Commit graph

15 commits

Author SHA1 Message Date
Chris Cormack
c47c835672 Bug 16597: Fix XSS in opac-shareshelf
To test
1/ Go to /cgi-bin/koha/opac-shareshelf.pl?op="><script>alert('XSS')</script>&shelfnumber=5
2/ Notice you see a js alert
3/ Apply patch
4/ It is gone

Reported by
Alex Middleton at Dionach

Signed-off-by: Chris Cormack <chris@bigballofwax.co.nz>

Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>

Signed-off-by: Brendan Gallagher <brendan@bywatersolutions.com>
2016-05-30 11:14:03 +00:00
a44a930c07 Bug 16599: Fix XSS in opac-shareshelf.pl
Test plan:
- Create a list with the name "<script>alert(1)</script>"
- On the shelf list, click on share
=> Without this patch you will see the JS alert
=> With this patch applied you won't see it

Reported by Kaybee at Dionach

Signed-off-by: Chris Cormack <chrisc@catalyst.net.nz>
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>

Signed-off-by: Brendan Gallagher <brendan@bywatersolutions.com>
2016-05-30 11:12:15 +00:00
ac541e0fa1 Bug 15344: Remove unnecessary call to GetMemberDetails
This subroutine does a lot of processing and should only be called when
necessary.
In the get_template_and_user subroutine (so called from any page of
Koha), it is called to pass the branchcode, title, firstname, surname and
borrowernumber values for the logged-in user.
This subroutine calls GetMemberAccountRecords, which retrieves the item
info for all accountlines entries of the logged-in user.
On members/members.pl, let's say you have 74 entries in the accountlines
table, the page will execute 115 SELECT instead of 35 if you don't have any
accountlines entries.
With this patch, the number of SELECT is always 31.

To test this patch you should have technical skills to know what to do.

Note that USER_INFO was an array of... 1 element. Now it's a hashref.

Signed-off-by: Marc Véron <veron@veron.ch>

Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>

Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
2015-12-30 11:53:18 +00:00
927eee4ca2 Bug 14544: Fix 'Back to lists' links on sharing a shelf
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
2015-11-05 10:00:32 -03:00
8cd4dc9bb7 Bug 14544: QA fixes - some minor bug fixes
See comment 171 and 172 for more details.

This patch mainly fixes typos or silly errors in templates.

It also uses the relationships added by previous patch to join the
biblioitems and items tables (changes in opac-shelves.pl and
shelves.pl).

Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
2015-11-05 10:00:31 -03:00
f510627842 Bug 14544: Make the OPAC side independent of Page.pm
Bug 14544: Fix redirect on editing a list

If you edit a list from the list view, after saving the form, you are
not redirected to the list view (but on the edit form).

