HTML-encoded

2018-01-22 Thread bugzilla-daemon
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=19911

Nick Clemens  changed:

   What|Removed |Added

 Status|Pushed to Master|Pushed to Stable
 CC||n...@bywatersolutions.com

--- Comment #14 from Nick Clemens  ---
Awesome work all!

Pushed to Stable for 17.11.02



[Koha-bugs] [Bug 19911] Passwords displayed to user during self-registration are not HTML-encoded

2018-01-15 Thread bugzilla-daemon
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=19911

Jonathan Druart  changed:

   What|Removed |Added

 Status|Passed QA   |Pushed to Master

--- Comment #13 from Jonathan Druart ---
Pushed to master for 18.05, thanks to everybody involved!



[Koha-bugs] [Bug 19911] Passwords displayed to user during self-registration are not HTML-encoded

2018-01-11 Thread bugzilla-daemon
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=19911

Katrin Fischer  changed:

   What|Removed |Added

 Status|Signed Off  |Passed QA

--- Comment #12 from Katrin Fischer  ---
Thx, Arturo, for documenting your tests and the sign-off!



[Koha-bugs] [Bug 19911] Passwords displayed to user during self-registration are not HTML-encoded

2018-01-11 Thread bugzilla-daemon
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=19911

Katrin Fischer  changed:

   What|Removed |Added

  Attachment #70308 is obsolete|0   |1

--- Comment #10 from Katrin Fischer  ---
Created attachment 70445
  -->
https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=70445=edit
Bug 19911: Do not escape html characters when saving passwords

When the password is not generated automatically, we should not escape
the html characters. Otherwise it will be changed without any warnings.

Signed-off-by: Arturo 

Signed-off-by: Katrin Fischer 



[Koha-bugs] [Bug 19911] Passwords displayed to user during self-registration are not HTML-encoded

2018-01-11 Thread bugzilla-daemon
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=19911

Katrin Fischer  changed:

   What|Removed |Added

  Attachment #70309 is obsolete|0   |1

--- Comment #11 from Katrin Fischer  ---
Created attachment 70446
  -->
https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=70446=edit
Bug 19911: Escape password value during self-registration confirmation

The password must be correctly escaped, it can contain html characters
and break the display.

Test plan:
Apply first patch and confirm that the display is broken
Apply second patch (this one) and confirm that the display is fixed

Signed-off-by: Arturo 

Signed-off-by: Katrin Fischer 



[Koha-bugs] [Bug 19911] Passwords displayed to user during self-registration are not HTML-encoded

2018-01-11 Thread bugzilla-daemon
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=19911

Katrin Fischer  changed:

   What|Removed |Added

 CC||katrin.fisc...@bsz-bw.de
 QA Contact|testo...@bugs.koha-community.org |katrin.fisc...@bsz-bw.de



[Koha-bugs] [Bug 19911] Passwords displayed to user during self-registration are not HTML-encoded

2018-01-05 Thread bugzilla-daemon
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=19911

--- Comment #9 from Arturo  ---
Just tested again and it looks great to me. Thank you for your work on this,
Jonathan!



[Koha-bugs] [Bug 19911] Passwords displayed to user during self-registration are not HTML-encoded

2018-01-05 Thread bugzilla-daemon
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=19911

--- Comment #8 from sandbo...@biblibre.com  ---
Created attachment 70309
  -->
https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=70309=edit
Bug 19911: Escape password value during self-registration confirmation

The password must be correctly escaped, it can contain html characters
and break the display.

Test plan:
Apply first patch and confirm that the display is broken
Apply second patch (this one) and confirm that the display is fixed

Signed-off-by: Arturo 



[Koha-bugs] [Bug 19911] Passwords displayed to user during self-registration are not HTML-encoded

2018-01-05 Thread bugzilla-daemon
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=19911

--- Comment #7 from sandbo...@biblibre.com  ---
Created attachment 70308
  -->
https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=70308=edit
Bug 19911: Do not escape html characters when saving passwords

When the password is not generated automatically, we should not escape
the html characters. Otherwise it will be changed without any warnings.

Signed-off-by: Arturo 



[Koha-bugs] [Bug 19911] Passwords displayed to user during self-registration are not HTML-encoded

2018-01-05 Thread bugzilla-daemon
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=19911

sandbo...@biblibre.com  changed:

   What|Removed |Added

  Attachment #70289 is obsolete|0   |1



[Koha-bugs] [Bug 19911] Passwords displayed to user during self-registration are not HTML-encoded

2018-01-05 Thread bugzilla-daemon
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=19911

sandbo...@biblibre.com  changed:

   What|Removed |Added

 CC||sandbo...@biblibre.com
 Status|Needs Signoff   |Signed Off

--- Comment #6 from sandbo...@biblibre.com  ---
Patch tested with a sandbox, by Arturo 



[Koha-bugs] [Bug 19911] Passwords displayed to user during self-registration are not HTML-encoded

2018-01-05 Thread bugzilla-daemon
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=19911

sandbo...@biblibre.com  changed:

   What|Removed |Added

  Attachment #70271 is obsolete|0   |1



[Koha-bugs] [Bug 19911] Passwords displayed to user during self-registration are not HTML-encoded

2018-01-05 Thread bugzilla-daemon
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=19911

Jonathan Druart  changed:

   What|Removed |Added

 Depends on||19918

--- Comment #5 from Jonathan Druart ---
(In reply to Arturo from comment #3)
> Thank you for the patches, Jonathan! I've tested this out on a sandbox and
> it works great! There is only one issue that I found -- the <span> tag on
> line 45 of opac-registration-confirmation.tt is missing a closing </span>
> tag. Right now both of the tags are opening tags, so it is causing an HTML
> validation error.

Well spotted!
I have opened, filled and pushed bug 19918 to fix that.
And rebased the patch on top.


Referenced Bugs:

https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=19918
[Bug 19918] span tag not closed in opac-registration-confirmation.tt


[Koha-bugs] [Bug 19911] Passwords displayed to user during self-registration are not HTML-encoded

2018-01-05 Thread bugzilla-daemon
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=19911

Jonathan Druart  changed:

   What|Removed |Added

  Attachment #70253 is obsolete|0   |1

--- Comment #4 from Jonathan Druart ---
Created attachment 70289
  -->
https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=70289=edit
Bug 19911: Escape password value during self-registration confirmation

The password must be correctly escaped, it can contain html characters
and break the display.

Test plan:
Apply first patch and confirm that the display is broken
Apply second patch (this one) and confirm that the display is fixed



[Koha-bugs] [Bug 19911] Passwords displayed to user during self-registration are not HTML-encoded

2018-01-04 Thread bugzilla-daemon
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=19911

--- Comment #3 from Arturo  ---
Thank you for the patches, Jonathan! I've tested this out on a sandbox and it
works great! There is only one issue that I found -- the <span> tag on line 45
of opac-registration-confirmation.tt is missing a closing </span> tag. Right
now both of the tags are opening tags, so it is causing an HTML validation
error.

Despite that, I was able to complete the detailed test plan below and found no
errors. These patches work both when e-mail verification is required and when
it is not. They also work when the user supplies a password and when it is
randomly generated by Koha. My full test plan is below.

These are the sample passwords I tested with:

<%20>

password

link


Test plan:
1. Make sure a valid e-mail is stored in KohaAdminEmailAddress.
2. Set OpacPublic to Enable.
3. Set PatronSelfRegistration to Allow.
4. Be sure there is a valid patron category in
PatronSelfRegistrationDefaultCategory.
5. Set PatronSelfRegistrationBorrowerMandatoryField to include at least
"firstname|surname|email|password" so that these are required fields.
6. Set PatronSelfRegistrationPrefillForm to "Display and prefill" so that you
can see the password and have it prefilled.

To test when e-mail verification is NOT required:
1. Set PatronSelfRegistrationVerifyByEmail to "Don't require".
2. Go to the OPAC and fill out the self-registration form. Supply a password
that contains the less-than character.
3. Confirm that upon account creation, your password is correctly displayed on
the confirmation page.
4. Also confirm that you can log in to your account.

To test when e-mail verification IS required:
1. Be sure that OPACBaseUrl has a value since it is called by the
OPAC_REG_VERIFY e-mail template.
2. Set PatronSelfRegistrationVerifyByEmail to "Require."
3. Go to the OPAC and fill out the self-registration form. Supply a password
that contains the less-than character.
4. Follow the e-mail verification link created by Koha.
5. Confirm that upon account creation, your password is correctly displayed on
the confirmation page.
6. Also confirm that you can log in to your account.

To test when a password is generated randomly:
1. Remove "password" from the list of fields in
PatronSelfRegistrationBorrowerMandatoryField and repeat the two blocks of steps
above. Be sure that the randomly generated password contains a less-than
character and that it displays properly. Since these are generated randomly,
you may need to self-register multiple times until your generated password
contains this character.

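The two patches discussed in this thread separate storage from display: the password is saved exactly as typed and HTML-escaped only when the confirmation page renders it. The following Perl/Template Toolkit example is added here to illustrate that split and is not Koha's code; the sample password, the `html_escape` helper and the template markup are constructed for illustration, and password hashing is left out.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Template;

# Constructed sample: a user-chosen password containing HTML metacharacters.
my $typed = 'p<b>ss&word';

# Hypothetical stand-in for HTML-escaping applied to form input before saving.
sub html_escape {
    my ($s) = @_;
    $s =~ s/&/&amp;/g;
    $s =~ s/</&lt;/g;
    $s =~ s/>/&gt;/g;
    $s =~ s/"/&quot;/g;
    return $s;
}

# Escaping on the way in: the value handed to the password hasher is no
# longer what the user typed, so the stored password changes silently.
my $saved_escaped = html_escape($typed);

# Saving the value untouched keeps the credential intact.
my $saved_raw = $typed;

# A later login supplies the original characters; only the raw copy matches.
for my $case ( [ 'escaped on save', $saved_escaped ], [ 'saved raw', $saved_raw ] ) {
    my ( $label, $saved ) = @$case;
    printf "%-16s login %s\n", $label, ( $typed eq $saved ? 'succeeds' : 'fails' );
}

# Display side: the same raw value rendered without and with the TT html filter.
my %templates = (
    '1 no filter'   => '<span id="password">[% password %]</span>',
    '2 html filter' => '<span id="password">[% password | html %]</span>',
);

my $tt = Template->new() or die Template->error();
for my $name ( sort keys %templates ) {
    my $out = '';
    $tt->process( \$templates{$name}, { password => $saved_raw }, \$out )
        or die $tt->error();
    print "$name: $out\n";
}
```

Without the filter the browser parses the password's `<b>` as markup and the confirmation page shows the wrong characters; with the filter the page shows the password exactly as typed while the stored value stays unchanged.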


[Koha-bugs] [Bug 19911] Passwords displayed to user during self-registration are not HTML-encoded

2018-01-04 Thread bugzilla-daemon
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=19911

--- Comment #2 from Jonathan Druart ---
Created attachment 70271
  -->
https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=70271=edit
Bug 19911: Do not escape html characters when saving passwords

When the password is not generated automatically, we should not escape
the html characters. Otherwise it will be changed without any warnings.



[Koha-bugs] [Bug 19911] Passwords displayed to user during self-registration are not HTML-encoded

2018-01-03 Thread bugzilla-daemon
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=19911

Jonathan Druart  changed:

   What|Removed |Added

 Status|NEW |Needs Signoff



[Koha-bugs] [Bug 19911] Passwords displayed to user during self-registration are not HTML-encoded

2018-01-03 Thread bugzilla-daemon
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=19911

--- Comment #1 from Jonathan Druart ---
Created attachment 70253
  -->
https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=70253=edit
Bug 19911: Escape password value during self-registration confirmation

The password must be correctly escaped, it can contain html characters
and break the display.

Test plan:
Apply first patch and confirm that the display is broken
Apply second patch (this one) and confirm that the display is fixed



[Koha-bugs] [Bug 19911] Passwords displayed to user during self-registration are not HTML-encoded

2018-01-03 Thread bugzilla-daemon
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=19911

Jonathan Druart  changed:

   What|Removed |Added

   Severity|enhancement |major
 CC||jonathan.dru...@bugs.koha-community.org
Version|17.11   |master



[Koha-bugs] [Bug 19911] Passwords displayed to user during self-registration are not HTML-encoded

2018-01-03 Thread bugzilla-daemon
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=19911

Jonathan Druart  changed:

   What|Removed |Added

   Assignee|oleon...@myacpl.org |jonathan.dru...@bugs.koha-community.org



[Koha-bugs] [Bug 19911] Passwords displayed to user during self-registration are not HTML-encoded

2018-01-03 Thread bugzilla-daemon
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=19911

Arturo  changed:

   What|Removed |Added

 CC||libr...@sll.texas.gov
