See patch on bug 21576 comment 14
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
This patch has been generated with the script provided on bug 21576.
It only affects variables used in the href attribute of a link *when*
href is the first attribute of the node (grep "a href")
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
Signed-off-by: Owen Leonard <oleonard@myacpl.org>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
Here we go, next step then.
As we did not fix the performance issue when autofiltering
the variables (see bug 20975), the only solution we have is to add the
filters explicitly.
This patch has been autogenerated (using add_html_filters.pl, see next
patches) and adds the html filter to all the variables displayed in the
template.
Exceptions are made (using the new 'raw' TT filter) for the variables we
already listed in the previous versions of this patch.
To test:
- Use t/db_dependent/Koha/Patrons.t to populate your DB with autogenerated
data which contains <script> tags
- Remove them from borrower_debarments.comments (they are allowed here)
update borrower_debarments set comment="html tags possible here";
- From the interface, hit pages and try to catch alert boxes.
If you find one it means you have found a possible XSS.
To know where it comes from:
* note the exact URL where you found it
* note the alert box content
* Dump your DB and search for the string in the dump to identify its
location (for instance table.field)
Next:
* Ideally we would like to use the raw filter when it is not necessary
to HTML escape the variables (in big loop for instance)
* Provide a QA script to catch missing filters (we want html, uri, url
or raw, certainly others that I am forgetting now)
* Replace the html filters with uri when needed (!)
Signed-off-by: Owen Leonard <oleonard@myacpl.org>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
Caused by bug 18403.
From patron-title.inc, we need an IF instead of UNLESS.
Test plan:
Create organizations
Search for patrons
=> Without this patch the "Name" column is empty for organizations
=> With this patch applied you will see the surname (and othernames if
it exists)
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
There should be a space between patron name and cardnumber on the check
out screen.
This patch adds a space between patron and cardnumber.
To test:
1 type a patron name into the check out search or go to the check out
tab from a patron record
2 Confirm there is no space between patron name and cardnumber on the
check out page
3 apply patch
4 confirm there is now a space
5 sign off :)
Signed-off-by: Sebastian Hierl <s.hierl@aarome.org>
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
== Test plan ==
1. go to /cgi-bin/koha/members/members-home.pl
2. search "a"
3. results never display
4. apply patch
5. search "a"
6. results display
Signed-off-by: Owen Leonard <oleonard@myacpl.org>
Signed-off-by: Julian Maurice <julian.maurice@biblibre.com>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
There is already a HidePatronName syspref to hide patron's information on
bibliographic record detail pages and the hold list.
Test plan:
With HidePatronName enabled, make sure the patron's information is hidden
from the catalogue and hold list pages. If the logged-in user is not allowed
to see the patron's info, no link and no cardnumber will be displayed.
With HidePatronName disabled, make sure the patron's information is
displayed if the logged-in user is allowed to see the patron's info.
Technical note:
This patch improves the existing patron-title.inc include file to display
patron's information. Using it everywhere patron's details are displayed
will make it possible to homogenise the way they are displayed. The file now
takes a patron object (which should be, in the future, the only way to use
it); that way we can call the new method on it to know if patron's
information can be shown by the logged-in user.
NOTE: I am not sure this syspref makes sense anymore. Shouldn't we remove it?
Signed-off-by: Jon McGowan <jon.mcgowan@ptfs-europe.com>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Modified pages:
circ/circulation.pl
circ/circulation_batch_checkouts.pl
members/boraccount.pl
members/files.pl
members/holdshistory.pl
members/housebound.pl
members/moremember.pl
members/notices.pl
members/purchase-suggestions.pl
members/readingrec.pl
members/routing-lists.pl
members/statistics.pl
Test plan:
0) Do not apply the patch
1) Have a patron with title/salutation filled in
2) Confirm the bug: go for example to the circ/circulation page and see there is
html in the <title> tag (you can see it in your browser page/window title)
3) Apply the patch
4) Go through circulation/patron pages (see modified pages above) and
confirm there is no html in the <title> tag, but on the page itself the
salutation should be in <span class="patron-title">
Signed-off-by: David Bourgalt <david.bourgault@inlibro.com>
Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
There are other scripts where the borrower variable is not defined and
the fields are passed one by one.
To have a consistent behaviour we should add the title at the different
places.
Note that this script also adds the use of the include file for
statistics.tt and removes the passing of parameters to the template, already
done later:
99 $template->param(%$borrower);
Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Signed-off-by: Owen Leonard <oleonard@myacpl.org>
Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
There are certainly hundreds of places where they are not escaped...
Test plan:
Create a patron with "Arun <script>alert('code injection');</script>" in
some of the fields.
Signed-off-by: Chris Cormack <chris@bigballofwax.co.nz>
Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>
Signed-off-by: Brendan Gallagher <brendan@bywatersolutions.com>
This patch removes double patron card numbers from patron search results.
To test:
Search patrons
See card number 12345 in first column and in second column like Testman, John (12345)
Apply patch
Patron card number no longer displays in second column
Further testing:
Search for other places in intranet where patron-title.inc is used (git grep 'patron-title.inc')
The card number still should display at the other places.
Signed-off-by: Chris <chris@bigballofwax.co.nz>
http://bugs.koha-community.org/show_bug.cgi?id=8096
Signed-off-by: Chris <chris@bigballofwax.co.nz>
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
Signed-off-by: Tomas Cohen Arazi <tomascohen@gmail.com>
This patch adds DataTables using server-side processing for the patrons
search.
It adds:
- 1 module C4/Utils/DataTables/Members.pm
- 2 services svc/members/search and svc/members/add_to_list
- 1 template members/tables/members_results.tt
- 1 new practice which is to add template for DataTables in a
subdirectory named 'tables'.
Impacted scripts: members/members-home.pl and members/members.pl
To go further: We can imagine that all patrons searches use the same
service with no big changes: 1 little template creates a JSON file and
to implement DataTables on the template page, that's all.
Amended patch: Since bug 10565 has been pushed, these patches don't
apply cleanly. I had to rewrite a part of the patron list feature.
I removed the choice to add all resultant patrons from a search. I think
this choice is useless with this patch: we are able to display the
number of patrons we want and to select all of them.
Test plan:
- Check that there is no regression on searching patrons.
- Try filters on the left of the screen.
- Try to sort each column.
- Try the "Browse by last name" links.
- Check that the "Clear" button clears yours filters.
- Try with IndependantBranches ON and OFF.
- Verify this feature does not break the patron list feature (cf bug
10565).
Signed-off-by: Cedric Vita <cedric.vita@dracenie.com>
Signed-off-by: Katrin Fischer <Katrin.Fischer.83@web.de>
Passes all tests and QA script, couldn't find any regressions
or problems. Some notes left on the bug.
Bug 9811: Add unit tests for C4::Utils::DT::Members
Signed-off-by: Katrin Fischer <Katrin.Fischer.83@web.de>
Bug 9811: QA followup
- removes 2 tabs
- removes mysqlisms
- add sort on borrowernotes
- fix wrong capitalization
- cat => Category
Signed-off-by: Katrin Fischer <Katrin.Fischer.83@web.de>
Thx for fixing these!
Bug 9811 - multiline notes break JSON
In new patron search feature, the search results are fetched using Ajax and returned in JSON format.
The JSON is created by TT using koha-tmpl/intranet-tmpl/prog/en/modules/members/tables/members_results.tt.
One of the fields is the borrower notes. When these notes contain several lines, the JSON is broken.
This patch uses TT filters to convert linefeeds in notes into HTML line breaks (html_line_break) and then remove linefeeds (collapse).
Test plan :
- perform a member search that does not return a borrower with a circ note
- edit one of the borrowers returned by this search
- enter several lines of text in "Circulation note" and save
- re-perform the member search
=> circ note is well displayed on several lines
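To show what the html filters added in the bug 21576 commit above and the html_line_break/collapse pair described here actually do to a template variable, an added Perl example (not Koha's own code); it assumes the Template Toolkit module is installed and registers an assumed identity 'raw' filter in place of Koha's:

```perl
#!/usr/bin/perl
# Added example, not Koha's own code: renders constructed patron data through
# Template Toolkit with and without the html filter, and through the
# html_line_break/collapse pair used for the JSON notes fix.
use strict;
use warnings;
use Template;

# Constructed patron record in the spirit of the <script>-tagged test data.
my $patron = {
    surname       => "Arun <script>alert('code injection');</script>",
    cardnumber    => '12345',
    borrowernotes => "first line\nsecond line",
};

# Koha registers a 'raw' filter for deliberate exceptions; here it is an
# assumed identity filter so the templates below parse stand-alone.
my $tt = Template->new( FILTERS => { raw => sub { return $_[0] } } )
    or die Template->error;

# Render a template string against the constructed patron and return the output.
sub render {
    my ($template_text) = @_;
    my $out = '';
    $tt->process( \$template_text, { patron => $patron }, \$out )
        or die $tt->error;
    return $out;
}

# Unfiltered: the <script> element is emitted verbatim, i.e. the XSS sink.
my $unfiltered = render('[% patron.surname %] ([% patron.cardnumber %])');

# html filter: < > & " become entities, so the browser shows text, not markup.
my $escaped = render('[% patron.surname | html %] ([% patron.cardnumber | html %])');

# Explicit exception: raw yields the same text as unfiltered and is kept only
# where the variable is known to hold trusted HTML.
my $raw = render('[% patron.surname | raw %]');

# Notes for the JSON table: escape, turn each linefeed into <br />, then
# collapse whitespace so the value stays on one line of the JSON document.
my $notes = render('[% patron.borrowernotes | html | html_line_break | collapse %]');

print "unfiltered: $unfiltered\n";
print "html:       $escaped\n";
print "raw:        $raw\n";
print "notes:      $notes\n";
```

Run it and compare the four lines: only the html-filtered output is safe to place in a page, and the notes line contains a single `<br />` with no embedded newline.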
Bug 9811: use count(primary_key) instead of count(*)
Bug 9811: A limit clause should be always added.
By default, we want to retrieve 20 first results.
Bug 9811: Load the page without any data.
Displaying the first 20 patrons is not useful. With this patch, the
table is hidden and no record is retrieved by default.
In the same way, the existing side effect on redirect disappears.
Signed-off-by: Olli-Antti Kivilahti <olli-antti.kivilahti@jns.fi>
-------------
-TEST REPORT-
-------------
For the filter: Tested all the search fields, branches, search type.
Found a bug with "date of birth", followup provided.
Tested display limits and verified that AJAX-queries are
efficient (using LIMIT clause) to not stress DB needlessly.
Tested adding Patrons to a list.
A good feature, which seems to work quite well.
Signed-off-by: Katrin Fischer <Katrin.Fischer.83@web.de>
Adding my test plan to the last patch of this bug.
Signed-off-by: Tomas Cohen Arazi <tomascohen@gmail.com>
This patch adds other name to the include which is used
to display patron names and adds this include in several
places where it can be used in place of direct output.
The patron-title include has been modified to handle the
two possible variable scopes throughout patron-related
templates. This is a hack similar to having both
circ-menu.tt and circ-menu.inc, but keeping both in the
same file.
Changes to some scripts were necessary to make the
othernames variable available to the include.
This patch also corrects some <title> tags and fixes
some incorrect capitalization (see Bug 2780).
To test, view each of the pages affected by these
template changes and confirm that the patron's name
displays correctly, including their "other name."
Signed-off-by: Marc Veron <veron@veron.ch>
Followed instructions above, works as expected.
Signed-off-by: Paul Poulain <paul.poulain@biblibre.com>
Bug 6303 introduced an include file governing patron name display;
unfortunately that changed patron display in search result lists and
on the circ screen header. This adds a parameter restoring the
original surname, firstname order, whose absence was perceived
as a loss of functionality.
Signed-off-by: Owen Leonard <oleonard@myacpl.org>
Signed-off-by: Paul Poulain <paul.poulain@biblibre.com>
Signed-off-by: Katrin Fischer <Katrin.Fischer.83@web.de>
Works as advertised, doesn't affect display for non-organisational patrons.
Note: Display change in OPAC only affects the summary tab.
It would be a little bit more consistent to make the name show the
same on all tabs in OPAC patron account.
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
I repeated Katrin's signoff here (with permission). The patch only changed for some minor rebasing and cosmetic QA requests. Passed QA now.
Signed-off-by: Paul Poulain <paul.poulain@biblibre.com>