To my understanding we need to escape first html chars then to JSON.
If this patch works we will need to rethink the 'To' TT plugin.
It was originally designed to have several escape methods, but with
these changes it will not make sense to name it 'To' if used only to
escape JSON
IIRC we should keep the 2 different ways to use it:
* [% To.json( string ) %]
* [% string | $To %]
otherwise it will be hard to use it when called in argument of
patron-title.inc (`git grep To.json`)
Signed-off-by: Liz Rea <wizzyrea@gmail.com>
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
When someone uses \ in the description of a list, the datatable in staff
won't load and keeps processing.
Test plan:
- Create a list named "<script>alert('hola');</script>"
- Create another list named "k\o\h\a"
- Hit /cgi-bin/koha/virtualshelves/shelves.pl
=> Without this patch the lists will not be displayed, JSON is
malformated
=> With this patch everything is ok
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Liz Rea <wizzyrea@gmail.com>
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
No need to add a new line to escape this variable that is never used,
better to remove it
`git grep shelfoff` will prove that it is not used anywhere else.
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Signed-off-by: Owen Leonard <oleonard@myacpl.org>
Signed-off-by: Josef Moravec <josef.moravec@gmail.com>
Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
We should be on the safe side without this patch because shelfnumber and
type comes from the DB and are integer or varchar. It may be better to
show good examples to start, and escape everything anyway.
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Signed-off-by: Owen Leonard <oleonard@myacpl.org>
Signed-off-by: Josef Moravec <josef.moravec@gmail.com>
Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
This patch removes the "|html" filter from some variable declarations in
the template used to display the list of lists in the staff client.
To test you should have at least one list. Apply the patch and go to
Lists.
In the table of lists, the "Edit" and "Delete" buttons should look
correct and work correctly.
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Signed-off-by: Josef Moravec <josef.moravec@gmail.com>
Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
In the staff client, when viewing the content of a list, it can be sorted by 'title', 'author' or 'call number' but not by 'date added'.
This patch adds 'date added' as an option for default sorting of lists. It also makes it available as a sorting option while viewing lists.
Test plan:
In the staff client and the opac:
1) View a list containing several items
=> Notice that you can't sort by 'date added'
2) Try to edit the list or create a new one
=> Notice you can't choose date added as the default sort order
3) Apply the patch
4) When viewing the list you should now be able to sort by date added
=> Make sure it orders correctly
5) Edit or create a list and choose date added as default sorting order
=> Make sure it uses date added as default
=> On the staff client: test that the filter for 'sort by' works for date added
=> On the opac: test that, while viewing the contents, choosing 'default sorting' in the dropdown menu sorts correctly
Signed-off-by: Owen Leonard <oleonard@myacpl.org>
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
Here we go, next step then.
As we did not fix the performance issue when autofiltering
the variables (see bug 20975), the only solution we have is to add the
filters explicitely.
This patch has been autogenerated (using add_html_filters.pl, see next
pathces) and add the html filter to all the variables displayed in the
template.
Exceptions are made (using the new 'raw' TT filter) to the variable we
already listed in the previous versions of this patch.
To test:
- Use t/db_dependent/Koha/Patrons.t to populate your DB with autogenerated
data which contain <script> tags
- Remove them from borrower_debarments.comments (there are allowed here)
update borrower_debarments set comment="html tags possible here";
- From the interface hit page and try to catch alert box.
If you find one it means you find a possible XSS.
To know where it comes from:
* note the exact URL where you found it
* note the alert box content
* Dump your DB and search for the string in the dump to identify its
location (for instance table.field)
Next:
* Ideally we would like to use the raw filter when it is not necessary
to HTML escape the variables (in big loop for instance)
* Provide a QA script to catch missing filters (we want html, uri, url
or raw, certainly others that I am forgetting now)
* Replace the html filters with uri when needed (!)
Signed-off-by: Owen Leonard <oleonard@myacpl.org>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
Just as we show this distinction in OPAC, this patch adds a type column
in the Your lists tab that displays Private or Shared. It always contains
Public in the other tab.
Test plan:
[1] Check if you see Shared for a private lists with shares in staff.
[2] Run t/db_dependent/Utils/Datatables_Virtualshelves.t
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Lee Jamison <ldjamison@marywood.edu>
Signed-off-by: Marc Véron <veron@veron.ch>
Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Signed-off-by: Owen Leonard <oleonard@myacpl.org>
Signed-off-by: Jonathan Druart <jonathan.druart@biblibre.com>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
This patch removes the use of "onclick" from the list delete button,
moving the event definition into the script.
Also changed: Removed some unnecessary link markup; Added some
whitespace around the action buttons.
To test, apply the patch and go to Lists.
Click the "Delete" button next to any list. You should be prompted to
confirm the deletion. Verify that both confirming and canceling the
deletion works correctly.
Signed-off-by: Aleisha <aleishaamohia@hotmail.com>
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
To test:
1) Go to Lists
2) Confirm that actions (Edit and Delete) now show as font awesome buttons and work as expected for both Public and Private lists
Sponsored-by: Catalyst IT
NOTE: Pretty! :)
Signed-off-by: Mark Tompsett <mtompset@hotmail.com>
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
Signed-off-by: Brendan Gallagher brendan@bywatersolutions.com
Revert "DBRev to make notes of the XSS patches and the new important dependency."
This reverts commit e140603a59.
Revert "Bug 13618: Specific for branches.opac_info"
This reverts commit 06e4a50f00.
Revert "Bug 13618: (follow-up) Specific for other prefs"
This reverts commit d6475a111f.
Revert "Bug 13618: Fix for debarredcomment and patron messages"
This reverts commit dd98c9df92.