Bug 14544: Cosmetic: &rsaquo; should be a class divider

Signed-off-by: Alex Arnaud <alex.arnaud@biblibre.com>

Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
2015-11-05 09:58:01 -03:00
Mark Tompsett
cb28aa454a Bug 5025: discrepancy between opac doc-head-open.inc and staff doc-head-open.inc
http://library.debiankoha.ca/cgi-bin/koha/errors/400.pl
http://library.debiankoha.ca/cgi-bin/koha/errors/401.pl
http://library.debiankoha.ca/cgi-bin/koha/errors/402.pl
http://library.debiankoha.ca/cgi-bin/koha/errors/403.pl
http://library.debiankoha.ca/cgi-bin/koha/errors/404.pl
http://library.debiankoha.ca/cgi-bin/koha/errors/500.pl
http://library.debiankoha.ca/cgi-bin/koha/ilsdi.pl
Set OpacMaintenance to "Show" in the Staff client system preferences.
http://library.debiankoha.ca/cgi-bin/koha/maintenance.pl
Set OpacMaintenance to "Don't show" in the Staff client system preferences.
http://library.debiankoha.ca/cgi-bin/koha/opac-ISBDdetail.pl?biblionumber=5390
http://library.debiankoha.ca/cgi-bin/koha/opac-MARCdetail.pl?biblionumber=5390
Log into OPAC Client
http://library.debiankoha.ca/cgi-bin/koha/opac-account.pl
http://library.debiankoha.ca/cgi-bin/koha/opac-search.pl
-- This is actually the advanced search.
FIXME: Don't know how to trigger opac-alert-subscribe.tt
FIXME: Don't know how to trigger opac-auth-MARCdetail.tt
FIXME: Don't know how to trigger opac-auth-detail.tt
FIXME: Don't know how to trigger opac-auth.tt
Click 'Authority search' in OPAC
Click 'Submit'
Search for something in the catalog
Click 'Select all'
Change 'With selected titles:' drop down to 'cart'
View the cart.
Click 'Send'
Click 'Cancel'
Click 'Download'
Click 'Cancel'
Close cart window
Search for something in the catalog
Select 'Select all'
Change 'With selected titles:' drop down to '[ New List ]'
Save the list
Click 'Lists'
Click the list you saved
Click 'Download list'
Click 'Cancel'
Click 'Send list'
Click 'Cancel'
Copy the URL from download list and remove the '&context=modal'
Click 'Cancel'
http://library.debiankoha.ca/cgi-bin/koha/opac-blocked.pl
http://library.debiankoha.ca/cgi-bin/koha/opac-browser.pl
FIXME: Don't know how to trigger opac-course-details.tt
http://library.debiankoha.ca/cgi-bin/koha/opac-course-reserves.pl
http://library.debiankoha.ca/cgi-bin/koha/opac-detail.pl?biblionumber=5336
FIXME: Don't know how to trigger opac-full-serial-issues.tt
http://library.debiankoha.ca/cgi-bin/koha/opac-imageviewer.pl
http://library.debiankoha.ca/cgi-bin/koha/opac-main.pl
Click on the user name in the top area.
Click the 'your personal details' tab.
Change the birth date.
Click 'Submit'
http://library.debiankoha.ca/cgi-bin/koha/opac-messaging.pl
http://library.debiankoha.ca/cgi-bin/koha/opac-overdrive-search.pl
Click on the user name in the top area.
Click the 'change your password' tab.
Set OPACPrivacy to "Allow" in the Staff client system preferences.
Refresh OPAC page
click on the user name in the top area.
Click the 'your privacy' tab.
Click the 'your reading history' tab.
Change the PatronSelfRegistration to "Allow" in the Staff client system preferences.
Change the PatronSelfRegistrationCategory to "PT" or some other valid patron category code.
Change the PatronSelfRegistrationAdditionalInstructions to something.
Refresh OPAC page
Log out
Click the 'Register Here' link.

Signed-off-by: Bernardo Gonzalez Kriegel <bgkriegel@gmail.com>
Tested most pages, inspected all of them.
No errors

Signed-off-by: Jonathan Druart <jonathan.druart@koha-community.org>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
2015-06-22 17:04:48 -03:00
Jonathan Druart
c7a8e4dd25 Bug 14266: Trim the email address in the pl script
The original concern of bug 14266 was to provide a compatibility for
<IE9.
But actually we don't need to trim the email address on the template side.
It will be even better to trim it in the Perl script, so that the email
will be trimmed even if JS is disabled.

Test plan:
1/ Share a list and do not provide any email address
2/ Submit
=> The form is not submitted, no alert/message is displayed (same as
before this patch).
3/ Share a list and provide an email address with spaces before and
after
4/ Submit
=> You should receive the email

Signed-off-by: Indranil Das Gupta (L2C2 Technologies) <indradg@gmail.com>
Test output compliant with expected test plan outcome.

Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Signed-off-by: Tomas Cohen Arazi <tomascohen@gmail.com>
2015-06-01 14:15:58 -03:00
e1ac8b4310 Bug 14266: Replace trim() with $.trim() in opac-shareshelf.tt
This patch replaces trim() with $.trim() which is supported
in versions of IE older than IE9.

Revised test plan
=================

Before applying patch:

0) Use IE 8 or Document Mode 8 in a newer IE using F12 Developer Tools
1) Set OpacAllowSharingPrivateLists to "Allow" in Global System Preferences
2) Create a private list in the OPAC
3) Add a record to the private list
4) Click "Share" or "Share list" on one of the list screens
5) Type in an email address and click "Send"
6) Note the error in the console log
7) The page should submit

Apply the patch:

7) Hold shift + refresh the browser to update any Javascript cache
8) Try to "Share" the list again
9) Note that the form submits after clicking "Send" and
that there are no errors in the console log

http://bugs.koha-community.org/show_bug.cgi?id=14266

Signed-off-by: Indranil Das Gupta <indradg@gmail.com>
Remarks: Works as per revised test plan
Signed-off-by: Tomas Cohen Arazi <tomascohen@gmail.com>
2015-06-01 14:15:47 -03:00
Katrin Fischer
fecffe6ebc Bug 13857: Email field for sharing is a bit short
The email field for sharing a list with another patron is
a bit short.

