
Potential fix for code scanning alert no. 18: Incomplete multi-character sanitization #36

Draft
wants to merge 67 commits into base: main
Conversation

IanSkelskey
Owner

Potential fix for https://github.com/IanSkelskey/Evergreen/security/code-scanning/18

To fix the problem, we should ensure that all instances of potentially dangerous HTML tags are removed from the input string. One effective way to achieve this is by using a well-tested sanitization library, such as sanitize-html, which is designed to handle various edge cases and ensure comprehensive sanitization.

The best way to fix the problem without changing existing functionality is to replace the custom regular expression-based sanitization with the sanitize-html library. This library will handle the removal of all unsafe tags and attributes, ensuring that the input string is properly sanitized.

Suggested fixes powered by Copilot Autofix. Review carefully before merging.
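The alert class named in the title ("Incomplete multi-character sanitization") is worth seeing concretely. The following is an added JavaScript example, not Evergreen's code and not the Copilot Autofix change itself: it reproduces the weak pattern the alert targets (a single regex pass that removes a multi-character token), shows why one pass is not enough, and gives a small reviewer check that flags any tag-stripping sanitizer which either leaves residue or is not idempotent. The function names, the fixed-point variant and the sample strings are all constructed for illustration; the sanitize-html library recommended above is the proper fix and is not used here because the point is the verification, which runs offline.

```javascript
// Added example (not Evergreen's code): the "incomplete multi-character
// sanitization" pattern behind code scanning alert no. 18, plus a check a
// reviewer can run against any tag-stripping helper.
//
// Assumption: the original Evergreen helper is not reproduced here; every
// function name and sample string below is constructed for illustration.

// The pattern the alert flags: one pass that deletes a multi-character token.
// Deleting the token once can reassemble a second copy from the characters
// that surrounded it, so the output still contains what was "removed".
function stripScriptTagsOnce(input) {
  return input.replace(/<\/?script[^>]*>/gi, '');
}

// Fixed-point variant: re-apply until the string stops changing. This is still
// a deny-list approach (a real HTML sanitizer such as sanitize-html is the
// better fix), but it no longer leaves single-pass residue behind.
function stripScriptTagsToFixedPoint(input) {
  let previous;
  let current = input;
  do {
    previous = current;
    current = stripScriptTagsOnce(current);
  } while (current !== previous);
  return current;
}

// Reviewer check: a sanitizer that claims to remove a token must (a) leave no
// occurrence of it and (b) be idempotent. Returns the samples that fail.
function findSanitizerFailures(sanitize, samples) {
  const failures = [];
  for (const sample of samples) {
    const once = sanitize(sample);
    const twice = sanitize(once);
    const residue = /<\/?script/i.test(once);
    if (residue || once !== twice) {
      failures.push({ sample, once, twice, residue });
    }
  }
  return failures;
}

// Constructed samples. The third is the textbook demonstration of why a
// single pass is incomplete: stripping the inner token reassembles an outer
// one, so the "sanitized" output is '<script>x</script>'.
const SAMPLES = [
  'plain text, no markup',
  '<script>x</script>',
  '<scr<script>ipt>x</scr</script>ipt>',
];

// Summarise how each helper fares against the samples.
function demo() {
  const naive = findSanitizerFailures(stripScriptTagsOnce, SAMPLES);
  const fixed = findSanitizerFailures(stripScriptTagsToFixedPoint, SAMPLES);
  return { naiveFailures: naive.length, fixedPointFailures: fixed.length };
}

console.log(demo()); // { naiveFailures: 1, fixedPointFailures: 0 }
```

The idempotence half of the check is what makes this a useful gate in review: a sanitizer whose output changes when it is applied a second time has, by definition, left something behind. Note that the same check is not appropriate for an escaping helper (one that turns `<` into `&lt;`), because escaping is deliberately not idempotent; applying it twice produces the "double escaping" problem that several other alerts in this PR's commit list address.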

dbriem and others added 30 commits February 16, 2025 18:37
Ensure setTimeout delays focus when reordering shelving
locations using up/down arrow keys in the administration
interface.

Release-note: Fix an issue in the Shelving Location Group
admin screen that caused keyboard focus to disappear.

To test:
- Go to Admin->Local Admin->Shelving Location Groups
- If you don't have at least 3 groups, create them
- Tab to an item's move button (4 arrow icon)
- Press up and down to move the item, note focus is
  retained

Signed-off-by: Dan Briem <dbriem@harrisonpl.org>
Signed-off-by: Jane Sandberg <sandbergja@gmail.com>
…t export

This patch fixes an issue where the "Include items?" option
when exporting records from the new Angular buckets interface
was ignored.

To test
-------
[1] Create a record bucket that has at least one bib that
    has items attached to it.
[2] Use the 'Export All' button from the bucket interface
    and select the Include items? option
[3] Select the record from the list and use the Export Selected
    Records action with the Include items? option in effect.
[4] Review both output files and note that the 852 fields with
    item information are not included.
[5] Apply the patch and repeat steps 2 and 3. This time, the
    852 fields should be present.

Release-note: Fixes an issue that caused the "Include items?" option
when exporting records from the Record Buckets interface to be ignored.

Signed-off-by: Galen Charlton <gmc@equinoxOLI.org>
Signed-off-by: Jane Sandberg <sandbergja@gmail.com>
If you switch between the flat and enhanced MARC editor, then
save, the editor reverts to whichever tab was initially loaded.

This synchronizes the one-way data binding of `editorTab` with
`ngbNav`'s `activeId` in the `navChange` callback.

Release-note: Fix an issue that caused MARC editor interface to change
unexpectedly when a record is saved.

To test:
- Go to a record and click the MARC Edit tab
- Switch from Enhanced to Flat (or vice-versa if Flat's selected)
- Click Save, note it doesn't switch to the initially loaded tab

Signed-off-by: Dan Briem <dbriem@harrisonpl.org>
Signed-off-by: Jane Sandberg <sandbergja@gmail.com>
Signed-off-by: Andrea Buntz Neiman <abneiman@equinoxinitiative.org>
Signed-off-by: Andrea Buntz Neiman <abneiman@equinoxinitiative.org>
Signed-off-by: Jason Stephenson <jason@sigio.com>
Signed-off-by: Jason Stephenson <jason@sigio.com>
Updating screenshots and instructions for this page: https://docs.evergreen-ils.org/docs/latest/admin/copy_statuses.html

Signed-off-by: Jane Sandberg <sandbergja@gmail.com>
- Removed outdated images: `event_def_details.png`, `new_event_def.png`
- Added new images: `local_admin_option.png`, `new_event_def_btn.png`, `tabs.png`
- Updated images for sections: Email and Print Event Definitions and Parameters
- Cleanup and streamlined content in action triggers documentation:
  - Changed \"Introduction\" to \"Overview\"
  - Reorganized content for clarity
  - Consolidated some sections and reduced redundancy
  - Added explanations for components like Hooks and Reactors
  - Expanded on how to create alternate message templates
  - Explained cron job setup in detail

Release-Note: Improve and reorganize action triggers documentation in admin module

Signed-off-by: Ian Skelskey <ianskelskey@gmail.com>
Signed-off-by: Jane Sandberg <sandbergja@gmail.com>
This patch updates the release note extractor script so that if
a commit includes a release note tagged with Release-note: that
extends over more than one line, all of them will be considered
as part of the same note. Multi-line release notes should not
start with a whitespace character on the second and subsequent lines.

To test
-------
[1] Apply the patch and run extract_release_notes_from_commits.pl;
    verify that multi-line release notes in commit messages are
    fully included in the output.

Release-note: [dev] Update the release
note extractor
so that all lines of a
multi-line release notes in a commit
message are
included in the output

Signed-off-by: Galen Charlton <gmc@equinoxOLI.org>
Signed-off-by: Jane Sandberg <sandbergja@gmail.com>
…haracter Map

This patch fixes an issue where the HostListener for the jump-to-letter-range
navigation feature of the new MARC Edit Character Map was grabbing keydown
events that it shouldn't have tried to handle. It also cleans up browser
console noise generated when the user types a digit character.

To test
-------
[1] Open a bib record and ensure that the enhanced MARC editor tab is
    active.
[2] Try to add the record to a new bucket via the Other Actions menu. Note
    that keys in the range 0-9 and a-z are not entered into the bucket
    name input when pressed.
[3] Try other text inputs in the MARC editor, such as the bib source input.
    Note that the same alphanumeric characters cannot be entered.
[4] Apply the patch and repeat steps 1-3. This time, there should be no
    interference with keyboard input.
[5] Open the Special Characters modal. Verify that single-letter keyboard
    shortcuts work as expected.
[6] Close the modal. Verify that keyboard input remains normal.

This patch intentionally does not include a release notes entry as it
follows up on an enhancement that has not been released yet.

Signed-off-by: Galen Charlton <gmc@equinoxOLI.org>
Signed-off-by: Dan Briem <dbriem@harrisonpl.org>
Signed-off-by: Jane Sandberg <sandbergja@gmail.com>
Add a Perl sigtrap handler in clark-kent.pl to log the signal and exit
when it receives a signal.

Testing is relatively straightforward:

1. Start the reporter.
2. Send it the TERM signal with kill: `kill $(cat /tmp/reporter-LOCK)`.
3. Check the osrfsys.log to see that nothing is logged.
4. Delete the reporter lock file: `rm /tmp/reporter-LOCK.`
5. Apply this commit.
6. Do `sudo make install` in the Evergreen source directory.
7. Follow that with `sudo chown -R opensrf:opensrf /openils ./`.
8. Repeat steps 1 & 2.
9. `grep 'Reporter received signal' /openils/var/log/osrfsys.log` should
   return a line.
10. Delete the reporter lock file (for hygiene).

Release-note: Add a signal handler to the reporter to log the signal and exit.

Signed-off-by: Jason Stephenson <jason@sigio.com>
Signed-off-by: Jane Sandberg <sandbergja@gmail.com>
Fetches the Library Setting for whether to show legacy invoice links in
invoice.component. This will allow the 'Open In Legacy Interface' link
to appear.

Release-note: Display a "Show Invoice in Legacy Interface" in invoices
when configured.

Signed-off-by: Steven Mayo <smayo@georgialibraries.org>
Signed-off-by: Jane Sandberg <sandbergja@gmail.com>
Correct 3.13.8-3.13.19-upgrade-db.sql to 3.13.8-3.13.9-upgrade-db.sql
filename.

Signed-off-by: Jason Stephenson <jason@sigio.com>
It looks like the wrong version number, 3.13.19, was used when
stamping the file. This commit corrects that.

Signed-off-by: Jason Stephenson <jason@sigio.com>
…ion character escape

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
Bumps [browserify-sign](https://github.com/crypto-browserify/browserify-sign) from 4.2.1 to 4.2.3.
- [Changelog](https://github.com/browserify/browserify-sign/blob/main/CHANGELOG.md)
- [Commits](browserify/browserify-sign@v4.2.1...v4.2.3)

---
updated-dependencies:
- dependency-name: browserify-sign
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
Bumps [elliptic](https://github.com/indutny/elliptic) from 6.5.4 to 6.6.1.
- [Commits](indutny/elliptic@v6.5.4...v6.6.1)

---
updated-dependencies:
- dependency-name: elliptic
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
Bumps [decode-uri-component](https://github.com/SamVerschueren/decode-uri-component) from 0.2.0 to 0.2.2.
- [Release notes](https://github.com/SamVerschueren/decode-uri-component/releases)
- [Commits](SamVerschueren/decode-uri-component@v0.2.0...v0.2.2)

---
updated-dependencies:
- dependency-name: decode-uri-component
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
Potential fix for code scanning alert no. 45: Useless regular-expression character escape
…ILS/web/js/ui/default/staff/decode-uri-component-0.2.2

Bump decode-uri-component from 0.2.0 to 0.2.2 in /Open-ILS/web/js/ui/default/staff
…LS/web/js/ui/default/staff/browserify-sign-4.2.3

Bump browserify-sign from 4.2.1 to 4.2.3 in /Open-ILS/web/js/ui/default/staff
…ILS/web/js/ui/default/staff/elliptic-6.6.1

Bump elliptic from 6.5.4 to 6.6.1 in /Open-ILS/web/js/ui/default/staff
Bumps the npm_and_yarn group with 1 update in the /Open-ILS/web/js/ui/default/staff directory: [karma](https://github.com/karma-runner/karma).


Updates `karma` from 1.7.1 to 6.4.4
- [Release notes](https://github.com/karma-runner/karma/releases)
- [Changelog](https://github.com/karma-runner/karma/blob/master/CHANGELOG.md)
- [Commits](karma-runner/karma@1.7.1...v6.4.4)

---
updated-dependencies:
- dependency-name: karma
  dependency-type: direct:development
  dependency-group: npm_and_yarn
...

Signed-off-by: dependabot[bot] <support@github.com>
…ILS/web/js/ui/default/staff/npm_and_yarn-1dc217bc5b

Bump karma from 1.7.1 to 6.4.4 in /Open-ILS/web/js/ui/default/staff in the npm_and_yarn group across 1 directory
…ion character escape

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
Potential fix for code scanning alert no. 44: Useless regular-expression character escape
…ion character escape

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
Potential fix for code scanning alert no. 43: Useless regular-expression character escape
…caping

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
IanSkelskey and others added 29 commits February 23, 2025 01:52
…tion

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
Potential fix for code scanning alert no. 7: Prototype-polluting function
…caping

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
Potential fix for code scanning alert no. 39: Double escaping or unescaping
…ing or encoding

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
Potential fix for code scanning alert no. 38: Incomplete string escaping or encoding
…ter sanitization

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
Potential fix for code scanning alert no. 17: Incomplete multi-character sanitization
…tion

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
Potential fix for code scanning alert no. 8: Prototype-polluting function
…ing or encoding

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
Potential fix for code scanning alert no. 36: Incomplete string escaping or encoding
…ing or encoding

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
Potential fix for code scanning alert no. 35: Incomplete string escaping or encoding
…ter sanitization

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
Potential fix for code scanning alert no. 20: Incomplete multi-character sanitization
…ing or encoding

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
Potential fix for code scanning alert no. 34: Incomplete string escaping or encoding
…ing or encoding

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
Potential fix for code scanning alert no. 33: Incomplete string escaping or encoding
…ing or encoding

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
Potential fix for code scanning alert no. 31: Incomplete string escaping or encoding
…ing or encoding

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
Potential fix for code scanning alert no. 29: Incomplete string escaping or encoding
…as HTML

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
Potential fix for code scanning alert no. 12: DOM text reinterpreted as HTML
…as HTML

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
Potential fix for code scanning alert no. 14: DOM text reinterpreted as HTML
…ter sanitization

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
7 participants