Here we go, next step then.
As we did not fix the performance issue when autofiltering
the variables (see bug 20975), the only solution we have is to add the
filters explicitely.
This patch has been autogenerated (using add_html_filters.pl, see next
pathces) and add the html filter to all the variables displayed in the
template.
Exceptions are made (using the new 'raw' TT filter) to the variable we
already listed in the previous versions of this patch.
To test:
- Use t/db_dependent/Koha/Patrons.t to populate your DB with autogenerated
data which contain <script> tags
- Remove them from borrower_debarments.comments (there are allowed here)
update borrower_debarments set comment="html tags possible here";
- From the interface hit page and try to catch alert box.
If you find one it means you find a possible XSS.
To know where it comes from:
* note the exact URL where you found it
* note the alert box content
* Dump your DB and search for the string in the dump to identify its
location (for instance table.field)
Next:
* Ideally we would like to use the raw filter when it is not necessary
to HTML escape the variables (in big loop for instance)
* Provide a QA script to catch missing filters (we want html, uri, url
or raw, certainly others that I am forgetting now)
* Replace the html filters with uri when needed (!)
Signed-off-by: Owen Leonard <oleonard@myacpl.org>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
This patch modifies several acquisitions templates to use the Bootstrap
grid instead of YUI.
This patch also removes obsolete "text/javascript" attributes from
<script> tags.
To test, apply the patch and view the following pages, confirming that
they look correct at various browser widths:
- Acquisitions -> Home page
- Acquisitions -> Vendor search results
- Acquisitions -> Vendor -> Basket groups
-> Edit
- Acquisitions -> EDIFACT messages
-> View EDIFACT message
Signed-off-by: Dilan Johnpullé <dilan@calyx.net.au>
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
Having to write [% KOHA_VERSION %] for each url is bad because:
- It's easily forgettable when adding new <script> or <link>
- It prevents grep'ing for the full filename
- It violates the DRY principle
- If at some point we want to change the "force js and css reload"
mechanism, it will be tedious
This patch:
- adds a Template::Toolkit plugin that generates <script> and
<link> tags for JS and CSS files, and inserts automatically the Koha
version in the filename
- use the new plugin to remove all occurences of [% KOHA_VERSION %]
- remove the code that was adding KOHA_VERSION as a template variable
Test plan:
1. Apply patch
2. Go to several different pages in Koha (opac and intranet) while
checking your browser's dev tools (there should be no 404 for JS and
CSS files, and the Koha version should appear in filenames) and the
server logs (there should be no "File not found")
3. `git grep KOHA_VERSION` should return nothing
4. prove t/db_dependent/Koha/Template/Plugin/Asset.t
Signed-off-by: Josef Moravec <josef.moravec@gmail.com>
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
This patch modifies some staff client acquisitions templates so that
JavaScript is included in the footer instead of the header.
This patch adds a JavaScript file, acquisitions-menu.js, which controls
the highlighting of the current page in the sidebar. Highlighting will
be temporarily broken for pages which have not been modified to include
this file
To test, apply the patch and test the JavaScript-driven features of the
modified templates: All button controls, DataTables functionality, tabs,
etc.
- Acquisitions home page
- Datatable, Inactive budget controls
- Vendor search results
- Acquisitions -> Vendor search
- Datatables, "Show all" links
- Basket
- Acquisitions -> Vendor -> Basket
- Datatables, button controls, add managing user
- Add to basket from a staged file
- Acquisitions -> Vendor -> Basket -> Add to basket from a staged file
- Datatables, tabs, selection controls
- Edit basket
- Acquisitions -> Vendor -> Edit basket
- Form validation
- EDIFACT messages
- Acquisitions -> EDIFACT messages
- Datatables, message preview
- Orders search
- Acquisitions -> Order search
- Full orders search form
- Patron autocomplete in "Basket created by" field
- Datepickers
- Orders search results
- Datatables, column visibility
- Invoices
- Acquisitions -> Vendor -> Invoices -> Invoice
- Form validation, datepickers, datatables
- Invoice files (enable AcqEnableFiles preference)
- Manage invoice files
- File list datatable
Signed-off-by: Simon Pouchol <simon.pouchol@biblibre.com>
Signed-off-by: Josef Moravec <josef.moravec@gmail.com>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
This followup tweaks some CSS and markup in order to correct conflicts
between default Bootstrap styles and the expected (previous) style of
the staff client. Included:
- Corrections to the widths of some modals.
- Corrections to the style of the <pre> tag, seen often in MARC preview
modals.
- Corrections to the default active and hover states for dropdown menus.
