Bug: passwords should be HTML-encoded when displayed during self-registration
Hi, all. Our library uses self-registration quite a bit, and I've recently stumbled upon a bug that can occur when Koha generates a random password for a user during self-registration and attempts to display it to the user, since these passwords are not HTML-encoded. I have documented the bug here: https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=19911.

Basically, the PatronSelfRegistrationPrefillForm preference can be set so that self-registered patrons are shown their password upon creating an account. This setting is necessary at our library because we do not allow patrons to select their own passwords during self-registration due to bug 19845, https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=19845.

If the password that is generated randomly by Koha contains the less-than character, <, browsers think that this is the beginning of an HTML element, so the less-than character and anything after it are not displayed to the user. This means that users are not shown their full password!

This screenshot illustrates what I'm describing: https://i.imgur.com/hlKpU1I.png.

Arturo Longoria
Reference Librarian/Web Manager
Texas State Law Library
www.sll.texas.gov
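An added illustration of the failure mode described above and of the fix, written for this page; it is not code from Koha or from either participant in the thread. Koha's OPAC pages are Template Toolkit templates, where the corresponding fix is the template's html filter ([% password | html %]); the Python below uses html.escape() for the same encoding and the standard library HTML parser as a stand-in for what a browser displays. The span markup, the password alphabet and the render_unsafe/render_escaped helpers are constructed for the example. One caveat the example makes explicit: a browser only opens a tag when the less-than character is followed by an ASCII letter, so a raw password is truncated only in that case, which is why the check is run over many random passwords rather than one.

```python
"""Added example, not Koha code: why a generated password must be HTML-encoded
before it is written into a page, and a check that the encoded form survives.

The span markup, the password alphabet and the two renderers are constructed
for this example.  Koha's real templates are Template Toolkit, where the
equivalent of html.escape() is the `html` filter.
"""
import html
import secrets
import string
from html.parser import HTMLParser
from typing import Callable

# Constructed alphabet: letters, digits and the five characters html.escape
# rewrites.  A real generator would draw from a wider set; these are the ones
# that matter for the bug.
ALPHABET = string.ascii_letters + string.digits + "<>&\"'"


def generate_password(length: int = 12) -> str:
    """Random password drawn from ALPHABET with the OS CSPRNG."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def render_unsafe(password: str) -> str:
    """The buggy pattern: the raw value is interpolated straight into markup."""
    return f'<span class="pw">{password}</span>'


def render_escaped(password: str) -> str:
    """The fix: encode at the point the value enters the HTML document."""
    return f'<span class="pw">{html.escape(password, quote=True)}</span>'


class TextExtractor(HTMLParser):
    """Collect the text nodes of a fragment, i.e. what a browser would show.

    Anything the parser takes as a tag is dropped, which is what happens to
    the part of a raw password that follows a '<' and a letter.
    """

    def __init__(self) -> None:
        super().__init__(convert_charrefs=True)  # decode &lt; etc. back to text
        self.parts: list[str] = []

    def handle_data(self, data: str) -> None:
        self.parts.append(data)


def displayed_text(fragment: str) -> str:
    """Visible text of an HTML fragment."""
    parser = TextExtractor()
    parser.feed(fragment)
    parser.close()
    return "".join(parser.parts)


def survives_rendering(password: str, renderer: Callable[[str], str]) -> bool:
    """True when the user would see exactly the generated password."""
    return displayed_text(renderer(password)) == password


def count_failures(renderer: Callable[[str], str], n: int = 500) -> int:
    """Render n random passwords through `renderer` and return how many are
    displayed incorrectly.  Zero is the only acceptable answer for a fix."""
    return sum(1 for _ in range(n)
               if not survives_rendering(generate_password(), renderer))


if __name__ == "__main__":
    sample = "ab<cd"  # constructed: '<' followed by a letter opens a tag
    print("unsafe :", repr(displayed_text(render_unsafe(sample))))
    print("escaped:", repr(displayed_text(render_escaped(sample))))
    print("unsafe failures over 500 passwords :", count_failures(render_unsafe))
    print("escaped failures over 500 passwords:", count_failures(render_escaped))
```

The check is deliberately a round trip through a parser rather than a string comparison of the markup: the property a practitioner wants is that what the user sees equals what was stored, and that holds for every character in the alphabet only when the value is encoded at the output boundary.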
Patch attached, please test.

On Wed, 3 Jan 2018 at 15:50 Arturo Longoria <Arturo.Longoria@sll.texas.gov> wrote:
> [...]

_______________________________________________ Koha mailing list http://koha-community.org Koha@lists.katipo.co.nz https://lists.katipo.co.nz/mailman/listinfo/koha
Thank you again for your quick work, Jonathan! I've tested your patches on a sandbox and they work great! I've updated the bug with my notes because I did find one small typo (the patch is missing a closing HTML span tag). I wasn't sure if I should sign off yet because of that, so I'll hold off on that for now. Thanks again – very much appreciate your work!

Arturo

From: Jonathan Druart [mailto:jonathan.druart@bugs.koha-community.org]
Sent: Wednesday, January 03, 2018 13:17
To: Arturo Longoria <Arturo.Longoria@sll.texas.gov>
Cc: Koha <koha@lists.katipo.co.nz>
Subject: Re: [Koha] Bug: passwords should be HTML-encoded when displayed during self-registration

> Patch attached, please test.
> [...]
participants (2)
- Arturo Longoria
- Jonathan Druart