Here we go, next step then.
As we did not fix the performance issue when autofiltering
the variables (see bug 20975), the only solution we have is to add the
filters explicitly.
This patch has been autogenerated (using add_html_filters.pl, see next
patches) and adds the html filter to all the variables displayed in the
template.
Exceptions are made (using the new 'raw' TT filter) for the variables we
already listed in the previous versions of this patch.
To test:
- Use t/db_dependent/Koha/Patrons.t to populate your DB with autogenerated
data which contain <script> tags
- Remove them from borrower_debarments.comments (they are allowed here)
update borrower_debarments set comment="html tags possible here";
- From the interface, hit pages and try to catch an alert box.
If you find one, it means you have found a possible XSS.
To know where it comes from:
* note the exact URL where you found it
* note the alert box content
* Dump your DB and search for the string in the dump to identify its
location (for instance table.field)
Next:
* Ideally we would like to use the raw filter when it is not necessary
to HTML escape the variables (in big loops for instance)
* Provide a QA script to catch missing filters (we want html, uri, url
or raw, certainly others that I am forgetting now)
* Replace the html filters with uri when needed (!)
Signed-off-by: Owen Leonard <oleonard@myacpl.org>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
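As an added example (not code from the Koha patch series above), a small QA check in the spirit of the "Provide a QA script to catch missing filters" item: it scans Template Toolkit markup for output directives that carry none of the html, uri, url or raw filters. The SAMPLE fragment, the function names and the list of control keywords are this example's own assumptions.

```python
import re

# Filters the commit message accepts on an output variable.
ACCEPTED_FILTERS = {"html", "uri", "url", "raw"}
# TT keywords that open control structures or assign, rather than print.
CONTROL_WORDS = {"IF", "UNLESS", "ELSIF", "ELSE", "END", "FOREACH", "FOR",
                 "WHILE", "SWITCH", "CASE", "INCLUDE", "PROCESS", "BLOCK",
                 "USE", "SET", "DEFAULT", "CALL", "LAST", "NEXT", "STOP"}
DIRECTIVE = re.compile(r"\[%-?\s*(.*?)\s*-?%\]", re.DOTALL)


def is_output(body):
    """True if a directive body prints a value rather than control flow."""
    if not body or body.startswith("#"):       # empty or TT comment
        return False
    if body.split(None, 1)[0].upper() in CONTROL_WORDS:
        return False
    # "x = y" (but not "x == y") is an implicit SET, not output.
    return not re.match(r"^[\w.]+\s*=(?!=)", body)


def filters_of(body):
    """Lower-cased names of the filters chained with '|' in a directive."""
    names = set()
    for part in body.split("|")[1:]:
        name = part.strip().lstrip("$")       # Koha writes the raw filter as $raw
        names.add(re.split(r"[\s(]", name, maxsplit=1)[0].lower())
    return names


def find_unfiltered(template_text):
    """Return [(line_number, directive_body)] for unescaped output sinks."""
    findings = []
    for m in DIRECTIVE.finditer(template_text):
        body = " ".join(m.group(1).split())
        if is_output(body) and not (filters_of(body) & ACCEPTED_FILTERS):
            findings.append((template_text.count("\n", 0, m.start()) + 1, body))
    return findings


# Constructed sample template fragment (not from Koha) for a stand-alone run.
SAMPLE = """[% INCLUDE 'doc-head-open.inc' %]
[% FOREACH d IN borrower.debarments %]
  <td>[% d.comment | $raw %]</td><td>[% borrower.surname %]</td>
  <td>[% borrower.firstname | html %]</td>
[% END %]
<a href="moremember.pl?borrowernumber=[% borrower.borrowernumber | uri %]">
[% SET foo = bar %][% foo %]
"""
```

Running `find_unfiltered(SAMPLE)` reports line 3 (`borrower.surname`) and line 7 (`foo`); the `$raw`, `html` and `uri` directives and the control-flow directives are skipped.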
This patch updates various unrelated templates to use the Bootstrap
grid. In each case, confirm that the indicated page looks correct.
- Acquisitions -> Vendor -> Add to basket -> From a staged file.
- Logged-in user menu (in the upper right) -> Search history.
- With plugins disabled in koha-conf.xml, go to Tools -> Tools plugins.
- With the EasyAnalyticalRecords system preference set to 'Display,'
  view a bibliographic record.
  - Choose Edit -> Link to host item.
  - Submit a barcode to be linked.
- Configure a MARC subfield (e.g. 100$a) to use the
  unimarc_field_225a_bis plugin.
  From the MARC edit page, trigger the plugin and confirm that the
  page in the popup window looks correct. Confirm that changes made in
  the popup window are saved to the corresponding field in the editor.
- Administration -> Funds -> Edit a fund.
  - Click 'Select owner.'
  - Search for a patron.
Signed-off-by: Claire Gravely <claire.gravely@bsz-bw.de>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
This patch modifies the staff client label creator templates so that
JavaScript is included in the footer instead of the header.
To test, apply the patch and test the JavaScript-driven features of
each modified template: All button controls, DataTables functionality,
form validation, etc.
This patch also modifies the templates to use the Bootstrap grid instead
of YUI, and removes obsolete "text/javascript" attributes from
<script> tags and "text/css" attributes from <style> tags in the
modified templates.
To test, apply the patch and test the following interactions:
- Creating and managing layouts
- Creating and managing batches
- Creating and managing templates
- Creating and managing printer profiles
- Creating quick spine labels
Signed-off-by: Claire Gravely <claire.gravely@bsz-bw.de>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
This patch updates several label creator templates to remove the use of
"onclick" in favor of defining click events in JavaScript.
Also changed:
- Replaced the non-existent element <icon> with <i>
- Removed the use of <center> and 'align="center"';
- In the item search results template:
  - The use of the checkboxes jQuery plugin has been replaced with
    straight jQuery for simplicity's sake.
  - Output of table headers has been modified so that translatable
    strings are in the template instead of having English strings
    passed from the script.
- Moved the 'Add checked' and 'Done' buttons into a floating toolbar.
To test, apply the patch and go to Tools -> Label creator.
- Choose New -> Label batch
- Click 'Add items'
- Perform a search for items.
- Confirm that 'select all' and 'clear all' links work.
- Confirm that clicking an individual 'Add' button works.
- Select multiple items and click the 'Add checked' button. Confirm
that the selected items were added to your batch.
- Click 'Add items' again to save the selected items to your batch.
- Test that the 'Delete' and 'Export' buttons next to any item work
correctly.
- Choose Manage -> Label batches
- Test that the 'Delete' button works correctly.
- Select one or more batches and test that the 'Export selected'
button works correctly.
Revision: Removed changes to pagination in the item search results
template since it didn't work.
Followed test plan, works as expected.
Signed-off-by: Marc Véron <veron@veron.ch>
Signed-off-by: Hector Castro <hector.hecaxmmx@gmail.com>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Most of the scripts called via greybox (which uses iframe) don't include
doc-head-close. But some do.
This patch adds a popup parameter for these templates, not to include
the legacy browser trick and avoid the replacement of the location.
Test plan:
1/ Export patroncard and label
2/ translate itemtypes
3/ click on an idref link at the OPAC
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Signed-off-by: Chris Cormack <chrisc@catalyst.net.nz>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
The tool is documented and accessed (via Tools >) as 'Label creator'. But the
page titles say 'Labels' and the breadcrumbs 'Labels home'. It should be called
'Label creator' for consistency. This patch changes the tt files so they are
consistent.
It also makes the title show the same page name as the breadcrumbs.
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
Better wording for the meaning of 'Position' to prevent mistakes on behaviour.
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Signed-off-by: Paul Poulain <paul.poulain@biblibre.com>
After talking to Owen we decided to use 2 classes for those modules. I decided on:
patroncard: tools, pcard
labels: tools, labels
Signed-off-by: Owen Leonard <oleonard@myacpl.org>
The most visible change in this patch is the conversion of image-only
links to text links combined with icons. Other changes include
markup corrections and standardization and language corrections.
To test, go to Labels > Manage Batches. Select a batch and click
'Export' to see the revised interface.
Signed-off-by: Nicole C. Engard <nengard@bywatersolutions.com>
Signed-off-by: Chris Nighswonger <cnighswonger@foundations.edu>
Signed-off-by: Chris Cormack <chrisc@catalyst.net.nz>