Commit graph

173 commits

Author SHA1 Message Date
c931804171 Bug 30524: Core CSRF checking code
Split out from bug 22990 as requested.

Signed-off-by: David Cook <dcook@prosentient.com.au>

Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>

Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
(cherry picked from commit aba9e61cfbab1e915f1be4a527b5708b9ec59c35)
Signed-off-by: Fridolin Somers <fridolin.somers@biblibre.com>
2023-07-28 09:12:39 -10:00
866d10d416
Bug 30969: Cross site scripting (XSS) attack in OPAC authority search ( opac-authorities-home.pl )
There appears to be a cross site scripting attack vulnerability in opac-authorities-home.pl, but may be accessible from any page using C4::Output::pagination_bar.

https://MYKOHA.LOCAL/cgi-bin/koha/opac-authorities-home.pl?and_or=and%27%22()%26%25%3Csad%3E%3CScRiPt%20%3Ealert(document.domain)%3C/ScRiPt%3E&authtypecode=CORPO_NAME&excluding=1&marclist=all&op=do_search&operator=contains&orderby=HeadingAsc&type=opac&value=1

Test Plan:
1) Use the URL above to show the XSS vulnerability exists
2) Apply this patch
3) Restart all the things!
4) Reload the page, no XSS vulnerability!

Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Signed-off-by: Chris Cormack <chrisc@catalyst.net.nz>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
2022-07-25 11:18:11 -03:00
Blou
10e657e8b7 Bug 30115: Uninitialized value warning in C4/Output.pm
Use of uninitialized value $url_suffix in concatenation (.) or string at GIT/C4/Output.pm line 180.
Use of uninitialized value $url_suffix in concatenation (.) or string at GIT/C4/Output.pm line 197.
Use of uninitialized value $url_suffix in concatenation (.) or string at GIT/C4/Output.pm line 211.

This is in pagination_bar sub.  A lot of pages call it.  For me it
happened with any Authority search (authorities/authorities-home.pl)
producing multiple results.

Simple fix is initializing the variable.

Signed-off-by: Owen Leonard <oleonard@myacpl.org>

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Signed-off-by: Fridolin Somers <fridolin.somers@biblibre.com>
2022-02-21 15:15:47 -10:00
9d6d641d1f Bug 17600: Standardize our EXPORT_OK
On bug 17591 we discovered that there was something weird going on with
the way we export and use subroutines/modules.
This patch tries to standardize our EXPORT to use EXPORT_OK only.

That way we will need to explicitely define the subroutine we want to
use from a module.

This patch is a squashed version of:
Bug 17600: After export.pl
Bug 17600: After perlimport
Bug 17600: Manual changes
Bug 17600: Other manual changes after second perlimports run
Bug 17600: Fix tests

And a lot of other manual changes.

export.pl is a dirty script that can be found on bug 17600.

"perlimport" is:
git clone https://github.com/oalders/App-perlimports.git
cd App-perlimports/
cpanm --installdeps .
export PERL5LIB="$PERL5LIB:/kohadevbox/koha/App-perlimports/lib"
find . \( -name "*.pl" -o -name "*.pm" \) -exec perl App-perlimports/script/perlimports --inplace-edit --no-preserve-unused --filename {} \;

The ideas of this patch are to:
* use EXPORT_OK instead of EXPORT
* perltidy the EXPORT_OK list
* remove '&' before the subroutine names
* remove some uneeded use statements
* explicitely import the subroutines we need within the controllers or
modules

Note that the private subroutines (starting with _) should not be
exported (and not used from outside of the module except from tests).

EXPORT vs EXPORT_OK (from
https://www.thegeekstuff.com/2010/06/perl-exporter-examples/)
"""
Export allows to export the functions and variables of modules to user’s namespace using the standard import method. This way, we don’t need to create the objects for the modules to access it’s members.

@EXPORT and @EXPORT_OK are the two main variables used during export operation.

@EXPORT contains list of symbols (subroutines and variables) of the module to be exported into the caller namespace.

