Here we go, next step then.
As we did not fix the performance issue when autofiltering
the variables (see bug 20975), the only solution we have is to add the
filters explicitly.
This patch has been autogenerated (using add_html_filters.pl, see next
patches) and adds the html filter to all the variables displayed in the
template.
Exceptions are made (using the new 'raw' TT filter) for the variables we
already listed in the previous versions of this patch.
To test:
- Use t/db_dependent/Koha/Patrons.t to populate your DB with autogenerated
data which contain <script> tags
- Remove them from borrower_debarments.comments (they are allowed here)
update borrower_debarments set comment="html tags possible here";
- From the interface, hit pages and try to catch an alert box.
If you find one, it means you have found a possible XSS.
To know where it comes from:
* note the exact URL where you found it
* note the alert box content
* Dump your DB and search for the string in the dump to identify its
location (for instance table.field)
Next:
* Ideally we would like to use the raw filter when it is not necessary
to HTML escape the variables (in big loops, for instance)
* Provide a QA script to catch missing filters (we want html, uri, url
or raw, certainly others that I am forgetting now)
* Replace the html filters with uri when needed (!)
Signed-off-by: Owen Leonard <oleonard@myacpl.org>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
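As an added example, not part of this patch or of Koha's own QA tools: a small Python check of the kind the "Next" list asks for, scanning Template Toolkit directives and reporting output directives whose last filter is not html, uri, url or raw. The sample template is constructed; the accepted-filter set and the rule of looking only at the last filter are assumptions.

```python
import re

# Filters that make an output directive acceptable (assumed from the commit
# message's list: html, uri, url, raw).
ALLOWED_FILTERS = {"html", "uri", "url", "raw"}

# Directives that never print a variable directly, so no filter is required.
NON_OUTPUT_KEYWORDS = {
    "IF", "ELSIF", "ELSE", "UNLESS", "END", "FOREACH", "WHILE", "SWITCH",
    "CASE", "INCLUDE", "PROCESS", "SET", "USE", "BLOCK", "CALL", "DEFAULT",
    "MACRO", "WRAPPER", "FILTER", "LAST", "NEXT", "RETURN", "STOP", "TRY",
    "CATCH", "FINAL", "THROW", "INSERT",
}

# [% ... %] with optional chomp markers ([%- ... -%]), possibly multi-line.
DIRECTIVE_RE = re.compile(r"\[%-?\s*(.*?)\s*-?%\]", re.DOTALL)
# [% foo = bar %] assigns without printing anything.
ASSIGNMENT_RE = re.compile(r"^[\w.]+\s*=[^=]")

def directive_is_output(body):
    """True when a directive body prints a value into the page."""
    if not body or body.startswith("#"):  # empty or [%# comment %]
        return False
    if body.split(None, 1)[0].upper() in NON_OUTPUT_KEYWORDS:
        return False
    return ASSIGNMENT_RE.match(body) is None

def last_filter(body):
    """Name of the last '| filter' applied, or None if there is none."""
    parts = [p.strip() for p in body.split("|")]
    if len(parts) < 2:
        return None
    # '| html', '| truncate(20)' and '| $raw' all reduce to the bare name.
    return re.split(r"[\s(]", parts[-1].lstrip("$"), maxsplit=1)[0]

def find_missing_filters(template):
    """Return [(line_number, directive_body), ...] for output directives
    whose last filter is not in ALLOWED_FILTERS."""
    findings = []
    for m in DIRECTIVE_RE.finditer(template):
        body = m.group(1)
        if directive_is_output(body) and last_filter(body) not in ALLOWED_FILTERS:
            findings.append((template.count("\n", 0, m.start()) + 1, body))
    return findings

# Constructed sample template: lines 4 and 7 should be reported.
SAMPLE = """[% INCLUDE 'doc-head-open.inc' %]
<title>[% title | html %]</title>
[% IF ( patron ) %]
<h1>[% patron.firstname %] [% patron.surname | html %]</h1>
<a href="/cgi-bin/koha/members/moremember.pl?borrowernumber=[% patron.borrowernumber | uri %]">Details</a>
[% FOREACH item IN items %]
  <td>[% item.barcode | html | upper %]</td>
  <td>[% item.note | $raw %]</td>
  [% bar = item.note %]
[% END %]
[% END %]
[%# a comment directive %]
"""
```

Running `find_missing_filters(SAMPLE)` reports line 4 (`patron.firstname`, no filter at all) and line 7 (`upper` applied after `html`, so the last filter is not an escaping one).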
This patch replaces koha-logo-medium.gif with a fully-transparent png.
This patch also adds a white version in case someone finds it useful.
To test, apply the patch and clear your cache if necessary.
- View any page in the staff client and confirm that the Koha logo in
the header area looks correct.
- Add the following to IntranetUserCSS:
.gradient {
background: #46B9EA none;
}
- Reload the page and confirm that the Koha logo doesn't have a white
fringe around the edges.
- Append this to the CSS you added to IntranetUserCSS above:
h1#logo {
background-image: url("/intranet-tmpl/prog/img/koha-logo-medium-white.png");
}
- Reload the page and confirm that the new white logo appears
Signed-off-by: Claire Gravely <claire.gravely@bsz-bw.de>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
Signed-off-by: Owen Leonard <oleonard@myacpl.org>
Signed-off-by: Jonathan Druart <jonathan.druart@biblibre.com>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
This patch moves the JavaScript files in prog/en/js to prog/js.
JavaScript files do not need to be in the directory which is processed
by the translator.
To test, apply the patch and visit various pages in the staff client to
confirm that JavaScript files are still loading correctly.
Revised: I intended for this to be built on top of Bug 15883 as well as
Bug 16242. Now it is.
Signed-off-by: Bernardo Gonzalez Kriegel <bgkriegel@gmail.com>
On top of 15883 and 16241
All seems to work, js files pulled from new dir.
No errors
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
This patch removes images from the staff client templates which are no
longer used.
To test you must (as of 2016-04-22) apply the patch for Bug 16241.
Apply the patch and search for references in the Koha code to
the removed images. You should find none.
The staff client CSS file has been updated to remove obsolete references
to image files. These old styles were made obsolete by the switch to
Font Awesome icons.
Revision removes reference to glyphicons-halflings-koha.png from
circ/offline-mf.tt
Signed-off-by: Bernardo Gonzalez Kriegel <bgkriegel@gmail.com>
On top of Bug 16241
No references to deleted files (only in PO files, but that will be fixed later)
No errors
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
The staff client CSS is not language-specific, so it can be moved out of
the en/ directory and thus not be duplicated for every translation.
In order to be able to have a generic path to the YUI CSS files, the YUI
directory is moved by this patch to the staff client's lib/ directory.
To test, apply the patch and visit various pages in the staff client.
Look in particular at pages which include more than the standard CSS.
For example:
- The staff client login page.
- The staff client home page.
- Patron -> Set permissions.
- The advanced cataloging editor.
- Acquisitions -> Vendor -> Basket groups.
- Tools -> News -> Edit news.
- Administration -> System preferences.
Revised: I intended for this to be built on top of Bug 15883. Now it is.
Signed-off-by: Bernardo Gonzalez Kriegel <bgkriegel@gmail.com>
On top of 15883
Works as described, all pages on test plan
No Errors
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
This patch updates the staff client version of jQuery to 2.2.3. In order
to maintain compatibility with existing scripts, the jQuery migrate
plugin has also been added.
Included is the development version of the jQuery migrate plugin.
Developers could modify doc-head-close.inc to use this version if they
wanted to take advantage of its upgrade warning log.
To test, apply the patch and test JavaScript interactions everywhere in
the staff client.
Signed-off-by: Marc Véron <veron@veron.ch>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Signed-off-by: Brendan Gallagher <bredan@bywatersolutions.com>
The YUI CSS file "skin.css" is no longer relevant to the staff client
templates and can be removed. Other references to YUI-related classes,
with the exception of grids, can also be removed.
This patch removes references in CSS to:
.yuimenuitemlabel
.yui-button
.yui-menu-button
...and removes the "yui-skin-sam" class from two templates' body tag.
skin.css is also included in a list of assets cached by the offline
circulation page. It can be safely removed.
To test, apply the patch and clear your cache if necessary. Look around
and confirm that the style of the staff client is unchanged.
Search for references to the listed classes and confirm that none are
found.
Revised patch squashes in the follow-up as well as a missing commit
removing skin.css from staff-global.css.
Signed-off-by: Marc Véron <veron@veron.ch>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Signed-off-by: Brendan Gallagher <brendan@bywatersolutions.com>
The offline circulation asset manifest includes some YUI JavaScript
files which are no longer used by any template in Koha except for
acquisitions/basketgroup.tt. This patch removes them from the manifest.
To test, apply the patch and test offline circulation. Everything should
work correctly.
Signed-off-by: Chris Cormack <chris@bigballofwax.co.nz>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Signed-off-by: Galen Charlton <gmc@esilibrary.com>
We handle internationalization of the jQuery datepicker by adding
language configuration strings to calendar.inc which can be processed by
the translation script. This patch adds a similar configuration file for
the timepicker.
This patch also upgrades the timepicker plugin to the latest version,
minified, and places it outside the prog template directory for global
use. The path in templates has been updated accordingly.
CSS has been added to more completely hide the controls for seconds,
milliseconds, and microseconds.
To test, apply the patch and clear your cache so that the browser
loads the new version of the jQuery plugin. Confirm that date and time
selection still function correctly on the circulation page, the patron
detail page, and the offline circulation page (circ/offline.pl).
Test at least one datepicker instance which does not use the
timepicker.
Run translate update on a po file and confirm that the timepicker
strings are now present.
Signed-off-by: Chris Cormack <chris@bigballofwax.co.nz>
Signed-off-by: Jonathan Druart <jonathan.druart@biblibre.com>
Works as expected, no regression found.
Signed-off-by: Galen Charlton <gmc@esilibrary.com>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Signed-off-by: Katrin Fischer <Katrin.Fischer.83@web.de>
Signed-off-by: Galen Charlton <gmc@esilibrary.com>
The next month/previous month icons for the datepicker were not available
offline. With this patch they are.
Signed-off-by: Bernardo Gonzalez Kriegel <bgkriegel@gmail.com>
Signed-off-by: Chris Cormack <chris@bigballofwax.co.nz>
Signed-off-by: Jonathan Druart <jonathan.druart@biblibre.com>
Signed-off-by: Galen Charlton <gmc@esilibrary.com>
Address the following issues:
1/ Address minor qa issues with the templates:
FAIL koha-tmpl/intranet-tmpl/prog/en/modules/circ/offline-mf.tt
FAIL forbidden patterns
forbidden pattern: intranet-tmpl should certainly
replaced with [% interface %] (line 24)
[etc.]
OK tt_valid
OK valid_template
FAIL koha-tmpl/intranet-tmpl/prog/en/modules/circ/offline.tt
FAIL forbidden patterns
forbidden pattern: intranet-tmpl should certainly
replaced with [% interface %] (line 509)
[etc.]
FAIL tt_valid
lines 5, 5
2/ Run perltidy on new scripts
3/ download.pl returns data.finished = 1 if number of returned
data < 5000 (avoids 1 ajax call)
4/ Replace qq{} around sql queries with q{}
Also, a race condition existed that resulted in pending transactions
only getting deleted from the local database in certain circumstances
(fast connections under Chrome, mostly). This patch fixes that so that
successfully-uploaded transactions are always deleted.
This patch also addresses Jonathan's suggestion:
3/ add a message on check in (currently the input becomes empty but the
user is not informed).
... and Magnus's suggestion about moving the Synchronize link to the
right on the homepage.
Also, this addresses the further issues Jonathan noted:
- The tab of checkouts always shows "*0* Checkouts"
- If I am not well-educated, I click on the "Check out" link on the
offline home page, I enter a barcode, click on "Check out" and I get a
js error (without user message): "TypeError: curpatron is undefined"
(with chromium I get: Numeric transaction modes are deprecated in
IDBDatabase.transaction. Use "readonly" or "readwrite").
- There is a "border-right" css rule on the h5.patron-title. It is
displayed when there is no patron selected [really minor!].
- tables are displayed even if there is no data
- The "Clear screen" link (X) points to an old script:
circ/offline-circulation.pl
- There is a warning when clicking on the "Synchronize" link when the
user is offline, but not for the "Pending offline circulation actions"
link.
- Still exists:
> The "Checked in item." message text never disappears (even if I go to the
> offline home page (circ/offline.pl#offline-home)).
Finally, this patch adds a link to the Pending offline operations page
on the synchronize page for easier navigation.
Signed-off-by: Bernardo Gonzalez Kriegel <bgkriegel@gmail.com>
Signed-off-by: Chris Cormack <chris@bigballofwax.co.nz>
Signed-off-by: Jonathan Druart <jonathan.druart@biblibre.com>
Signed-off-by: Galen Charlton <gmc@esilibrary.com>
This patch adds an HTML5-based offline mode to Koha's existing
circulation module, allowing librarians to check out items using a
basically familiar interface. The feature will be implemented using
the Application Cache and IndexedDB features of the HTML5 specification,
both of which are fully supported on Firefox 10+ and Chrome 23+, with
limited support going back to Firefox 4 and Chrome 11. The basic
workflow enabled by this patch is as follows:
Part 1: While connected to the Internet
1. Enable offline functionality by turning on the
"AllowOfflineCirculation" system preference.
2. Sync the offline circulation database on the computer that will be
used for offline circulation by following the "Offline circulation
interface" link on the Circulation home page, choosing "Synchronize (must be online)",
and clicking the "Download records" button. This process may take a while.
3. Bookmark /cgi-bin/koha/circ/offline.pl (the page you are currently
on) for easy access when offline.
Part 2: While disconnected from the Internet
4. Navigate to /cgi-bin/koha/circ/offline.pl using the bookmark you
created while online.
5. Start checking books in by scanning the barcode of an item that has
been returned into the box in the "Check in" tab.
6. Scan the barcodes of any additional items that have been returned.
7. Start checking out books to a patron by scanning the patron's barcode
in the box in the "Check out" tab.
8. Set a due date (the "Remember for session" box will be checked by
default, since circulation rules are not computed during offline
transactions and therefore a due date must be specified by the
librarian).
9. Scan an item barcode (if you did not set a due date, it will prompt
you) to check the item out to the patron.
10. If a patron has a fine you can see the total amount (current to when
the offline module was synced), and record a payment. Unlike when in
online mode, there will be no breakdown of what item(s) fines are
for, and you will only be able to record the payment amount and not
associate it with a particular item.
Part 3: While connected to the Internet
11. Click the "Synchronize" link and choose "Upload transactions" to
upload the transactions recorded during the offline circulation
session.
12. Navigate to /cgi-bin/koha/offline_circ/list.pl (there will be a
link from the Offline circulation page) and review the
transactions, as described in the documentation for the Firefox
Offline circulation plugin:
http://wiki.koha-community.org/wiki/Offline_circulation_firefox_plugin
RM note: the IndexedDB jQuery plugin bundled with this patch is
copyright 2012 by Parashuram Narasimhan and other contributors and is
licensed under the MIT license. The home page for the plugin is
http://nparashuram.com/jquery-indexeddb/.
Signed-off-by: Chris Cormack <chris@bigballofwax.co.nz>
Signed-off-by: Bernardo Gonzalez Kriegel <bgkriegel@gmail.com>
Comment: Works very well, no koha-qa errors
Test with Firefox 24.0
1) did some checkouts pre sync
2) synchronize database (Download)
3) go offline
4) Proceed to checkin some items from patron
5) Proceed to checkout items to patrons, setting date
6) Proceed to checkout to expired patron, warning appears
7) go online
8) Upload records
9) go to review transactions and proceed
10) verified on patrons that checkin/out are done
Signed-off-by: Chris Cormack <chris@bigballofwax.co.nz>
Signed-off-by: Jonathan Druart <jonathan.druart@biblibre.com>
Signed-off-by: Galen Charlton <gmc@esilibrary.com>