Here we go, next step then.
As we did not fix the performance issue when autofiltering
the variables (see bug 20975), the only solution we have is to add the
filters explicitly.
This patch has been autogenerated (using add_html_filters.pl, see next
patches) and adds the html filter to all the variables displayed in the
template.
Exceptions are made (using the new 'raw' TT filter) for the variables we
already listed in the previous versions of this patch.
To test:
- Use t/db_dependent/Koha/Patrons.t to populate your DB with autogenerated
data which contain <script> tags
- Remove them from borrower_debarments.comments (they are allowed here):
update borrower_debarments set comment="html tags possible here";
- From the interface, hit pages and try to catch an alert box.
If you find one it means you have found a possible XSS.
To know where it comes from:
* note the exact URL where you found it
* note the alert box content
* Dump your DB and search for the string in the dump to identify its
location (for instance table.field)
Next:
* Ideally we would like to use the raw filter when it is not necessary
to HTML escape the variables (in big loop for instance)
* Provide a QA script to catch missing filters (we want html, uri, url
or raw, certainly others that I am forgetting now)
* Replace the html filters with uri when needed (!)
Signed-off-by: Owen Leonard <oleonard@myacpl.org>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
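The commit above distinguishes three Template Toolkit filters (html, uri, raw) and warns that an html filter is the wrong choice where a value lands in a URL. The following is an added example, not code from the patch or from Koha: it models those filters as plain JavaScript functions and a tiny placeholder renderer that refuses to emit a variable with no filter at all (the default this commit could not get from autofiltering). The placeholder syntax, the variable names, the sample comment and the URL path are all constructed for the example; `uriFilter` assumes `encodeURIComponent` is a close enough stand-in for TT's `uri` filter.

```javascript
// Added example (not Koha code). Escaping for the html context: the five
// characters that let a value break out of text or an attribute.
const HTML_ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };

function htmlFilter(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Escaping for the uri context: percent-encode so the value cannot add or
// alter query parameters. Assumption: encodeURIComponent stands in for TT's uri filter.
function uriFilter(value) {
  return encodeURIComponent(String(value));
}

// Minimal renderer for placeholders of the form [% name | filter %].
// Every interpolation must name a filter; a bare [% name %] is an error
// rather than silently raw output.
function render(template, vars) {
  return template.replace(/\[%\s*(\w+)\s*(?:\|\s*(\w+))?\s*%\]/g, (match, name, filter) => {
    if (!(name in vars)) throw new Error(`unknown variable ${name}`);
    switch (filter) {
      case "html": return htmlFilter(vars[name]);
      case "uri":  return uriFilter(vars[name]);
      case "raw":  return String(vars[name]);   // caller vouches for the value
      default:     throw new Error(`variable ${name} has no filter`);
    }
  });
}

// Constructed sample data: a debarment comment carrying a script tag, the
// kind of value the test plan's autogenerated data contains.
const SAMPLE_COMMENT = "<script>alert(1)</script>";
const SAMPLE_ID = "42&x=y";

// Renders the comment in text context and the id inside a query string
// (constructed template and path, not a Koha page).
function demo() {
  const tpl = '<p>[% comment | html %]</p><a href="/search?id=[% id | uri %]">link</a>';
  return render(tpl, { comment: SAMPLE_COMMENT, id: SAMPLE_ID });
}
```

Running `demo()` shows the script tag reduced to inert text and the ampersand in the id percent-encoded so it cannot introduce a second parameter; swapping the two filters would leave the URL value breakable, which is the point of the commit's last "Next" item.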
This patch makes a third stab at resolving this issue by reorganizing
the authorities toolbar buttons to more closely match the bibliographic
toolbar buttons:
- "New from Z39.50" has been added to the "New authority" dropdown.
- "Edit" is now a dropdown, like on the bibliographic detail page:
- Edit record
- Edit as new (duplicate)
- Replace record via Z39.50/SRU
- Delete record
To test, apply the patch and go to the authorities module. Testing with
existing Z39.50 authority sources configured:
- On the authorities home page and the authorities search results
page, the "New authority" menu should have a "New from Z39.50" link.
- View the details for an authority record. The menus should appear as
described above. Test each option.
Remove all Z39.50 authority servers and test again. The "New from
Z39.50" link should no longer appear.
Signed-off-by: Charles Farmer <charles.farmer@inLibro.com>
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
This patch modifies even more staff client authorities templates so
that JavaScript is included in the footer instead of the header.
To test, apply the patch and test the JavaScript-driven features of the
modified templates: All button controls, DataTables functionality, tabs,
etc.
- Authorities
- New from Z39.50
-> Search
-> Results
- New from Z39.50
- Deletion confirmation
- Merge records -> Merge
- Tabs
- Tag selection
-> Authority detail
- Tabs
- Deletion confirmation
- New from Z39.50
Signed-off-by: Claire Gravely <claire.gravely@bsz-bw.de>
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Attempting to merge authorities results in the following error:
Uncaught SyntaxError: Unexpected token u authorities-home.pl:284
showMergingInProgress authorities-home.pl:284
(anonymous function) authorities-home.pl:297
o jquery.js:2
p.fireWith jquery.js:2
e.extend.ready jquery.js:2
c.addEventListener.B
This was the result of the upgrade of jquery-cookie by the patch
for bug 11369; newer versions of jquery-cookie changed the return of
$.cookie('foo') from null to undefined when the cookie is not present.
Signed-off-by: Bernardo Gonzalez Kriegel <bgkriegel@gmail.com>
No test plan, no errors.
Test
1. search some authorities
2. click merge; the reported error message pops up on the browser dev console:
'Unexpected token u authorities-home.pl...'
No way to merge auths
3. with patch applied, merging works again
Signed-off-by: Galen Charlton <gmc@esilibrary.com>
Signed-off-by: Tomas Cohen Arazi <tomascohen@gmail.com>
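The stack trace in this commit comes from a change in what the cookie helper returns for a missing cookie. The following is an added example, not Koha's code or jquery-cookie's: it models the two library behaviours the message describes (null before the upgrade, undefined after) over a constructed in-memory cookie jar, and shows why the pre-fix parsing pattern only breaks with the newer version, beside a reader that tolerates both. The cookie name `merge_state` and the stored payload are made up for the example.

```javascript
// Added example (not Koha code). A Map stands in for document.cookie;
// names and values here are constructed.
function makeJar(pairs) {
  return new Map(Object.entries(pairs));
}

// Older jquery-cookie: a missing cookie is reported as null.
function cookieOld(jar, name) {
  return jar.has(name) ? jar.get(name) : null;
}

// Newer jquery-cookie: a missing cookie is reported as undefined.
function cookieNew(jar, name) {
  return jar.get(name); // Map.get yields undefined when the key is absent
}

// The pre-fix pattern: hand whatever the helper returned straight to JSON.parse.
// JSON.parse(null) coerces to the text "null", which is valid JSON and yields null.
// JSON.parse(undefined) coerces to the text "undefined", whose first character
// is not valid JSON, hence "Unexpected token u".
function mergeStateUnsafe(cookieFn, jar) {
  return JSON.parse(cookieFn(jar, "merge_state"));
}

// Hardened reader: treat null and undefined alike as "no cookie", and do not
// let a malformed cookie value throw inside a page-ready handler.
function mergeStateSafe(cookieFn, jar) {
  const raw = cookieFn(jar, "merge_state");
  if (raw == null) return null; // loose equality catches both null and undefined
  try {
    return JSON.parse(raw);
  } catch (e) {
    return null; // a cookie the user can edit is untrusted input
  }
}

// Reports whether the unsafe pattern throws a SyntaxError for a given helper.
function failsOnMissingCookie(cookieFn) {
  try {
    mergeStateUnsafe(cookieFn, makeJar({}));
    return false;
  } catch (e) {
    return e instanceof SyntaxError;
  }
}
```

With the old helper the unsafe reader quietly returns null; with the new one it throws before the rest of the ready handler runs, which is the behaviour behind the trace above. The safe reader returns null in both cases and still parses a present, well-formed cookie.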
This patch rewrites authorities_js.inc so that the translate
script will process it correctly. To do that I added
<script></script> tags to the file.
To test:
1) Update po files for your preferred language
2) Check occurrence of mergeAuth on staff PO file
or try
egrep -n "Merging with authority: |Cancel merge"
strings appear in a JS func
3) Apply the patch
4) Update translations again, check again, old
strings now begin with #~ (obsoleted) and there
are new entries for the messages
5) Check functionality provided by script
Signed-off-by: Owen Leonard <oleonard@myacpl.org>
Signed-off-by: Katrin Fischer <Katrin.Fischer.83@web.de>
Works as described and fixes a translation difficulty.
Signed-off-by: Galen Charlton <gmc@esilibrary.com>
This patch gives Koha the ability to merge authority records using the
same interface used by bibliographic records, though with slightly different
methods for selecting which records to merge. The two ways to select
records are as follows:
1) Records can be selected from authority search results by clicking
the "Merge" link for two records.
2) Authority records can be merged from the reservoir by clicking the
merge-related links in the Manage staged MARC batch screen.
To test:
1) Apply patch.
2) Do a search for an authority record that will turn up multiple
identical records (or at least two records that you don't mind
merging).
3) Click the "Merge" link for the first record.
4) Click the "Merge" link for the second record.
5) Choose which fields from which record you want to appear in the
resulting record.
6) Confirm that those are the fields that exist in the resulting record.
7) Stage an authority record (for example, an authority record you
saved from your catalog).
8) Search for a record to merge with it using the "Search for a record
to merge in a new window" link.
9) Merge these records, confirming that the resulting record (after
going through the entire merging process) matches your expectations.
10) Set up a matching rule for authorities, and export an authority from
your catalog that will match based on that rule. For MARC21, the
following is a good choice for a rule:
Matching rule code: AUTHPER
Description: Personal name main entry
Match threshold: 999
Record type: Authority record
[Match point 1:]
Search index: mainmainentry
Score: 1000
Tag: 100
Subfields: a
11) Stage the record you just exported, choosing the matching rule you
just created.
12) Merge the record using the "Merge" link, confirming that the
resulting record (after going through the entire merging process)
matches your expectations.
Signed-off-by: Chris Cormack <chrisc@catalyst.net.nz>
Signed-off-by: Katrin Fischer <Katrin.Fischer.83@web.de>
Testing notes on last patch in series.
Signed-off-by: Galen Charlton <gmc@esilibrary.com>