@EXPORT_OK does export of symbols on demand basis.
"""

If this patch caused a conflict with a patch you wrote prior to its
push:
* Make sure you are not reintroducing a "use" statement that has been
removed
* "$subroutine" is not exported by the C4::$MODULE module
means that you need to add the subroutine to the @EXPORT_OK list
* Bareword "$subroutine" not allowed while "strict subs"
means that you didn't imported the subroutine from the module:
  - use $MODULE qw( $subroutine list );
You can also use the fully qualified namespace: C4::$MODULE::$subroutine

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
2021-07-16 08:58:47 +02:00
3fe837bc74 Bug 28572: Remove C4::Debug
We are using Koha::Logger when it makes sense to keep the info,
otherwise we simply remove it

Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>

Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>

Bug 28572: Replace missing occurrence in misc/admin/koha-preferences

Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
2021-06-22 12:04:32 +02:00
Katrin Fischer
f090c1d2cb Bug 11994: OpenSearch plugins needs to be delivered with Content-Type application/opensearchdescription+xml
https://developer.mozilla.org/en-US/docs/Web/OpenSearch
Your server should serve OpenSearch plugins using
Content-Type: application/opensearchdescription+xml.

To test:
- Verify the Content-Type the file is delivered with
  is correct, for example using wget
  http://127.0.0.1:8080/cgi-bin/koha/opac-search.pl?format=opensearchdescription

Signed-off-by: David Nind <david@davidnind.com>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
2020-06-24 14:31:37 +02:00
c951f8e06a
Bug 24369: Add CORS support to output_with_http_headers()
This patch adds CORS support to output_with_headers(). It will use the
AccessControlAllowOrigin syspref to pick the value and set the Access-Control-Allow-Origin header.

To test:
1. Apply this patch
2. Run:
   $ kshell
  k$ prove t/Output.t
SUCCESS: Tests pass!
3. Sign off :-D

Signed-off-by: Andrew Isherwood <andrew.isherwood@ptfs-europe.com>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
2020-03-05 12:59:44 +00:00
dc5fe323d2
Bug 24217: use Modern::Perl for modules when strict is missing
We absolutely need that for modules.
We are enabling strict by using Modern::Perl.
Note that other modules from C4 use strict and warnings, instead of
Modern::Perl

Test plan: git grep 2505 **/*.pm should not return any results

And let's see later what needs to be fixed.

Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
2020-01-03 10:45:46 +00:00
7fa1cde78e
Bug 23329: Move error page to its own subroutine
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
2019-11-27 11:30:19 +00:00
62ae7ac727
Bug 23117: Shortcut additem.pl on nonexistent biblionumber
To prevent additem.pl to crash when called with a nonexistent
biblionumber we are here implementing the blocking_error.inc trick to
display a friendly message instead.

Can't call method "fields" on an undefined value at
/home/vagrant/kohaclone/cataloguing/additem.pl line 736.

Test plan:
hit
/cataloguing/additem.pl?biblionumber=
/cataloguing/additem.pl?biblionumber=424242
You will get a friendly "Bibliographic record not found." message,
instead of a 500

Signed-off-by: Bin Wen <bin.wen@inlibro.com>
Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
2019-06-15 08:01:37 +01:00
f021ca30a5 Bug 22478: Prevent XSS vulnerabilities when pagination appears
This is a bad one as we thought we were XSS safe since bug 13618.

The html code generated in C4::Output::pagination_bar must escape the
variables and values correctly.

This patch needs to be widely tested, everywhere the pagination appears,
to make sure we will not introduce regressions.

Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>

Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>

Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
2019-05-02 13:40:26 +00:00
ef58eff737 Bug 20661: (QA follow-up) Add POD for output_and_exit
Resolve:
 FAIL   C4/Output.pm
   FAIL   pod
                *** ERROR: Apparent command =cut not preceded by blank line  in file C4/Output.pm
   FAIL   pod coverage
                POD is missing for output_and_exit

Test plan:
Run QA tools again.

Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>

Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
2018-08-10 12:23:03 +00:00
ff21352a4a Bug 20661: Shortcut circ scripts if a blocking error appeared
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
No test plan found ;)
But tested bookcount and request-article.

Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
2018-08-10 12:23:03 +00:00
5c3ead6ecd Bug 20422: Fix warning on uri_escape_utf8 in Output.pm
When opac-details calls parametrized_url, it triggers an uninitialized
warning when you would have a record without e.g. author, like:
    Use of uninitialized value in subroutine entry at /usr/share/perl5/URI/Escape.pm line 184.

This is (imo) actually a bug in URI::Escape; it should check its args.
But we resolve the warning here by adding the "// q{}" in parametrized_url.

NOTE: Along the way we do something similar in the arrParamsBusc loop.
If the variable is undefined, jump to the next one. (Consistent with the
approach in the if-part preceding it.)

Test plan:
[1] Run t/Output.t again. Should pass now.

Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>

Signed-off-by: Brendan Gallagher <brendan@bywatersolutions.com>

Signed-off-by: Nick Clemens <nick@bywatersolutions.com>

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
2018-03-26 17:31:13 -03:00
c15abaeda9 Bug 18403: Fix POD for C4::Output::output_and_exit_if_error
xt/author/podcorrectness.t
C4/Output.pm (310): Expected text after =item, not a bullet

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
2018-02-12 18:02:01 -03:00
d433a4dc3d Bug 18403: Add POD for output_and_exit_if_error
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
2018-02-12 15:41:42 -03:00
cee2cf9ff9 Bug 18403: Add sub output_and_exit_if_error - unknown_patron & cannot_see_patron_infos
Test plan:
Login with a patron that is not allowed to see patron's information for patrons
outside of his group. Try to access patron's information from scripts of the patron
module (members/*) and circ/circulation.pl.
You should be able to access patron's information of patrons outside of your group
and get "You are not allowed to see the information of this patron."
If you try and access a patron page with a borrowernumber that does not exist, you
should get "This patron does not exist"

Technical note:
A new C4::Output subroutine is created in this patch: "output_and_exit_if_error"
Executed at the beginning of the script it will permit not to copy/paste all the
different checks to know if the logged in user is authorised to see patron's information.
The design here can be discussed, but I did not find an alternative with as less changes.
On the way I refactor what we did with 'unknowuser' previously: it will now work with all
patron pages, not only the few that used it.
Note that the 'or die "Not logged in";' part should not be needed, but... who trusts
C4::Auth?
I think it could be used as a safeguard later. I am willing to sed and remove them
if required.

Changes in discharge.pl are mainly indentation changes.

With this patch we should now have a $patron variable that refer to the patron we
want to access. That will be very useful to remove plenty of code in members/* and
only pass this variable to the template (instead of 1 variable per patron's attribute).

Signed-off-by: Signed-off-by: Jon McGowan <jon.mcgowan@ptfs-europe.com>

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
2018-02-12 15:41:38 -03:00
798d38e4c7 Bug 16011: $VERSION - Remove comments
perl -p -i -e 's/^.*set the version for version checking.*\n//' **/*.pm

+ manual adjustements

Signed-off-by: Josef Moravec <josef.moravec@gmail.com>
Signed-off-by: Tomas Cohen Arazi <tomascohen@unc.edu.ar>

Signed-off-by: Brendan A Gallagher <brendan@bywatersolutions.com>
2016-03-24 17:20:29 +00:00
017699c345 Bug 16011: $VERSION - Remove the $VERSION init
Mainly a
  perl -p -i -e 's/^.*3.07.00.049.*\n//' **/*.pm
Then some adjustements

Signed-off-by: Josef Moravec <josef.moravec@gmail.com>
Signed-off-by: Tomas Cohen Arazi <tomascohen@unc.edu.ar>

Signed-off-by: Brendan A Gallagher <brendan@bywatersolutions.com>
2016-03-24 17:20:28 +00:00
3830d78d46 Bug 16011: $VERSION - remove use vars $VERSION
perl -p -i -e 's/^(use vars .*)\$VERSION\s?(.*)/$1$2/' **/*.pm

Signed-off-by: Josef Moravec <josef.moravec@gmail.com>
Signed-off-by: Tomas Cohen Arazi <tomascohen@unc.edu.ar>

Signed-off-by: Brendan A Gallagher <brendan@bywatersolutions.com>
2016-03-24 17:20:26 +00:00
fb167c0e4b Bug 15111: Change X-Frame-Options with SAMEORIGIN
There are some places where frames are used, the greybox JS plugin for
instance.