To test:
- Make sure OpacAllowSharingPrivateLists is activated
- Create a list in OPAC
- Use the "Share list" link to share with another user
- Check the length of the email field and if you like it
  better with this patch applied

Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Tomas Cohen Arazi <tomascohen@gmail.com>
2015-03-31 11:30:54 -03:00
1b695f7dd7 Bug 13095: An email will be sent shortly
This patch adjusts two instances where Koha says that an email has
been sent while it is just enqueued (put in the message queue). The
crontab example still suggests to run process_message_queue once an hour
and the manual even speaks about 1-4 hours.

In the process of selfregistration and sharing a shelf, I have adjusted
the text "has been sent" to "will be sent shortly". This covers imo
the one-hour frequency.

When writing this patch, I have examined all calls of EnqueueLetter;
I only found these two occurrences to be of interest.

Note: I would recommend to increase this frequency in the documentation,
but consider that for now to be outside the scope of this report.

Test plan:
[1] Self-register a new user with verification by email required. Look at
    the text when you submit your data.
[2] Share a list with someone else. Look at the text when you submit the
    invitation.

Signed-off-by: Chris Cormack <chris@bigballofwax.co.nz>
Signed-off-by: Katrin Fischer <Katrin.Fischer.83@web.de>
Works as described, small string change.

Signed-off-by: Tomas Cohen Arazi <tomascohen@gmail.com>
2014-10-28 10:46:18 -03:00
Marc Véron
6246f2c700 Bug 12162 - Add class="branchcode" to body tag to make OPAC CSS-styleable per branch
This patch adds a branch-specific class to all OPAC pages.

Example:
If not logged in, opac-main.pl displays:
<body ID="opac-main" class="branch-default" >
If logged in at branch FFL, it displays:
<body ID="opac-main" class="branch-FFL" >

If you log in, opac-user.pl should display
<body ID="opac-user" class="branch-FFL scrollto" >

To test:
1)
Apply patch.

2)
Add to syspref OPACUserCSS something highly visible, e.g. for branch FFL:
.branch-FFL {
background-color: yellow;
border: 10px solid red;
}

3)
Go to OPAC and log in with a user with home branch FFL

4)
Verify that colors change as appropriate.

5)
Log out. Verify that colors display as before or as defined in class branch-default in OPACUserCSS

6)
Display patch in patch diff view, verify that ids and classes in body tag are consistent with params bodyid and bodyclass in INCLUDE line

7)
Search for regressions

Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>

Signed-off-by: Jonathan Druart <jonathan.druart@biblibre.com>
Signed-off-by: Tomas Cohen Arazi <tomascohen@gmail.com>
2014-09-23 15:39:31 -03:00
Galen Charlton
7e30b4dbc8 Bug 9032: (follow-up) wording tweaks
- "share his list" => "share a list"
- "any valid email" => "a valid email"

Signed-off-by: Galen Charlton <gmc@esilibrary.com>
2014-04-20 22:00:46 +00:00
6713ec802a Bug 9032: (follow-up) loop variable and Cancel button
[1] Use loop variable instead of $_ in opac-shareshelf.pl
[2] Adds Cancel button to Invite form (prog and bootstrap) in
    opac-shareshelf.tt.  Likewise adds Return link under an error
    message in opac-shareshelf.tt.

Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Jonathan Druart <jonathan.druart@biblibre.com>
Signed-off-by: Galen Charlton <gmc@esilibrary.com>
2014-04-20 21:26:21 +00:00
21743636af Bug 9032: (follow-up) add support for bootstrap theme
Adds new template opac-shareshelf.tt.
Modifies template opac-shelves.tt: Share button, Remove Share button,
label "Your lists" instead of "Your private lists", list category
Shared.

Test plan:
Verify that the "Share a list" features work in bootstrap by:
[1] Switch to bootstrap. Go to Lists.
[2] Share one of your private lists.
[3] Login as another user and accept the invitation.
[4] Remove the share again.
[5] Check if Share and Remove share do not popup for public lists.

Signed-off-by: Dobrica Pavlinusic <dpavlin@rot13.org>
Signed-off-by: Jonathan Druart <jonathan.druart@biblibre.com>
Signed-off-by: Galen Charlton <gmc@esilibrary.com>
2014-04-20 21:22:22 +00:00