[Koha] Bug: passwords should be HTML-encoded when displayed during self-registration

Jonathan Druart jonathan.druart at bugs.koha-community.org
Thu Jan 4 08:17:12 NZDT 2018


Patch attached, please test.

On Wed, 3 Jan 2018 at 15:50 Arturo Longoria <Arturo.Longoria at sll.texas.gov>
wrote:

> Hi, all. Our library uses self-registration quite a bit, and I've recently
> stumbled upon a bug that can occur when Koha generates a random password
> for a user during self-registration and attempts to display it to the user
> since these passwords are not HTML-encoded. I have documented the bug here:
> https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=19911.
>
> Basically, the PatronSelfRegistrationPrefillForm preference can be set so
> that self-registered patrons are shown their password upon creating an
> account. This setting is necessary at our library because we do not allow
> patrons to select their own passwords during self-registration due to bug
> 19845, https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=19845.
>
> If the password that is generated randomly by Koha contains the less-than
> character, <, browsers think that this is the beginning of an HTML element,
> so the less-than character and anything after it are not displayed to the
> user. This means that users are not shown their full password!
>
> This screenshot illustrates what I'm describing:
> https://i.imgur.com/hlKpU1I.png.
>
> Arturo Longoria
> Reference Librarian/Web Manager
> Texas State Law Library
> www.sll.texas.gov
>
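
The display problem described in the quoted report, as an added example that is not part of the original thread or of Koha's code: it compares a generated password inserted into markup raw and HTML-encoded. The label text, the sample passwords and the regex model of tag parsing are assumptions made for illustration.

```python
import html
import re

PREFIX = "Your password is: "  # constructed label text, not Koha's template wording

# Simplified model of HTML tokenization (an assumption of this example):
# "<" or "</" followed by an ASCII letter opens a tag that runs to the next ">".
TAG = re.compile(r"</?[A-Za-z][^>]*>")


def render_raw(password):
    """Interpolate the generated password into markup without encoding."""
    return "<p>" + PREFIX + password + "</p>"


def render_encoded(password):
    """Interpolate the password after HTML-encoding &, <, > and quotes."""
    return "<p>" + PREFIX + html.escape(password, quote=True) + "</p>"


def displayed_password(fragment):
    """Approximate what the page shows: drop tags, decode character references."""
    text = html.unescape(TAG.sub("", fragment))
    return text[len(PREFIX):]


def check(password):
    """Return (shown without encoding, shown with encoding) for one password."""
    return (displayed_password(render_raw(password)),
            displayed_password(render_encoded(password)))


if __name__ == "__main__":
    # Constructed sample passwords; the first contains "<" followed by a letter.
    for pw in ["k7Q<tR2&x9", "m4Vb8sLq2J"]:
        raw, enc = check(pw)
        print(f"{pw!r}: raw -> {raw!r}, encoded -> {enc!r}")
```
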

