Here we go, next step then.
As we did not fix the performance issue when autofiltering
the variables (see bug 20975), the only solution we have is to add the
filters explicitely.
This patch has been autogenerated (using add_html_filters.pl, see next
pathces) and add the html filter to all the variables displayed in the
template.
Exceptions are made (using the new 'raw' TT filter) to the variable we
already listed in the previous versions of this patch.
To test:
- Use t/db_dependent/Koha/Patrons.t to populate your DB with autogenerated
data which contain <script> tags
- Remove them from borrower_debarments.comments (there are allowed here)
update borrower_debarments set comment="html tags possible here";
- From the interface hit page and try to catch alert box.
If you find one it means you find a possible XSS.
To know where it comes from:
* note the exact URL where you found it
* note the alert box content
* Dump your DB and search for the string in the dump to identify its
location (for instance table.field)
Next:
* Ideally we would like to use the raw filter when it is not necessary
to HTML escape the variables (in big loop for instance)
* Provide a QA script to catch missing filters (we want html, uri, url
or raw, certainly others that I am forgetting now)
* Replace the html filters with uri when needed (!)
Signed-off-by: Owen Leonard <oleonard@myacpl.org>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
To test:
1 - Apply patch and update dabase
2 - Check that Search the Catalog links throughout the staff interface
have not changed
3 - Set "IntranetCatalogSearchPulldown" to 'Show'
4 - Verify that 'Search the catalog' links through staff client now have
a dropdwon to select search index
I think viewing one file each that includes updated header should be
sufficient, but please check as many as you can:
cgi-bin/koha/admin/aqbudgetperiods.pl
cgi-bin/koha/admin/admin-home.pl
cgi-bin/koha/cataloguing/addbooks.pl
cgi-bin/koha/circ/returns.pl
cgi-bin/koha/circ/circulation-home.pl
cgi-bin/koha/admin/cities.pl
cgi-bin/koha/admin/aqcontract.pl
cgi-bin/koha/admin/currency.pl
cgi-bin/koha/mainpage.pl
cgi-bin/koha/tools/letter.pl
cgi-bin/koha/members/members-home.pl
cgi-bin/koha/admin/categories.pl
cgi-bin/koha/admin/preferences.pl
cgi-bin/koha/admin/printers.pl
cgi-bin/koha/serials/serials-home.pl
cgi-bin/koha/acqui/newordersuggestion.pl
cgi-bin/koha/admin/z3950servers.pl
Sponsored by:
Northeast Kansas Library System (http://nekls.org/)
Signed-off-by: Heather Braum <hbraum@nekls.org>
Signed-off-by: Barton Chittenden <barton@bywatersolutions.com>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
This patch removes the use of "onclick" from all header search forms for
the purpose of triggering the "keep_text" function. This behavior is now
handled in the globally-included JS file.
To test, apply the patch and clear your cache if necessary.
- Enter text in any header search form field. Click to each other tab
in the header and confirm that your text is copied to each.
- Test the behavior of the header search form on at least one page where
each is included:
- The staff client home page
- The advanced search page
- The authorities home page
- The administration home page
- The cataloging home page
- The checkin page
- The circulation home page
- The patrons home page
- Acquisitions -> Vendor -> Contracts
- Administration -> Cities
- Administration -> Currencies and exchange rates
- Administration -> Patron categories
- Administration -> Printers (why is this page still around?)
- Administration -> System preferences
- Administration -> Z39.50/SRU servers
- Tools -> Notices & slips
This patch modifies does not fix the existing (unreported) bug which
prevents the keep text function from working in the include file used on
these pages:
- Acquisitions -> Vendor -> Basket -> New order from suggestion
- Administration -> Budgets
- The serials home page
Signed-off-by: Claire Gravely <c.gravely@arts.ac.uk>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
I have only changed this in the includes for the tabs at the top.
Dependent on Bug 12051 as that patch adds extra tabs to the top which would need to be changed later
To test:
1) Apply Bug 12051 first, then this patch
2) Ensure that Check Out/Check In/Renew tabs still work as they should
3) Check patch for errors or pages I've missed
Signed-off-by: Marc Véron <veron@veron.ch>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Signed-off-by: Brendan Gallagher brendan@bywatersolutions.com
To test:
Apply the patch and see that the text now is there in the search
box when clicking the tabs: check in, check out etc..
(More files changed for persistent text in searchbox)
Sponsored-by: Halland County Library
Signed-off-by: Magnus Enger <magnus@enger.priv.no>
This is something I have wanted quite a few times over the years...
Tested by going to every main area of Koha, entering some random
text into the search box and then clicking on all the available tabs
to check that the entered text is carried over to all the boxes.