We need either to allow them from Koha or replace this plugin.
The easier for now is to switch the value from DENY with SAMEORIGIN.

Test plan:
- modify a record in a batch (tools/batch_record_modification.pl)
- click on preview marc
=> With only the previous patch you will get a blank page.
=> With this patch apply, it will work as expected.

Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Signed-off-by: Chris Cormack <chrisc@catalyst.net.nz>

Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
2016-03-14 16:30:08 +00:00
dc03bca76c Bug 15111 - Koha is vulnerable to Cross-Frame Scripting (XFS) attacks
Web pages that can be embedded in frames are vulnerable to cross-frame
scripting attacks. Cross-frame scripting is a type of phishing attack
that involves instructions to an unsuspecting user to follow a specific
link to update confidential information in an online application.
Because the link leads to a legitimate page from the online application
that is embedded in a frame hosted by the attackers' server, the
attackers can capture all the information that the user enters.

https://www.owasp.org/index.php/Clickjacking_Defense_Cheat_Sheet
Signed-off-by: Chris Cormack <chrisc@catalyst.net.nz>

Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Signed-off-by: Chris Cormack <chrisc@catalyst.net.nz>

Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
2016-03-14 16:30:08 +00:00
6f75aa11ff Bug 14544: Make the intranet side independent of Page.pm
Signed-off-by: Alex Arnaud <alex.arnaud@biblibre.com>

Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
2015-11-05 09:58:01 -03:00
6c30d31af7 Bug 15005: Fix pagination_bar calls
Test plan:
Create an order for an existing biblio, confirm that the pagination links work correctly.

Signed-off-by: Josef Moravec <josef.moravec@gmail.com>

Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
2015-10-19 09:36:43 -03:00
Marc Véron
5dceb851dd Bug 13813: Remove deprecated module C4::Dates from system
Test plan: See Bugzilla.

Signed-off-by: Jonathan Druart <jonathan.druart@biblibre.com>
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Tomas Cohen Arazi <tomascohen@unc.edu.ar>
2015-09-18 12:40:55 -03:00
Jonathan Druart
a6c9bd0eb5 Bug 9978: Replace license header with the correct license (GPLv3+)
Signed-off-by: Chris Nighswonger <cnighswonger@foundations.edu>
Signed-off-by: Tomas Cohen Arazi <tomascohen@gmail.com>
Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>

http://bugs.koha-community.org/show_bug.cgi?id=9987

Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Signed-off-by: Tomas Cohen Arazi <tomascohen@gmail.com>
2015-04-20 09:59:38 -03:00
Jonathan Druart
b678301e46 Bug 13684: C4::Budgets should not be used in C4::Output
Bug 12844 removed the call to C4::Budgets::GetCurrency.
The use of this module can be completely removed from C4::Output.

Signed-off-by: Tomas Cohen Arazi <tomascohen@gmail.com>
It makes sense and no runtime errors found.

Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
2015-02-16 23:36:40 -03:00
Jonathan Druart
ed7221102f Bug 12845: C4::Output::FormatData can be removed
Test plan:
  git grep FormatData
should not return any result in pl and pm files.

Signed-off-by: Nick Clemens <nick@quecheelibrary.org>
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Tomas Cohen Arazi <tomascohen@gmail.com>
2015-01-17 10:26:21 -03:00
Jonathan Druart
55107741a2 Bug 11944: replace use of utf8 with Encode
See the wiki page for the explanation.

