Commit graph

12 commits

Author SHA1 Message Date
Jonathan Druart
dcd1f5d48c Bug 13618: Add html filters to all the variables
Here we go, next step then.
As we did not fix the performance issue when autofiltering
the variables (see bug 20975), the only solution we have is to add the
filters explicitly.

This patch has been autogenerated (using add_html_filters.pl, see next
patches) and adds the html filter to all the variables displayed in the
template.
Exceptions are made (using the new 'raw' TT filter) for the variables we
already listed in the previous versions of this patch.

To test:
- Use t/db_dependent/Koha/Patrons.t to populate your DB with autogenerated
data which contain <script> tags

- Remove them from borrower_debarments.comments (they are allowed here)
update borrower_debarments set comment="html tags possible here";

- From the interface, hit pages and try to catch an alert box.
If you find one it means you have found a possible XSS.
To know where it comes from:
* note the exact URL where you found it
* note the alert box content
* Dump your DB and search for the string in the dump to identify its
location (for instance table.field)

Next:
* Ideally we would like to use the raw filter when it is not necessary
to HTML escape the variables (in big loops, for instance)
* Provide a QA script to catch missing filters (we want html, uri, url
or raw, certainly others that I am forgetting now)
* Replace the html filters with uri when needed (!)

Signed-off-by: Owen Leonard <oleonard@myacpl.org>

Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>

Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
2018-08-17 15:55:05 +00:00
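An added example, not Koha's own code, showing what the explicit filters in the commit above achieve: the same stored value containing a `<script>` tag is rendered once through Template Toolkit's built-in `html` filter and once through a `raw` filter. Template Toolkit has no built-in `raw` filter (the commit adds one to Koha), so a hypothetical pass-through stand-in is registered here; the patron value is constructed.

```perl
#!/usr/bin/env perl
# Added example, not Koha's own code: what an explicit 'html' filter does
# to a stored value containing a <script> tag, versus the 'raw' exception.
use strict;
use warnings;
use Template;

# 'raw' is not a built-in Template Toolkit filter; the commit adds one to
# Koha. Here it is assumed to be a plain pass-through (hypothetical stand-in).
my $tt = Template->new( { FILTERS => { raw => sub { return $_[0] } } } )
    or die Template->error();

# Constructed sample value standing in for a patron field that
# t/db_dependent/Koha/Patrons.t would have populated with a <script> tag.
my $surname = q{Doe<script>alert("xss")</script>};

# Every displayed variable gets the html filter, as the autogenerated patch
# does; TT's html filter turns &, <, > and " into entities.
my $escaped_tmpl = q{<td>[% surname | html %]</td>};

# The exception: 'raw' emits the value unchanged, so it is only acceptable
# for values the application itself generated as safe markup.
my $raw_tmpl = q{<td>[% surname | raw %]</td>};

sub render {
    my ( $tmpl, $vars ) = @_;
    my $out = '';
    $tt->process( \$tmpl, $vars, \$out ) or die $tt->error();
    return $out;
}

my $vars = { surname => $surname };

my $html_out = render( $escaped_tmpl, $vars );
# The check a reviewer wants: no executable tag survives escaping.
die "html filter failed to neutralise <script>\n" if $html_out =~ /<script/i;
print "html: $html_out\n";

my $raw_out = render( $raw_tmpl, $vars );
# Same input through 'raw' reaches the page verbatim: this is exactly what
# the test plan hunts for with alert boxes, so 'raw' must stay an exception.
print "raw:  $raw_out\n";
```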
Mark Tompsett
c0a52bb198 Bug 13948: Prevent explosion when Template::Plugin::Stash not installed
TEST PLAN
---------
1) Install first two patches
2) do not install, or uninstall Template::Plugin::Stash
3) Upgrade to make sure system preference is added.
4) Set the system preference to turn it on for Staff and OPAC
5) Refresh staff -- kaboom
6) Load OPAC -- kaboom
7) Apply this patch
8) Reload staff and OPAC
   -- nice HTML comment about what is wrong.
9) run koha qa test tools.

Signed-off-by: Bernardo Gonzalez Kriegel <bgkriegel@gmail.com>

Neat, runs well. Tested with/without sysprefs and Template::Plugin::Stash.
No koha-qa errors.

Signed-off-by: Jonathan Druart <jonathan.druart@koha-community.org>
2015-07-28 10:30:21 -03:00
aa356f47ea Bug 13948: Add ability to dump template toolkit variables to html comment
It would be incredibly helpful if we could easily enable Koha to dump
all Template Toolkit variables to a comment for debugging purposes.

Test Plan:
1) Apply this patch
2) Run updatedatabase
3) Enable the new system preferences DumpTemplateVarsIntranet and
   DumpTemplateVarsOpac
4) Load a page in the staff intranet, view the html source
5) Note the template toolkit variables are embedded in an html comment
6) Load a page in the opac, view the html source
7) Note the template toolkit variables are embedded in an html comment

NOTE: I had to cpan2deb Template::Plugin::Stash to test.
      This is not optimal. Additionally:
      http://www.template-toolkit.org/docs/modules/Template/Plugin/index.html
      does not contain Stash. I suspect this was how it was
      introduced initially by TT.

Signed-off-by: Mark Tompsett <mtompset@hotmail.com>
Signed-off-by: Bernardo Gonzalez Kriegel <bgkriegel@gmail.com>

Signed-off-by: Jonathan Druart <jonathan.druart@koha-community.org>
Signed-off-by: Tomas Cohen Arazi <tomascohen@unc.edu.ar>
2015-07-28 10:29:43 -03:00
Marc Véron
8523a01f47 Bug 13112 - Add name of template file in html comment for each '.tt' file.
This patch adds the name of the .tt file as an HTML comment to OPAC and Staff client pages.

To test:
Apply patch
Open pages in OPAC and Staff client.
Make sure that a comment similar to the following appears in the source code:
<!-- TEMPLATE FILE: intranet-main.tt -->

Signed-off-by: Aleisha Amohia <aleishaamohia@hotmail.com>
Signed-off-by: Katrin Fischer <Katrin.Fischer.83@web.de>
Signed-off-by: Tomas Cohen Arazi <tomascohen@gmail.com>
2014-10-28 10:45:32 -03:00
47609920b7 Bug 9265 - Switch to HTML5 doctype in OPAC and staff client
This patch replaces the XHTML DOCTYPE with an HTML5 one. The HTML5
validator seems to be significantly different than the XHTML one,
so I'm seeing lots of new errors. This patch includes corrections
for one: Deprecation of the "language" attribute of <script>
tags.

To test, view pages in the OPAC and staff client. They should
appear as normal. Numerous validation follow-ups will be required,
but I suggest these be handled incrementally.

Signed-off-by: Jonathan Druart <jonathan.druart@biblibre.com>
Tested on some intranet pages and I found no regression (Chromium and
Firefox).
The w3c page about the doctype: http://www.w3.org/TR/html5-diff/#doctype

Signed-off-by: Mason James <mtj@kohaaloha.com>
Signed-off-by: Jared Camins-Esakov <jcamins@cpbibliography.com>
2013-01-31 11:47:04 -05:00
143e3e6541 Fix for Bug 6458 - incorrect parsing result in translation processing
Correcting doc-head-open.inc (again?).

Signed-off-by: Chris Cormack <chrisc@catalyst.net.nz>
2011-09-15 08:39:31 +12:00
d44896079b Fix for Bug 6186 - Change to DOCTYPE declaration causing validation errors
In the transition to Template::Toolkit a part of the DOCTYPE includes
got its case switched, making it invalid: XHTML was changed to Xhtml

Correcting the case quiets errors in the validator.

Signed-off-by: Chris Cormack <chrisc@catalyst.net.nz>
2011-04-15 10:15:32 +12:00
Chris Cormack
5884fb1000 Bug 5917 : Swapping templates over
2011-04-10 20:38:30 +12:00
Joshua Ferraro
0f4d5673f4 add xml language entities
Signed-off-by: Joshua Ferraro <jmf@liblime.com>
2008-01-05 02:59:01 -06:00
Joshua Ferraro
a929fc2dae adding bi-directional support to the OPAC based on the language
selected (Hebrew and Arabic currently set)

Signed-off-by: Joshua Ferraro <jmf@liblime.com>
2008-01-05 02:58:46 -06:00
kados
5f4542992a This is a minor change, but affects all templates:
previously, it wasn't possible to insert anything into the <head> on
an individual template unless it was the title of the page. Now, the
structure is a bit more flexible to allow additional head elements to
be included.
2007-03-11 21:08:11 +00:00
oleonard
f1c85801de First draft of programmer's templates: a stripped-down version of the templates for use by programmers in adding and testing new functionality. Template-authors can use these templates to track changes that need to be incorporated into their custom templates.
2005-07-19 20:42:46 +00:00