To test:
1 - Enable sysprefs
DumpTemplateVarsOpac
DumpTemplateVarsIntranet
2 - View some pages on staff client and opac
3 - View the page source
4 - See a large mass of comments including the page vars at the top of the source
5 - Refresh page and note order of vars changes
6 - Apply patch
7 - View page source on some pages and note things are much easier to read
8 - Refresh page and note variable order does not change
Signed-off-by: George Williams <george@nekls.org>
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
DumpTemplateVarsIntranet and DumpTemplateVarsOpac are devs tools to
display the variables sent to the template. They should not be filtered
otherwise it's getting complicate to read.
For instance: $VAR1 = { var => val }
Test plan:
Turn DumpTemplateVarsIntranet on
Go to the main page
Show the source of the page
Confirm that the variable are displayed as it and not filtered
Signed-off-by: Bernardo Gonzalez Kriegel <bgkriegel@gmail.com>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Here we go, next step then.
As we did not fix the performance issue when autofiltering
the variables (see bug 20975), the only solution we have is to add the
filters explicitely.
This patch has been autogenerated (using add_html_filters.pl, see next
pathces) and add the html filter to all the variables displayed in the
template.
Exceptions are made (using the new 'raw' TT filter) to the variable we
already listed in the previous versions of this patch.
To test:
- Use t/db_dependent/Koha/Patrons.t to populate your DB with autogenerated
data which contain <script> tags
- Remove them from borrower_debarments.comments (there are allowed here)
update borrower_debarments set comment="html tags possible here";
- From the interface hit page and try to catch alert box.
If you find one it means you find a possible XSS.
To know where it comes from:
* note the exact URL where you found it
* note the alert box content
* Dump your DB and search for the string in the dump to identify its
location (for instance table.field)
Next:
* Ideally we would like to use the raw filter when it is not necessary
to HTML escape the variables (in big loop for instance)
* Provide a QA script to catch missing filters (we want html, uri, url
or raw, certainly others that I am forgetting now)
* Replace the html filters with uri when needed (!)
Signed-off-by: Owen Leonard <oleonard@myacpl.org>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
TEST PLAN
---------
1) Install first two patches
2) do not install, or uninstall Template::Plugin::Stash
3) Upgrade to make sure system preference is added.
4) Set the system preference to turn it on for Staff and OPAC
5) Refresh staff -- kaboom
6) Load OPAC -- kaboom
7) Apply this patch
8) Reload staff and OPAC
-- nice HTML comment about what is wrong.
9) run koha qa test tools.
Signed-off-by: Bernardo Gonzalez Kriegel <bgkriegel@gmail.com>
Neat, runs well. Tested with/without sysprefs and Template::Plugin::Stash
No koha-qa errors
Signed-off-by: Jonathan Druart <jonathan.druart@koha-community.org>
It would be incredibly helpful if we could easily enable Koha to dump
all Template Toolkit variables to a comment for debugging purposes.
Test Plan:
1) Apply this patch
2) Run updatedatabase
3) Enable the new system preferences DumpTemplateVarsIntranet and
DumpTemplateVarsOpac
4) Load a page in the staff intranet, view the html source
5) Note the template toolkit variables are embedded in an html comment
6) Load a page in the opac, view the html source
7) Note the template toolkit variable are embedded in an html comment
NOTE: I had to cpan2deb Template::Plugin::Stash to test.
This is not optimal. Additionally:
http://www.template-toolkit.org/docs/modules/Template/Plugin/index.html
does not contain Stash. I suspect this was how it was
introduced initially by TT.
Signed-off-by: Mark Tompsett <mtompset@hotmail.com>
Signed-off-by: Bernardo Gonzalez Kriegel <bgkriegel@gmail.com>
Signed-off-by: Jonathan Druart <jonathan.druart@koha-community.org>
Signed-off-by: Tomas Cohen Arazi <tomascohen@unc.edu.ar>
This patch adds the name of the .tt file as a HTML comment to OPAC and Staff client pages.
To test:
Apply patch
Open pages in OPAC and Staff client.
Make sure that a comment similar to the following appears in the source code:
<!-- TEMPLATE FILE: intranet-main.tt -->
Signed-off-by: Aleisha Amohia <aleishaamohia@hotmail.com>
Signed-off-by: Katrin Fischer <Katrin.Fischer.83@web.de>
Signed-off-by: Tomas Cohen Arazi <tomascohen@gmail.com>
The goal of this theme is to provide a fully-responsive OPAC which
offers a high level of functionality across multiple devices with varied
viewport sizes. Its style is based on the CCSR theme, with elements of
the Bootstrap framework providing default styling of buttons, menus,
modals, etc.
The Bootstrap grid is used everywhere, but Bootstrap's default
responsive breakpoints have been expanded to allow for better
flexibility for our needs.
All non-translation-depended files are in the root directory of this new
theme:
css, images, itemtypeimg, js, less, and lib. Languages.pm has been
modified to ignore the new directories when parsing the theme language
directories.
This theme introduces the use of LESS (http://lesscss.org/) to build
CSS. Three LESS files can be found in the "less" directory: mixins.less,
opac.less, and responsive.less. These three files are compiled into one
CSS file for production: opac.css. "Base" theme styles are found in
opac.less. A few "mixins" (http://lesscss.org/#-mixins) are found in
mixins.less. Any CSS which is conditional on specific media queries is
found in responsive.less.
At the template level some general sturctural changes have been made.
For the most part JavaScript is now at the end of each template as is
recommended for performance reasons. JavaScript formerly in
doc-head-close.inc is now in opac-bottom.inc.
In order to be able to maintain this structure and accommodate
page-specific scripts at the same time the use of BLOCK and PROCESS are
added. By default opac-bottom.inc will PROCESS a "jsinclude" block:
[% PROCESS jsinclude %]
Each page template in the theme must contain this block, even if it is
empty:
[% BLOCK jsinclude %][% END %]
Pages which require that page-specific JavaScript be inserted can add it
to the jsinclude block and it will appear correctly at the bottom of the
rendered page.
The same is true for page-specific CSS. Each page contains a cssinclude
block:
[% BLOCK cssinclude %][% END %]
...which is processed in doc-head-close.inc:
[% PROCESS cssinclude %]
Using these methods helps us maintain a strict separation of CSS links
and blocks (at the top of each page) and JavaScript (at the bottom). A
few exceptions are made for some JavaScript which must be processed
sooner: respond.js (https://github.com/scottjehl/Respond, conditionally
applied to Internet Explorer versions < 9 to allow for layout
responsiveness), the _() function required for JS translatability, and
Modernizr (http://modernizr.com/, a script which detects browser
features and allows us to conditionally load JavaScript based on
available features--or lack thereof).
Another new JavaScript dependency in this theme is enquire.js
(http://wicky.nillia.ms/enquire.js/), which lets us trigger JavaScript
events based on viewport size.
I have made an effort to re-indent the templates in a sane way,
eliminating trailing spaces and tabs. However, I have not wrapped lines
at a specific line length. In order to improve template legibility I
have also tried to insert comments indicating the origin of closing tags
like <div> or template directives like [% END %]:
</div> <!-- / .container-fluid -->
[% END # / IF ( OpacBrowseResults && busc ) %]
TESTING
Proper testing of this theme is no easy task: Every template has been
touched. Each page should work reasonable well at a variety of screen
dimensions. Pages should be tested under many conditions which are
controlled by toggling OPAC system preferences on and off. A variety of
devices, platforms, and browsers should be tested.
Signed-off-by: Galen Charlton <gmc@esilibrary.com>