Commit graph

5 commits

Author SHA1 Message Date
917ec3700e Bug 13618: Manually replace missing .raw
Signed-off-by: Owen Leonard <oleonard@myacpl.org>

Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>

Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
2018-08-17 15:55:10 +00:00
Jonathan Druart
dcd1f5d48c Bug 13618: Add html filters to all the variables
Here we go, next step then.
As we did not fix the performance issue when autofiltering
the variables (see bug 20975), the only solution we have is to add the
filters explicitely.

This patch has been autogenerated (using add_html_filters.pl, see next
pathces) and add the html filter to all the variables displayed in the
template.
Exceptions are made (using the new 'raw' TT filter) to the variable we
already listed in the previous versions of this patch.

To test:
- Use t/db_dependent/Koha/Patrons.t to populate your DB with autogenerated
data which contain <script> tags

- Remove them from borrower_debarments.comments (there are allowed here)
update  borrower_debarments set comment="html tags possible here";

- From the interface hit page and try to catch alert box.
If you find one it means you find a possible XSS.
To know where it comes from:
* note the exact URL where you found it
* note the alert box content
* Dump your DB and search for the string in the dump to identify its
location (for instance table.field)

Next:
* Ideally we would like to use the raw filter when it is not necessary
to HTML escape the variables (in big loop for instance)
* Provide a QA script to catch missing filters (we want html, uri, url
or raw, certainly others that I am forgetting now)
* Replace the html filters with uri when needed (!)

Signed-off-by: Owen Leonard <oleonard@myacpl.org>

Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>

Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
2018-08-17 15:55:05 +00:00
8669dc1548 Bug 19608: (QA follow-up) Fix redirect on localization modal
This patch makes two minor corrections:

1. The item types localization modal redirect problem has been fixed by
   excluding the anti-clickjack code from executing in the footer.
2. The sidebar menu highlighting script has been modified to correctly
   handle the clone-rules page.

Signed-off-by: Josef Moravec <josef.moravec@gmail.com>

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
2017-12-26 12:52:33 -03:00
2a4e76876b Bug 19608: Move admin templates JavaScript to the footer: The rest
This patch modifies the staff client administration templates so that
JavaScript is included in the footer instead of the header.

To test, apply the patch and test the JavaScript-driven features of the
modified templates: All button controls, DataTables functionality, tabs,
etc.

To test the changes to localization.tt you must have more than one
translation installed. Go to admin/itemtypes.pl, edit an itemtype, and
click the 'Translate into other languages' link.

To test the changes to sur_modmapping.tt, go to admin/z3950servers.pl
and create a new SRU server. Click the 'Modify' button next to 'SRU
Search fields mapping'

Signed-off-by: Claire Gravely <claire.gravely@bsz-bw.de>

Signed-off-by: Josef Moravec <josef.moravec@gmail.com>

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
2017-12-26 12:52:33 -03:00
toins
1a3956496d Header & footer for popup 2006-07-12 10:58:28 +00:00