To test, apply the patch and view various pages which use Bootstrap
modals, confirming that they look correct.
- Add order from staged file MARC preview
- Add order from external source MARC preview
- Cataloging record merge MARC preview
- Batch record modification MARC preview
- Authorities Z39.50 search MARC preview
Signed-off-by: Claire Gravely <claire_gravely@hotmail.com>
Signed-off-by: Jonathan Druart <jonathan.druart@biblibre.com>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Signed-off-by: Owen Leonard <oleonard@myacpl.org>
Signed-off-by: Jonathan Druart <jonathan.druart@biblibre.com>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Confirm that I have not missed any places where there is 'loading-small.gif'
Have amended patch to not include OPAC changes from previous patch.
Sponsored-by: Catalyst IT
Signed-off-by: Owen Leonard <oleonard@myacpl.org>
Signed-off-by: Jonathan Druart <jonathan.druart@biblibre.com>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
This patch makes several improvements to the EDIFACT messages template
to make it more consistent with similar interfaces in Koha. Changes to
edimsg.tt are made to simplify the display of the data in a modal.
This patch also corrects a couple of markup errors.
To test you must have multiple rows of data in the edifact_messages
table. I tested with dummy data I inserted manually. Should should have
some rows which use 'QUOTE' and 'ORDERS' as the message_type.
To test deletions you may need to apply the patch for Bug 16737.
- Apply the patch and go to Acquisitions -> EDIFACT messages.
- In the table of messages, the date should be displayed according to
your system preference.
- Sorting by date should work correctly regardless of date format
setting.
- The 'Actions' column should contain 'View message' and 'Delete'
Bootstrap-style buttons with Font Awesome icons. The column should be
unsorted.
- Clicking the 'Delete' button should prompt you to confirm.
- Clicking the 'View message' button should trigger a modal which loads
the message data.
- Test the page with no messages or when all messages have been
deleted. The page should display a standard message dialog instead of
an empty table.
Signed-off-by: Nicole C Engard <nengard@bywatersolutions.com>
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Some templates use Edifact and edifact. As EDIFACT
is an abbreviation, we should spell it like one.
To test:
- Check templates for occurrences of EDIFACT
- acquisitions navigation menu
- basket page
- basketgroup page
- EDIFACT messages page
- Verify changes are correct
Signed-off-by: Hector Castro <hector.hecaxmmx@gmail.com>
Changes are correct
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Signed-off-by: Jesse Weaver <jweaver@bywatersolutions.com>
The staff client CSS is not language-specific, so it can be moved out of
the en/ directory and thus not be duplicated for every translation.
In order to be able to have a generic path to the YUI CSS files, the YUI
directory is moved by this patch to the staff client's lib/ directory.
To test, apply the patch and visit various pages in the staff client.
Look in particular at pages which include more than the standard CSS.
For example:
- The staff client login page.
- The staff client home page.
- Patron -> Set permissions.
- The advanced cataloging editor.
- Acquisitions -> Vendor -> Basket groups.
- Tools -> News -> Edit news.
- Administration -> System preferences.
Revised: I intended for this to be built on top of Bug 15883. Now it is.
Signed-off-by: Bernardo Gonzalez Kriegel <bgkriegel@gmail.com>
On top of 15883
Works as described, all pages on test plan
No Errors
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Add support for processing incoming Edifact Quotes, Invoices
and order responses and generating and transmission of
Edifact Orders.
Basic workflow is that an incoming quote generates an aquisition
basket in Koha, with each line corresponding to an order record
The user can then generate an edifact order from this (or another)
basket, which is transferred to the vendor's site
The supplier generates an invoice on despatch and this will
result in corresponding invoices being generated in Koha
The orderlines on the invoice are receipted automatically.
We also support order response messages. This may include
simple order acknowledgements, supplier reports/amendments
on availability. Cancellation messages cause the koha order
to be cancelled, other messages are recorded against the order
Which messages are to be supported/processed is specifiable on a
vendor by vendor basis via the admin screens
You can also specify auto order i.e. to generate orders from quotes
without user intervention - This reflects existing
workflows where most work is done on the suppliers website
then generating a dummy quote
Received messages are stored in the edifact_messages table
and the original can be viewed via the online
Database changes are in installer/data/mysql/atomicchanges/edifact.sql
Note new perl dependencies:
Net::SFTP:Foreign
Text::Unidecode
Signed-off-by: Paul Johnson <p.johnson@staffs.ac.uk>
Signed-off-by: Sally Healey <sally.healey@cheshiresharedservices.gov.uk>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Signed-off-by: Brendan A Gallagher <brendan@bywatersolutions.com>