[Koha-devel] [Bug 196] user input not checked for HTML tags
From: bugzilla-daemon
Subject: [Koha-devel] [Bug 196] user input not checked for HTML tags
Date: Wed Apr 23 08:07:59 2003
http://bugs.koha.org/cgi-bin/bugzilla/show_bug.cgi?id=196
address@hidden changed:
What       | Removed | Added
-----------+---------+---------
Status     | NEW     | RESOLVED
Resolution |         | LATER
------- Additional Comments From address@hidden 2003-04-24 03:05 -------
The solution is to parse all templates and add "ESCAPE='HTML'" everywhere:
CC of the HTML::Template doc:
<TMPL_VAR NAME="PARAMETER_NAME">
The <TMPL_VAR> tag is very simple. For each <TMPL_VAR> tag in the template you
call $template->param(PARAMETER_NAME => "VALUE"). When the template is output
the <TMPL_VAR> is replaced with the VALUE text you specified. If you don't set a
parameter it just gets skipped in the output.
Optionally you can use the "ESCAPE=HTML" option in the tag to indicate that
you want the value to be HTML-escaped before being returned from output (the old
ESCAPE=1 syntax is still supported). This means that the ", <, >, and &
characters get translated into &quot;, &lt;, &gt; and &amp; respectively. This
is useful when you want to use a TMPL_VAR in a context where those characters
would cause trouble. Example:
<input name=param type=text value="<TMPL_VAR NAME="PARAM">">
If you called param() with a value like sam"my you'll get in trouble with
HTML's idea of a double-quote. On the other hand, if you use ESCAPE=HTML, like
this:
<input name=param type=text value="<TMPL_VAR ESCAPE=HTML NAME="PARAM">">
You'll get what you wanted no matter what value happens to be passed in for
param. You can also write ESCAPE="HTML", ESCAPE='HTML' and ESCAPE='1'.
Substitute a 0 for the HTML and you turn off escaping, which is the default
anyway.
There is also the "ESCAPE=URL" option which may be used for VARs that populate
a URL. It will do URL escaping, like replacing ' ' with '+' and '/' with '%2F'.
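The following script is an added illustration of the fix the comment proposes; it is not code from the bug report or from Koha. It renders the two template lines quoted from the HTML::Template documentation with a constructed hostile value, once without ESCAPE and once with ESCAPE=HTML (plus ESCAPE=URL in a link), and checks whether the injected markup survives. It needs the HTML::Template module from CPAN; the template text, the hostile value and the render/check helpers are assumptions made for this example.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use HTML::Template;   # CPAN module; the one whose docs the comment quotes

# Constructed attacker-controlled input (not from the bug report): it closes
# the value="..." attribute and injects a script element.
my $hostile = q{"><script>alert(1)</script>};

# Template as Koha's templates were written at the time of Bug 196: no ESCAPE.
my $unsafe_tmpl = <<'TMPL';
<input name=param type=text value="<TMPL_VAR NAME="PARAM">">
TMPL

# Template with the fix from the comment: ESCAPE=HTML on the attribute value,
# and ESCAPE=URL where the same value lands inside a URL.
my $safe_tmpl = <<'TMPL';
<input name=param type=text value="<TMPL_VAR ESCAPE=HTML NAME="PARAM">">
<a href="/search?q=<TMPL_VAR ESCAPE=URL NAME="PARAM">">search</a>
TMPL

# Render a template held in a scalar with one parameter set (hypothetical helper).
sub render {
    my ($tmpl, $value) = @_;
    my $t = HTML::Template->new(scalarref => \$tmpl);
    $t->param(PARAM => $value);
    return $t->output;
}

# Crude check (hypothetical helper): did a raw <script tag reach the output?
sub injected {
    my ($html) = @_;
    return index($html, '<script') >= 0 ? 1 : 0;
}

my $unsafe_out = render($unsafe_tmpl, $hostile);
my $safe_out   = render($safe_tmpl,   $hostile);

print "--- no ESCAPE ---\n$unsafe_out";
print "--- ESCAPE=HTML / ESCAPE=URL ---\n$safe_out";

# The unescaped output contains the literal <script> tag; the escaped one
# carries &quot;, &lt; and &gt; (and %22, %3C, %3E inside the href) instead.
print "unescaped template: injection ", (injected($unsafe_out) ? "succeeded" : "blocked"), "\n";
print "escaped template:   injection ", (injected($safe_out)   ? "succeeded" : "blocked"), "\n";
```

ESCAPE=HTML is the right tool for element text and for values inside double-quoted attributes, which is what the quoted example shows. It does not make a value safe inside a `<script>` block, an unquoted attribute, or a `javascript:` URL; those contexts need their own encoding, and a value that becomes part of a URL should use ESCAPE=URL, as in the second line of the template above.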