There are a couple of places where text is not carried over, but I
guess that might be because one of the boxes is structurally
different to the others. These are:
- "Vendor search" and "Orders search" in Acquisitions
- "Search subscriptions" in Serials
I have not looked at how this is implemented, just that it works as
it should.
Bug 14189 refactor after failed QA.
Signed-off-by: Jonathan Druart <jonathan.druart@koha-community.org>
Amended patch: replace tabs with spaces
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
Some includes and templates contained duplicate "header" ids in
the markup. The problem should have come up in routine page
validation, but was obvious when custom CSS was applied.
To test, load any of the affected pages and validate the
generated HTML. There should be no errors about 'ID "header"
already defined." Or, add custom CSS to intranetusercss:
...and confirm that only the topmost menu background is affected.
Signed-off-by: Chris Cormack <chrisc@catalyst.net.nz>
Signed-off-by: Paul Poulain <paul.poulain@biblibre.com>
Current jQuery-driven tabs are done using a very old
version of the tabs plugin. This patch upgrades jQueryUI
to the latest version and adds the tabs widget dependency
to the jqueryui js file and updates the syntax for existing
tabs:
- $("#foo > ul").tabs(); changes to $("#foo").tabs();
- Remove full URL from tab links (use #anchor only).
Pages with "static" tabs (tabs which are built in the
markup rather than generated by the plugin) have been
modified to use their own style. Examples: pay.tt in
the staff client and opac-readingrecord.tt in the OPAC.
Edit: Minor revision to some uncorrected markup
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Signed-off-by: Paul Poulain <paul.poulain@biblibre.com>
In order to facilitate a more painless process for converting
to jQueryUI I will submit separate patches for various "widgets,"
starting with Autocomplete.
This patch replaces all instances of YUI autocomplete with
a jQueryUI version. The patch includes an up-to-date version
of jQuery and jQueryUI libraries.
The patch also moves some markup in instances where it should
have been removed in favor of a different include.
To test, find the various autocomplete instances and confirm
that they are working:
- Circulation search header autocomplete
- Overdues patron attribute authorized value filter (must
have patron attributes enabled, and a patron attribute
defined which uses authorized values.
- Authorities search plugin. Edit a MARC record and use
an authorities plugin link to do a search for authority
records.
Incomplete: There is a YUI autocomplete instance in a UNIMARC
plugin (unimarc_field_210c_bis.tt) which I couldn't figure out
how to test, even on a sandbox set up with UNIMARC. I could use
help with a follow-up.
http://bugs.koha-community.org/show_bug.cgi?id=7447
Signed-off-by: Liz Rea <wizzyrea@gmail.com>
Passes all tests outlined, is quite pretty.
Passes t xt
Signed-off-by: Ian Walls <koha.sekjal@gmail.com>
Omnibus of changes thus far:
adds slight transparency for news so logo shows through on mainpage..
Fixes purple header gradient in Chrome-based browsers.
remove list from returns.tt options so checkboxes do not have bullets.
fix missing gradient class on returns.tt.
reverse colors of menu div - blue for inactive, grey for active.
turns searchheader blue, rounds corners, improves spacing for sort form.
Adds padding, rounded corners, and a 1px border to the now-blue toolbar.
increase width of intranet nav div to width 40%
add a bit of padding to #searchheader
fieldset.action changes - removed background, added a little padding to make it look better in all of the uses I could find of it.
Bug 7998 - followup - make facets header background blue
bug 7998 - followup - fixing headers on search.pl to be blue, rounded.
bug 7998 - followup - consistency tweaks
match menu borders to the search header tabs (green border)
hover menus a very light grey instead of #eee.
make fieldset.brief have a consistent border with the rest of the fieldsets.
bug 7998 - followup - more tabs/borders updating to fit in new look
boraccount.pl
bug 7998 - followup - add gradient div to prefs-admin-search.inc
Bug 7998 - Change toolbar to be lighter, with barely discernible border
Will need to be applied after the other patch.
Bug 7998 - add gradient to roadtype admin panel
Bug 7998 - adds gradient to patrons-admin-search.tt
Bug 7998 - add gradient to budgets-admin-search.inc
bug 7998 - add gradient to z3950-admin-search.inc
Bug 7998 - add gradient to cities-admin-search.inc
bug 7998 - active tab on checkout table now has green border like side menu
Signed-off-by: Jared Camins-Esakov <jcamins@cpbibliography.com>
String changes:
- Correcting tab name from "Search budgets" to "Seach funds"
- Changing search option from "Name" to "Fund code"
Signed-off-by: Nicole C. Engard <nengard@bywatersolutions.com>
Strings look a-ok.
This big patch, fix xhtml code, and user interface.
It Delete the term of budget period and use it as "Root Budget".
It add improvment on UI, adding tooltip, and table tree.
* budget period management
* budget management (budgets lines are defined for a given budget period)
budget_owner_search is the popup to select a librarian as budget owner