Revert "Bug 13618: Do not display html tags in patron's notices"
This reverts commit a065b243fe.
Revert "Bug 13618: Do not display and html tags in item fields content"
This reverts commit baeeaffbf8.
Revert "Bug 13618: Fix for system preference description"
This reverts commit a967a09261.
Revert "Bug 13618: Remove html filters for newly pushed code"
This reverts commit 0e98662b10.
Revert "Bug 13618: (follow-up) add missing lines for opac-shelves"
This reverts commit fc2fb605e5.
Revert "Bug 13618: (follow-up) Specific for ColumnsSettings"
This reverts commit bc308fdd9c.
Revert "Bug 13618: Fix for edit biblios and items"
This reverts commit 811c4e8402.
Revert "Bug 13618: followup to remove tabs"
This reverts commit ca8e8c397c.
Revert "Bug 13618: Fix last occurrences recently introduced to master"
This reverts commit bb417b256b.
Revert "Bug 13618: Fix for news"
This reverts commit ae5b98020a.
Revert "Bug 13618: Fix escape on sending baskets or shelves by email"
This reverts commit a7731ffe25.
Revert "Bug 13618: Specific for XSLTBloc"
This reverts commit 11fa38dc29.
Revert "Bug 13618: Specific for Salutation on editing a patron"
This reverts commit 36c07ad6d3.
Revert "Bug 13618: Specific for other prefs"
This reverts commit e6ea281a3b.
Revert "Bug 13618 - memberentrygen.tt errors Not a GLOB reference"
This reverts commit 7824874557.
Revert "Bug 13618: Specific for ColumnsSettings"
This reverts commit 1834da3da3.
Revert "Bug 13618: Specific for IntranetUser* and OPACUser* prefs"
This reverts commit 21ae62b253.
Revert "Bug 13618: Fix error 'Not a GLOB reference'"
This reverts commit 602bdbab4c.
Revert "Bug 13618: Specific for the ISBD view"
This reverts commit d254362435.
Revert "Bug 13618: Specific for pagination_bar"
This reverts commit 8837a8ae68.
Revert "Bug 13618: Specific places where we don't need to escape variables - intra"
This reverts commit 00eff140b3.
Revert "Bug 13618: Remove html filters at the intranet"
This reverts commit 7db851ff03.
Revert "Bug 13618: Specific places where we don't need to escape variables"
This reverts commit 49a3738b8d.
Revert "Bug 13618: Remove html filters at the OPAC"
This reverts commit cedaa0e23e.
Revert "Bug 13618: Use Template::Stash::AutoEscaping to use the html filter"
This reverts commit 01b38d3b13.
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Signed-off-by: Brendan Gallagher brendan@bywatersolutions.com
Bug 14544: Fix redirect on editing a list
If you edit a list from the list view, after saving the form, you are
not redirected to the list view (but on the edit form).
Bug 14544: Cosmetic: › should be a class divider
Signed-off-by: Alex Arnaud <alex.arnaud@biblibre.com>
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
Signed-off-by: Alex Arnaud <alex.arnaud@biblibre.com>
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
The translation script adds quotes ("") around translated string (Edit
for instance).
Which breaks the json structure.
Example:
"dt_action": "<a style=\"cursor:pointer\"><form action='shelves.pl'
method='get'><input class="editshelf" value="Editar" type="submit"
/></form></a>"
Test plan:
1/ On the staff interface create a private list
2/ Go to More > Lists ('Your lists' tab)
3/ Translate the templates to any language like:
$ cd misc/translator/
$ perl translate install es-ES
4/ Enable the translated templates on the sysprefs
5/ Switch to the translated language
6/ Go to the lists page (Mas > Listas in es-ES)
The list should be displayed correctly.
Note: There is a limitation. If a translated string contains a simple
quote ('), it will also break the json.
Signed-off-by: Chris Cormack <chrisc@catalyst.net.nz>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Signed-off-by: Tomas Cohen Arazi <tomascohen@unc.edu.ar>
Bug 13417 allows a librarian to delete any lists if he has the
permission (delete_public_lists).
There is a mismatch in the perm check.
A user can delete a list with the ability to edit (manage) it.
Test plan:
1/ Create a list A with user A
2/ Create a list B with user B
3/ A should be able to manage and delete the list A.
He cans delete B only if he is superlibrarian or has the
delete_public_lists permission.
Signed-off-by: Tomas Cohen Arazi <tomascohen@unc.edu.ar>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Signed-off-by: Tomas Cohen Arazi <tomascohen@unc.edu.ar>
Test plan:
1/ Execute the updatedb entry
2/ Create a list
3/ Go on the shelve list and confirm that the creation and last
modification time are now displayed.
4/ Confirm that you are able to sort the list by creation/modification
time.
Applied on top of 13419 (rebased updatedatabase.pl)
Works as expected.
Signed-off-by: Marc Veron <veron@veron.ch>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Signed-off-by: Tomas Cohen Arazi <tomascohen@gmail.com>
Tested together with patch #1, works as expected
Signed-off-by: Marc Veron <veron@veron.ch>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Signed-off-by: Tomas Cohen Arazi <tomascohen@gmail.com>
This patch adds DataTables using a server-side processing to display
lists (virtual shelves).
Test plan:
1/ Go on virtualshelves/shelves.p
2/ Play with the table functions (sort, filter, pagination, etc.)
3/ Go with the Public lists tab and verify the table is correctly
filtered.
Tested together with patch #2, works as expected.
Signed-off-by: Marc Veron <veron@veron.ch>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Signed-off-by: Tomas Cohen Arazi <tomascohen@gmail.com>