Signed-off-by: Paola Rossi <paola.rossi@cineca.it>
Signed-off-by: Bernardo Gonzalez Kriegel <bgkriegel@gmail.com>
Signed-off-by: Dobrica Pavlinusic <dpavlin@rot13.org>

Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Signed-off-by: Tomas Cohen Arazi <tomascohen@gmail.com>
2015-01-13 13:06:45 -03:00
Jonathan Druart
8a2d765769 Bug 12844: Remove the C4::Output::FormatNumber subroutine
This subroutine is now useless.

Test plan:
  git grep FormatNumber
should not return any result in pl and pm files.

Signed-off-by: Paola Rossi <paola.rossi@cineca.it>

Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
Signed-off-by: Tomas Cohen Arazi <tomascohen@gmail.com>
2014-10-27 12:56:19 -03:00
Galen Charlton
7b165794cd Bug 10016: force zero browser-side caching of SCO pages
This patch makes the web-based self-check module pages
specify that no browser (or proxy caching) occur at all.
This prevents a security issue where letting the SCO session time out,
then hitting the back button allowed one to view the previous
patron's session.

This patch adds an optional fifth parameter to output_with_http_headers(),
and output_html_with_http_headers(), a hashref for miscellaneous
options.  One key is defined at the moment: force_no_caching, which if
if present and set to a true value, sets HTTP headers to specify no
browser caching of the page at all.

To test:

[1] Start a web-based self-check session and optionally perform
    some transactions.
[2] Allow the session to time out (it may be helpful to set
    SelfCheckTimeout to a low value such as 10 seconds).
[3] Hit the back button.  You should not see the previous patron's
    self-check session.
[4] Verify that prove -v t/Output.t passes.

Signed-off-by: Galen Charlton <gmc@esilibrary.com>
Signed-off-by: Ed Veal <ed.veal@bywatersolutions.com>
Signed-off-by: Brendan Gallagher <brendan@bywatersolutions.com>
Signed-off-by: Galen Charlton <gmc@esilibrary.com>
2013-10-21 18:05:12 +00:00
Galen Charlton
92f289e9a1 Complete revert of 6554
One line wasn't caught by the initial revert.  Thanks to
Jonathan Druart for catching this.

Signed-off-by: Galen Charlton <gmc@esilibrary.com>
2013-05-03 07:58:50 -07:00
Galen Charlton
94508a5c3d Revert "Bug 6554 QA Followup"
This reverts commit 686fdae32c.

Rolling back bug 6554 work until we have more comprehensive tests.
2013-04-29 15:17:06 -07:00
686fdae32c Bug 6554 QA Followup
Removing binmode, now encoding data in output_with_http_headers.
Replaced output_string by output_as_chars in XSLTParse4Display.

Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Bernardo Gonzalez Kriegel <bgkriegel@gmail.com>
No errors.
Signed-off-by: Jared Camins-Esakov <jcamins@cpbibliography.com>
2013-04-01 18:51:49 -04:00
Dobrica Pavlinusic
d542740ab8 Bug 6554 - make Koha internally utf-8 clean
In current implementation (mostly commented out in this patch)
uses heuristic to guess which strings need decoding from utf-8
to binary representation and doesn't support utf-8 characters
in templates and has problems with utf-8 data from database.

With this changes, Koha perl code always uses utf-8 encoding
correctly. All incomming data from database is allready
correctly marked as utf-8, and decoding of utf8 is required
only from Zebra and XSLT transfers which don't set utf-8 flag
correctly.

For output, standard perl :encoding(utf8) handler is used
so it also removes various "wide character" warnings as side-effect.

Test scenario:
1. make sure that you have utf-8 characters in your biblio
   records, patrons, categories etc.
2. try to search records on intranet and opac which contain
   utf-8 characters
3. install language which has utf-8 characters, e.g. uk-UA
   dpavlin@koha-dev:/srv/koha/misc/translator(bug_6554) $
   PERL5LIB=/srv/koha/ perl translate install uk-UA
4. switch language to uk-UA and verify that templates
   display correctly
5. test search and Z39.50 search and verify that caracters
   are correct

Signed-off-by: Owen Leonard <oleonard@myacpl.org>

I followed the test plan, adding utf-8 characters to library names,
patron categories, titles, and authorized values. I tried the uk-UA
translation and everything looked good.

