Thanks, Rogan! This does remove potentially harmful <script> tags and js before they can bug a user. A note for other testers, because it took me a little while to figure out: the contents of this setting are filtered when the setting is saved, so existing values in the opac.patron.custom_css setting won't be affected (until they are saved again).
I exercised the patch as follows:
1. Set the value of the opac.patron.custom_css library setting to the string here: https://gist.githubusercontent.com/sandbergja/b27ba0b7afeaefd5c989fc7f93274b6c/raw/296c2d313cacefba1684195cf83e32e911566bb3/bad.css (launchpad won't let me put it in the ticket verbatim -- it's: body { background-color: purple; }, then a closing style tag, then a script tag with a javascript alert in it)
2. Confirmed that, when I went to the OPAC, the purple displayed (good) but a javascript alert also displayed (bad).
3. Removed the setting
4. Applied Rogan's commit
5. Repeated step 1
6. Checked the OPAC again. It's still purple (good), but the arbitrary javascript doesn't affect the user; it gets commented out.
I think this is a really good improvement! Signoff at user/sandbergja/lp1869971_defang_css-signoff / https://git.evergreen-ils.org/?p=working/Evergreen.git;a=shortlog;h=refs/heads/user/sandbergja/lp1869971_defang_css-signoff
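To make the failure mode and the save-time filtering concrete, here is an added example in Python. It is not Evergreen's code or Rogan's patch: instead of commenting the markup out, it replaces the `<` character with its CSS hex escape, and it adds a small audit check for values stored before the filter existed (the caveat noted above). The sample CSS is constructed from the description in the comment, not copied from the gist.

```python
import re

# Constructed sample modelled on the comment's description: valid CSS, then a
# closing style tag, then a script tag carrying an alert.
BAD_CSS = 'body { background-color: purple; }</style><script>alert("hi")</script>'


def defang_custom_css(css: str) -> str:
    """Neutralise markup in an admin-supplied CSS value that will be inlined
    into a <style> element.

    Inside <style> the HTML parser does not decode entities, so `&lt;` would
    not help: the only thing that can end the element is a literal `</style`.
    Replacing every `<` with the CSS escape `\\3c ` (U+003C, trailing space
    consumed by the CSS tokenizer) makes it impossible for the value to close
    the element or open a <script> tag, while leaving real CSS untouched.
    `>` is deliberately left alone because it is the child combinator.
    """
    return css.replace("<", "\\3c ")


_MARKUP = re.compile(r"<\s*/?\s*(style|script)\b", re.IGNORECASE)


def contains_markup(css: str) -> bool:
    """True if a value still carries raw style/script tags.

    A filter that runs on save does nothing for rows saved earlier, so an
    audit over existing opac.patron.custom_css values is the way to find
    settings that need to be re-saved.
    """
    return bool(_MARKUP.search(css))


def render_style_element(css: str) -> str:
    """What the OPAC page would emit (assumption: the value is inlined verbatim)."""
    return f"<style>{css}</style>"


if __name__ == "__main__":
    print("before:", render_style_element(BAD_CSS))
    print("after: ", render_style_element(defang_custom_css(BAD_CSS)))
```

Running the module shows the purple rule intact in both outputs, but only the unfiltered one contains a second `</style>` and a `<script>` element; `contains_markup` is the check to run against stored values that were never passed through the filter.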