Commit graph

14 commits

Author SHA1 Message Date
125de75517 Bug 22600: Add 'cron' to interface types and set appropriately
This patch adds 'cron' as a valid interface and sets it appropriately for
existing cron scripts.

Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>

Signed-off-by: Josef Moravec <josef.moravec@gmail.com>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>

Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
2019-04-10 19:43:11 +00:00
cd81bdc6a0 Bug 21526: Use the 'url' filter when needed
Signed-off-by: Chris Cormack <chrisc@catalyst.net.nz>

Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
2018-11-12 16:35:43 -03:00
5825026448 Bug 21526: uri escape TT variables when used in 'a href'
This patch has been generated with the script provided on bug 21576.
It only affects variables used in the href attribute of a link *when*
href is the first attribute of the node (grep "a href")

Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>

Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
2018-10-26 17:09:57 +00:00
Jonathan Druart
dcd1f5d48c Bug 13618: Add html filters to all the variables
Here we go, next step then.
As we did not fix the performance issue when autofiltering
the variables (see bug 20975), the only solution we have is to add the
filters explicitly.

This patch has been autogenerated (using add_html_filters.pl, see next
patches) and adds the html filter to all the variables displayed in the
template.
Exceptions are made (using the new 'raw' TT filter) for the variables we
already listed in the previous versions of this patch.

To test:
- Use t/db_dependent/Koha/Patrons.t to populate your DB with autogenerated
data which contain <script> tags

- Remove them from borrower_debarments.comments (they are allowed here)
update borrower_debarments set comment="html tags possible here";

- From the interface, hit pages and try to catch an alert box.
If you find one it means you have found a possible XSS.
To know where it comes from:
* note the exact URL where you found it
* note the alert box content
* Dump your DB and search for the string in the dump to identify its
location (for instance table.field)

Next:
* Ideally we would like to use the raw filter when it is not necessary
to HTML escape the variables (in big loops for instance)
* Provide a QA script to catch missing filters (we want html, uri, url
or raw, certainly others that I am forgetting now)
* Replace the html filters with uri when needed (!)

Signed-off-by: Owen Leonard <oleonard@myacpl.org>

Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>

Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
2018-08-17 15:55:05 +00:00
Stefan Weil
63c1589685 Bug 14383: misc: Fix some typos in comments and documentation
Most of them were found and fixed using codespell.

Signed-off-by: Stefan Weil <sw@weilnetz.de>
Signed-off-by: Chris Cormack <chrisc@catalyst.net.nz>
Signed-off-by: Bernardo Gonzalez Kriegel <bgkriegel@gmail.com>

Signed-off-by: Jonathan Druart <jonathan.druart@koha-community.org>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
2015-06-22 17:34:45 -03:00
Colin Campbell
607b224f00 Bug 13591: Pass OPACBaseURL to rss creation process
Links in rss templates were hardcoded to library.org.nz. Should pass and
use the system's OPACBaseURL.

Tested and verified.

Signed-off-by: Eivin Giske Skaaren <eskaaren@yahoo.no>

Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Signed-off-by: Tomas Cohen Arazi <tomascohen@gmail.com>
2015-05-15 16:11:07 -03:00
Bernardo Gonzalez Kriegel
fe0709477a Bug 9000: Followup to fix tabs & closing TT directive
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Signed-off-by: Tomas Cohen Arazi <tomascohen@gmail.com>
2014-07-29 16:25:56 -03:00
1e9263cb5c Bug 9000 [4] - Update to GPL v3
Signed-off-by: Bernardo Gonzalez Kriegel <bgkriegel@gmail.com>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Signed-off-by: Tomas Cohen Arazi <tomascohen@gmail.com>
2014-07-29 16:25:47 -03:00
2da15b6435 Bug 9000 [3] - Change conf key from tmpl to template
Signed-off-by: Bernardo Gonzalez Kriegel <bgkriegel@gmail.com>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Signed-off-by: Tomas Cohen Arazi <tomascohen@gmail.com>
2014-07-29 16:25:37 -03:00
f159ad9b2b Bug 9000 [2] - Update included examples
Signed-off-by: Bernardo Gonzalez Kriegel <bgkriegel@gmail.com>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Signed-off-by: Tomas Cohen Arazi <tomascohen@gmail.com>
2014-07-29 16:25:28 -03:00
80884faa22 Bug 9000 [1] - Update rss.pl to use Template Toolkit
Signed-off-by: Bernardo Gonzalez Kriegel <bgkriegel@gmail.com>

Tested using script with sample conf files
RSS feeds generated are 'well formed' xml
Some koha-qa errors fixed in followup

Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Signed-off-by: Tomas Cohen Arazi <tomascohen@gmail.com>
2014-07-29 16:25:19 -03:00
Katrin Fischer
9f688ad92b Bug 5370: Fix all references to koha.org
Signed-off-by: Chris Cormack <chrisc@catalyst.net.nz>
2010-11-08 09:41:47 +13:00
Lars Wirzenius
87d845969e Fix FSF address in directory misc/
Signed-off-by: Galen Charlton <gmcharlt@gmail.com>
2010-03-16 20:17:54 -04:00
Galen Charlton
f74d63a1e5 bug 2864 [2/2]: move rss/* to misc/cronjobs/rss/*
As rss.pl is not a CGI script, moved it to join the
other cronjobs.  Full documentation of the script
is in misc/cronjobs/rss/rss.pl, but to summarize:

[1] rss.pl is run on the command line to produce
    an RSS XML document.  The output should be
    placed in a directory accessible to the OPAC
    (or staff) web interface so that users can download
    the RSS feed.  An example of usage:

    misc/cronjobs/rss.pl lastAcquired.conf

    Normally rss.pl should be run periodically (e.g., daily)
    to keep the feed up-to-date.

[2] The configuration file (e.g., lastAcquired.conf) lists

    * name of the template file to use
    * path of output file
    * SQL query

    rss.pl runs the SQL query, then feeds the output of the
    query through the template to produce the output file.

[3] The template file (e.g., lastAcquired.tmpl) uses
    HTML::Template syntax like any of the HTML
    templates for the web interface.

Signed-off-by: Galen Charlton <galen.charlton@liblime.com>
2008-12-17 08:02:34 -06:00