When performing Z39.50 searches for titles containing utf-8 characters I
got results which were still occasionally contaminated with dummy
characters [?] but I assume this is Z39.50's fault not the patch's.

Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Bernardo Gonzalez Kriegel <bgkriegel@gmail.com>
Already signed, add mine.
Signed-off-by: Jared Camins-Esakov <jcamins@cpbibliography.com>
2013-04-01 18:51:49 -04:00
Fridolyn SOMERS
e343165cf6 Bug 9504: URL escape in OPAC more searches
OPACSearchForTitleIn is a syspref used to add links as "more searches" in OPAC record detail page.
The links can contain vars depending on record values like title, ISBN, ...
Thoses values must be URL-escaped because they can contain special characters that will brake URL and/or HTML.

This patch add a method C4::Output::parametrized_url() that replaces vars in URL usign escape and UTF-8 encoding.

Test plan :
- Define in OPACSearchForTitleIn a link with all possible vars : TITLE, AUTHOR, ISBN, ISSN, CONTROLNUMBER, BIBLIONUMBER
- Edit a record to add special characters in title : ", &, ? ...
- Go to OPAC detail pages of this record
=> Check that URL is well encoded
=> Click on link to check the term is well encoded (diacritical characters, ...)

Signed-off-by: Liz Rea <liz@catalyst.net.nz>
Nice test plan, thanks!

Verified bug and fix - both look good.
Signed-off-by: Mason James <mtj@kohaaloha.com>
Signed-off-by: Jared Camins-Esakov <jcamins@cpbibliography.com>
2013-03-20 08:36:44 -04:00
7b09ce3a22 Bug 6679 - [SIGNED-OFF] fix 3 perlcritic violations in C4/Output.pm
"return" statement with explicit "undef" at line 128, column 74.  See page 199 of PBP.  (Severity: 5)
Subroutine prototypes used at line 270, column 1.  See page 194 of PBP.  (Severity: 5)
Subroutine prototypes used at line 308, column 1.  See page 194 of PBP.  (Severity: 5)

Signed-off-by: Jonathan Druart <jonathan.druart@biblibre.com>
2012-09-20 12:01:38 +02:00
Jared Camins-Esakov
33113e69c0 Bug 8622: Fix theme fallback
This patch does the following:
1) Enables fallback for includes between different themes and different
   languages (with the exact same precedence as for .tt files)
2) Enable fallback for XSLT files between different themes and different
   languages (again, same precedence)
3) Change the semantics of the TT [% themelang %] variable so that it always
   refers to the preferred theme and language, rather than the fallback
   theme/language. As a result, all themes must include all javascript,
   css and image resources they use.

Note that these changes actually have no impact whatsoever on an
installation where the default (prog) themes are in use.

Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Signed-off-by: Mason James <mtj@kohaaloha.com>
Signed-off-by: Paul Poulain <paul.poulain@biblibre.com>
2012-09-05 11:39:14 +02:00
Jonathan Druart
a6c93961b1 Bug 7302: Export basketgroup as CSV
Adds new action export for basketgroup.
This action is available only if your basketgroup is closed.
This export generates a csv file with order informations.

Signed-off-by: Katrin Fischer <Katrin.Fischer.83@web.de>
Tested together with bug 5356.
2012-07-24 18:22:06 +02:00
Chris Cormack
509d673f10 Bug 7941 : Fix version numbers in modules
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Signed-off-by: Paul Poulain <paul.poulain@biblibre.com>
2012-06-11 17:29:38 +02:00
7eef4c8c70 Bug 5668 - Star ratings in the opac
patch applied to commit eb3dc448d2

Signed-off-by: Nicole C. Engard <nengard@bywatersolutions.com>

Turned on star ratings in the opac on details and results
Searched for titles - saw the stars
Clicked on a title
Clicked on the stars
Clicked on the stars to change my rating
Logged out
Tried to click on stars
Logged in as different user
Rated items that were rated already and saw average change
Changed preference to show only on detail and repeated tests
Changed preference to now show stars

All above tests passed. Signing off.

Rebased 3-19-12 by Ian Walls

Signed-off-by: Paul Poulain <paul.poulain@biblibre.com>
2012-04-10 14:40:49 +02:00
D Ruth Bavousett
bbfaf8264c Bug 7535: ampersands not showing properly in non-XSLT OPAC
Jared's fix for Bug 3326 fixed this in the staff client, but not the OPAC; moving this one line fixes it
both places.

Signed-off-by: Liz Rea <wizzyrea@gmail.com>
This can be replicated by indexing with -x
OPACXSLTResults must be set to "normally"
Reproduced original bug with rebuild-zebra.pl -x -b -w -r -v -v
Patch corrects the issue, does not change intranet behavior.

Signed-off-by: Paul Poulain <paul.poulain@biblibre.com>
2012-02-21 15:45:11 +01:00
d785d9d57d Bug 6098 Followup -- doesn't replace NSB/NSE by space
On any page, NSB/NSE characters are replaced by space in Output.pm. It isn't a
good thing:

  - It isn't necessary since Zebra indexer handle properly those characters as
    delimiter.
  - It isn't necessary for display since XSL file already do that.
  - It isn't efficient since a regex is done on every whole page sent by Koha,
    not only on biblio record part.
  - It removes an information that librarian want to keep in their biblio
    records: any record edited in Koha loose its NSB/NSE characters.

Signed-off-by: Frédéric Demians <f.demians@tamil.fr>
Signed-off-by: Chris Cormack <chrisc@catalyst.net.nz>
Signed-off-by: Paul Poulain <paul.poulain@biblibre.com>
2012-01-13 11:21:48 +01:00
Ian Walls
c70ff88205 Bug 2616: Remove unnecessary 'use HTML::Template' calls
Removes deprecated calls to HTML::Template or HTML::Template::Pro from:
C4/Output.pm
catalogue/export.pl
reports/issues_by_borrower_category.plugin
reports/itemtypes.plugin

Only remaining calls are in misc/cronjobs/rss/rss.pl, misc/cronjobs/smsoverdues.pl,
and t/test_template.pl.  These scripts still legitimately depend on H:T:P

Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Paul Poulain <paul.poulain@biblibre.com>
2011-12-06 11:34:05 +01:00
Chris Cormack
8e7b163608 Bug 6755 follow up, fixing broken POD 2011-09-23 11:33:00 +12:00
6b8be20497 Bug 6755 Problems with switching languages
This patch solves the situation that news is in another language than
the Koha interface AND makes that themelanguage routine is always called
the same way in order to prevent mixed display.

It fixes also a bug related to language preselection based on web
browser prefered language.

September 9: Adjusted with input of Frederic Demians.

Septembre 10: Avoid circular dependency, as pointed by Chris Cormack.
Templates related functions are moved from C4::Output to C4::Templates

Signed-off-by: Alex Arnaud <alex.arnaud@biblibre.com>
Signed-off-by: Ian Walls <ian.walls@bywatersolutions.com>
Signed-off-by: Chris Cormack <chrisc@catalyst.net.nz>
2011-09-23 09:47:09 +12:00
Chris Cormack
7efaafe132 Bug 6085 : Fixing the utf8 weirdness
I am not very happy with this fix, but it does mean the template are
translatable and we don't get double encoding issues with them anymore

Please test

Signed-off-by: Chris Cormack <chrisc@catalyst.net.nz>
2011-04-11 16:01:59 +12:00
Chris Cormack
5a23a45e32 Bug 6085 : utf8 fixed for xslt, and parameters, broken for utf8 included in templates
Signed-off-by: Chris Cormack <chrisc@catalyst.net.nz>
2011-04-11 12:58:05 +12:00
Chris Cormack
82f0fee5c8 Bug 5917 : Fixing a bug with switching languages
Signed-off-by: Chris Cormack <chrisc@catalyst.net.nz>
2011-04-10 22:58:08 +12:00
Chris Cormack
d4cd05126d Bug 5917 / Bug 6085 : Fixing not being able to change language 2011-04-10 20:22:55 +12:00