Commit graph

27 commits

Author SHA1 Message Date
368a9b1d53 Bug 21570: Update two-column templates with Bootstrap grid: Various
This patch modifies several assorted templates to use the
Bootstrap grid instead of YUI.

This patch also removes obsolete "text/javascript" attributes from
<script> tags and "text/css" attributes from <style> tags in the
modified templates.

To test, apply the patch and view the following pages, confirming that
they look correct at various browser widths:

 - Administration -> Plugins
 - Tools -> Comments
 - Acquisitions -> Suggestions
 - Lists

Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>

Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
2018-11-05 14:41:09 +00:00
5825026448 Bug 21526: uri escape TT variables when used in 'a href'
This patch has been generated with the script provided on bug 21576.
It only affects variables used in the href attribute of a link *when*
href is the first attribute of the node (grep "a href")

Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>

Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
2018-10-26 17:09:57 +00:00
Jonathan Druart
dcd1f5d48c Bug 13618: Add html filters to all the variables
Here we go, next step then.
As we did not fix the performance issue when autofiltering
the variables (see bug 20975), the only solution we have is to add the
filters explicitly.

This patch has been autogenerated (using add_html_filters.pl, see next
patches) and adds the html filter to all the variables displayed in the
template.
Exceptions are made (using the new 'raw' TT filter) for the variables we
already listed in the previous versions of this patch.

To test:
- Use t/db_dependent/Koha/Patrons.t to populate your DB with autogenerated
data which contain <script> tags

- Remove them from borrower_debarments.comments (they are allowed here)
update borrower_debarments set comment="html tags possible here";

- From the interface, hit pages and try to catch an alert box.
If you find one, it means you have found a possible XSS.
To know where it comes from:
* note the exact URL where you found it
* note the alert box content
* Dump your DB and search for the string in the dump to identify its
location (for instance table.field)

Next:
* Ideally we would like to use the raw filter when it is not necessary
to HTML escape the variables (in big loop for instance)
* Provide a QA script to catch missing filters (we want html, uri, url
or raw, certainly others that I am forgetting now)
* Replace the html filters with uri when needed (!)

Signed-off-by: Owen Leonard <oleonard@myacpl.org>

Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>

Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
2018-08-17 15:55:05 +00:00
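The "QA script to catch missing filters" listed under Next above is sketched here as an added example in Python; it is not Koha's own tooling (which is Perl) and not part of the commit. It assumes the raw filter is written as `$raw` after `[% USE raw %]`, uses a partial list of Template Toolkit control keywords, and runs over a constructed template rather than a real Koha file.

```python
import re

# A Template Toolkit directive: [% ... %], optionally with chomp dashes.
DIRECTIVE_RE = re.compile(r"\[%-?\s*(.*?)\s*-?%\]", re.DOTALL)
# [% x = y %] assigns a value; it prints nothing, so it needs no filter.
ASSIGNMENT_RE = re.compile(r"^\w[\w.]*\s*=(?!=)")
# Directives that do not emit a value into the rendered page (partial list, assumed).
CONTROL_KEYWORDS = {
    "IF", "UNLESS", "ELSIF", "ELSE", "END", "FOREACH", "WHILE", "SWITCH", "CASE",
    "SET", "DEFAULT", "USE", "INCLUDE", "PROCESS", "INSERT", "BLOCK", "WRAPPER",
    "MACRO", "FILTER", "TRY", "CATCH", "FINAL", "THROW", "RETURN", "STOP", "NEXT",
    "LAST", "META", "CLEAR", "TAGS", "DEBUG", "PERL", "RAWPERL",
}
# The filters the commit message accepts as the final filter of an output directive.
ACCEPTED_FILTERS = {"html", "uri", "url", "raw"}
def is_output_directive(body):
    """True when the directive writes a value into the rendered HTML."""
    if not body or body.startswith("#"):           # empty directive or [%# comment %]
        return False
    if body.split(None, 1)[0].upper() in CONTROL_KEYWORDS:
        return False
    return not ASSIGNMENT_RE.match(body)

def last_filter(body):
    """Name of the final |filter in the directive, or None when it has none."""
    if "|" not in body:
        return None
    name = body.rsplit("|", 1)[1].strip().split(None, 1)[0]
    return name.lstrip("$").lower()                # assumption: raw is written as $raw

def find_unfiltered(template_text):
    """Return [(line_number, directive_body)] for output directives lacking an accepted filter."""
    findings = []
    for match in DIRECTIVE_RE.finditer(template_text):
        body = match.group(1)
        if is_output_directive(body) and last_filter(body) not in ACCEPTED_FILTERS:
            line_no = template_text.count("\n", 0, match.start()) + 1
            findings.append((line_no, body))
    return findings

SAMPLE_TEMPLATE = """\
[% USE raw %]
[%# constructed sample, not a real Koha template %]
[% IF patron.debarred %]
<p>[% patron.debarredcomment | html %]</p>
[% END %]
<a href="/cgi-bin/koha/reviews/reviewswaiting.pl?id=[% review.borrowernumber | uri %]">[% review.title %]</a>
<div>[% review.comment | $raw %]</div>
[% count = reviews.size %]
<span>[% review.datereviewed | truncate(10) %]</span>
"""

if __name__ == "__main__":
    for line_no, body in find_unfiltered(SAMPLE_TEMPLATE):
        print(f"line {line_no}: [% {body} %] has no html/uri/url/raw filter")
```

Only the final filter in a chain is checked, because a later filter such as `truncate` would operate on already-escaped text.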
Julian Maurice
ed7543287b Bug 20538: Remove the need of writing [% KOHA_VERSION %] everywhere
Having to write [% KOHA_VERSION %] for each url is bad because:
- It's easily forgettable when adding new <script> or <link>
- It prevents grep'ing for the full filename
- It violates the DRY principle
- If at some point we want to change the "force js and css reload"
  mechanism, it will be tedious

This patch:
- adds a Template::Toolkit plugin that generates <script> and
  <link> tags for JS and CSS files, and inserts automatically the Koha
  version in the filename
- uses the new plugin to remove all occurrences of [% KOHA_VERSION %]
- removes the code that was adding KOHA_VERSION as a template variable

Test plan:
1. Apply patch
2. Go to several different pages in Koha (opac and intranet) while
   checking your browser's dev tools (there should be no 404 for JS and
   CSS files, and the Koha version should appear in filenames) and the
   server logs (there should be no "File not found")
3. `git grep KOHA_VERSION` should return nothing
4. prove t/db_dependent/Koha/Template/Plugin/Asset.t

Signed-off-by: Josef Moravec <josef.moravec@gmail.com>

Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
2018-04-13 11:49:44 -03:00
0ab22e1c7c Bug 18789: Send Koha::Patron object to the templates
In order to simplify the code and make it uniform, the controller scripts send
a Koha::Patron object to the templates instead of all the attributes of a patron.

That will make the code much easier to maintain and less
error-prone.

The variable "patron" sent to the templates is supposed to represent the
patron whose details the librarian is editing.

In the members module and some scripts of the circulation module, the
patron's details are sent one by one to the template. That leads to
frustration for developers (making sure everything is passed from all
scripts) and to regressions (we got tons of bugs in the last year because
of this way of doing things).
With this patch set it will be easy to access the patron's details, passing only
1 variable from the controllers.

Test plan:
Play with the patron and circulation modules and make sure the details of
the patron you are editing/viewing are correctly displayed.

Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>

Signed-off-by: Josef Moravec <josef.moravec@gmail.com>

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
2018-02-16 13:03:58 -03:00
0ad922011c Bug 12904: Force browser to load new javascript files after upgrade
This patch has been automatically generated using:
  perl kv.pl **/*.tt **/*.inc

Signed-off-by: Josef Moravec <josef.moravec@gmail.com>
2018-02-08 14:53:24 -03:00
cfb372c308 Bug 19663: Move JS to the footer: Reports
This patch modifies the staff client's reports templates so
that JavaScript is included in the footer instead of the header.

To test, apply the patch and test the JavaScript-driven features of
reports pages: All button controls, DataTables functionality, form
validation, etc.

Signed-off-by: Claire Gravely <claire.gravely@bsz-bw.de>

Fix for QA: Remove unused Dopop function.

Signed-off-by: Josef Moravec <josef.moravec@gmail.com>

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
2017-12-14 16:58:22 -03:00
804677265e Bug 16239: Update templates
Signed-off-by: Owen Leonard <oleonard@myacpl.org>

Signed-off-by: Jonathan Druart <jonathan.druart@biblibre.com>

Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
2017-01-13 14:41:22 +00:00
Hector Castro
2a6a3de7c4 Bug 16456: Add Font Awesome icons to some buttons in Tools module, section Patrons and circulation
Add Font Awesome Icons to section Patrons and circulation in Tools module.
Also correct an error dialog in jQuery functions

To test:
-Apply patch
-Go to Tools -> Patron list -> my_list_saved -> Add patrons -> Remove selected patrons,
 Clear all, Select all.
-Add a new patron list and add some patrons, and notice the trash icon.
-Make some comments on some bib records and go to Tools->Comments;
 you will be presented with two tabs "Approved comments" and
 "Comments awaiting moderation".
 See the three new buttons: Approve, Delete, Unapprove.
-Set syspref TagsModeration to Require. This will show all pending tags to review.
-Make some tags in bib records and go to Tools -> Tags.
-Notice the new look.
-In the new screen look the icons in buttons "Apply filter(s)", "Test", "Approved",
 "Reject". Notice the new header bar above the DataTable with options: Select all,
  Clear all, Select all pending.
-Play with filters; check if terms exist or not in approved/rejected lists
-Play with Terms summary and see if DataTable is working as expected
-Click in some term tag with multiple titles
-A table with titles tagged with the term is presented
-See the new button 'Remove'
-Verify if you can remove tag from a selected title.
-Verify that all tools work as expected

NOTE: The Tag and Comments tools have been revised to fit with the other
interfaces in Koha.
Bug amended according to QA comment 5
Bug rebased because of bug 16005
Test plan amended for clarity
Clock icon for "Select all pending" removed (QA comment 23).
Fix some forbidden patterns (tab char) in review.tt according to IRC comment
by Marc Veron

Followed test plan, looks and works as expected
Signed-off-by: Marc Véron <veron@veron.ch>

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>

Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
2016-06-17 15:40:24 +00:00
a8942c2884 Revert bug 13618 - "Prevent XSS in the Staff Client and the OPAC" due to performance issues
Revert "DBRev to make notes of the XSS patches and the new important dependency."

This reverts commit e140603a59.

Revert "Bug 13618: Specific for branches.opac_info"

This reverts commit 06e4a50f00.

Revert "Bug 13618: (follow-up) Specific for other prefs"

This reverts commit d6475a111f.

Revert "Bug 13618: Fix for debarredcomment and patron messages"

This reverts commit dd98c9df92.

Revert "Bug 13618: Do not display html tags in patron's notices"

This reverts commit a065b243fe.

Revert "Bug 13618: Do not display &nbsp; and html tags in item fields content"

This reverts commit baeeaffbf8.

Revert "Bug 13618: Fix for system preference description"

This reverts commit a967a09261.

Revert "Bug 13618: Remove html filters for newly pushed code"

This reverts commit 0e98662b10.

Revert "Bug 13618: (follow-up) add missing lines for opac-shelves"

This reverts commit fc2fb605e5.

Revert "Bug 13618: (follow-up) Specific for ColumnsSettings"

This reverts commit bc308fdd9c.

Revert "Bug 13618: Fix for edit biblios and items"

This reverts commit 811c4e8402.

Revert "Bug 13618: followup to remove tabs"

This reverts commit ca8e8c397c.

Revert "Bug 13618: Fix last occurrences recently introduced to master"

This reverts commit bb417b256b.

Revert "Bug 13618: Fix for news"

This reverts commit ae5b98020a.

Revert "Bug 13618: Fix escape on sending baskets or shelves by email"

This reverts commit a7731ffe25.

Revert "Bug 13618: Specific for XSLTBloc"

This reverts commit 11fa38dc29.

Revert "Bug 13618: Specific for Salutation on editing a patron"

This reverts commit 36c07ad6d3.

Revert "Bug 13618: Specific for other prefs"

This reverts commit e6ea281a3b.

Revert "Bug 13618 - memberentrygen.tt errors Not a GLOB reference"

This reverts commit 7824874557.

Revert "Bug 13618: Specific for ColumnsSettings"

This reverts commit 1834da3da3.

Revert "Bug 13618: Specific for IntranetUser* and OPACUser* prefs"

This reverts commit 21ae62b253.

Revert "Bug 13618: Fix error 'Not a GLOB reference'"

This reverts commit 602bdbab4c.

Revert "Bug 13618: Specific for the ISBD view"

This reverts commit d254362435.

Revert "Bug 13618: Specific for pagination_bar"

This reverts commit 8837a8ae68.

Revert "Bug 13618: Specific places where we don't need to escape variables - intra"

This reverts commit 00eff140b3.

Revert "Bug 13618: Remove html filters at the intranet"

This reverts commit 7db851ff03.

Revert "Bug 13618: Specific places where we don't need to escape variables"

This reverts commit 49a3738b8d.

Revert "Bug 13618: Remove html filters at the OPAC"

This reverts commit cedaa0e23e.

Revert "Bug 13618: Use Template::Stash::AutoEscaping to use the html filter"

This reverts commit 01b38d3b13.

Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>

Signed-off-by: Brendan Gallagher <brendan@bywatersolutions.com>
2016-02-11 19:39:53 +00:00
Jonathan Druart
8837a8ae68 Bug 13618: Specific for pagination_bar
Signed-off-by: Joonas Kylmälä <j.kylmala@gmail.com>

Signed-off-by: Bernardo Gonzalez Kriegel <bgkriegel@gmail.com>

Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>

Signed-off-by: Brendan Gallagher <brendan@bywatersolutions.com>
2016-01-29 17:54:13 +00:00
Jonathan Druart
7db851ff03 Bug 13618: Remove html filters at the intranet
Signed-off-by: Joonas Kylmälä <j.kylmala@gmail.com>

Signed-off-by: Bernardo Gonzalez Kriegel <bgkriegel@gmail.com>

Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>

Signed-off-by: Brendan Gallagher <brendan@bywatersolutions.com>
2016-01-29 17:54:12 +00:00
68b30468c3 Bug 8143 [REVISED] Upgrade jQuery tabs to current jQueryUI version
Current jQuery-driven tabs are done using a very old
version of the tabs plugin. This patch upgrades jQueryUI
to the latest version and adds the tabs widget dependency
to the jqueryui js file and updates the syntax for existing
tabs:

- $("#foo > ul").tabs(); changes to $("#foo").tabs();
- Remove full URL from tab links (use #anchor only).

Pages with "static" tabs (tabs which are built in the
markup rather than generated by the plugin) have been
modified to use their own style. Examples: pay.tt in
the staff client and opac-readingrecord.tt in the OPAC.

Edit: Minor revision to some uncorrected markup

Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Signed-off-by: Paul Poulain <paul.poulain@biblibre.com>
2012-06-10 15:22:58 +02:00
Katrin Fischer
12e4651746 Bug 2780 - Capitalize strings consistently (reserve, review, rotating collections)
Signed-off-by: Owen Leonard <oleonard@myacpl.org>
2012-04-10 10:04:13 +02:00
Katrin Fischer
e4c67372e4 Bug 7760 - Add ids and classes to every staff page to help with customization (reports, ...)
This is the last one - adding the classes and ids to the report module and
some template files for smaller modules/functions.

Signed-off-by: Owen Leonard <oleonard@myacpl.org>
Signed-off-by: Paul Poulain <paul.poulain@biblibre.com>
2012-03-22 18:12:35 +01:00
3ad0f4368f Bug 7493 [REVISED] Deleting a record with comments breaks "Recent Comments"
Adding foreign key constraint on biblio and borrowers:

- delete reviews when bibliographic records are deleted
- set reviews.borrowernumber to NULL when patron records are deleted.

Before these constraints are set the database update script will
clean up existing instances of these problems by deleting reviews of
deleted biblios and setting to NULL reviews.borrowernumber for deleted
patrons.

In comments moderation, the list of comments will indicate "(deleted patron)"
if the review was submitted by a patron who has since been deleted.

In the OPAC, the display of comments will omit the patron name altogether
if the patron has since been deleted.

To test:

1. CONFIRM THAT THE DATABASE UPDATE RUNS CORRECTLY

Before applying the patch:

 - delete the record for a title which has a review
 - delete a patron who has submitted a review (on a different title).

Viewing /cgi-bin/koha/opac-showreviews.pl should result in an error.

Apply the patch and make sure the database update runs. Viewing
the recent comments page in the OPAC should no longer result in an
error. The title with the comment from a deleted patron should
show no patron name on these pages:

 - Recent comments (opac-showreviews.pl)
 - Recent comments RSS (opac-showreviews.pl?format=rss)
 - Detail page (opac-detail.pl)

Comments from other patrons should show correctly.

2. CONFIRM THAT NEW DELETIONS PERFORM CORRECTLY

After applying the patch:

 - delete the record for a title which has a review
 - delete a patron who has submitted a review (on a different title).

Viewing /cgi-bin/koha/opac-showreviews.pl should NOT result in an error.
The review of the title which you deleted should no longer appear in the
list of recent comments.

The title with the comment from a deleted patron should
show no patron name on these pages:

 - Recent comments (opac-showreviews.pl)
 - Recent comments RSS (opac-showreviews.pl?format=rss)
 - Detail page (opac-detail.pl)

Signed-off-by: Julian Maurice <julian.maurice@biblibre.com>
Signed-off-by: Paul Poulain <paul.poulain@biblibre.com>
2012-03-08 17:00:51 +01:00
bc2a1d18e2 Bug 1623 - Provide view of approved comments
This patch creates two tabs on the comments administration page:
one for approved comments and one for unapproved comments. Each
display is paginated according to the numSearchResults preference.
The list of approved comments has, instead of a link to approve,
a link to unapprove.

The JavaScript table sorter has been removed since it doesn't make
sense to sort individual pages of a multi-page result set.

Signed-off-by: Chris Cormack <chrisc@catalyst.net.nz>
Signed-off-by: Ian Walls <ian.walls@bywatersolutions.com>
Signed-off-by: Paul Poulain <paul.poulain@biblibre.com>
2011-12-27 18:26:50 +01:00
Chris Cormack
5884fb1000 Bug 5917: Swapping templates over
2011-04-10 20:38:30 +12:00
756cdc15ac Swapping tablesorter version. GZipped version may have been responsible for errors in Internet Explorer. Change to usermenu.inc is whitespace only, for proper display in IE.
Signed-off-by: Joshua Ferraro <jmf@liblime.com>
2008-05-13 17:40:28 -05:00
Galen Charlton
60983cfeee kohabug 2026 - HTML-escape comments
This is a partial, perhaps temporary fix.  "<", ">",
and "&" characters in patron comments (AKA reviews)
are converted to "&lt;", "&gt;", and "&amp;" to avoid
certain attacks, e.g., a user entering a <script> tag
in a comment.

A more permanent fix should scrub all (or perhaps just
unsafe) tags from submitted comments entirely.

Signed-off-by: Joshua Ferraro <jmf@liblime.com>
2008-04-30 21:59:01 -05:00
f3dbe6c27b Adding tablesorter
Signed-off-by: Joshua Ferraro <jmf@liblime.com>
2008-03-18 15:18:51 -05:00
Galen Charlton
c7dea40a16 add Tools breadcrumbs & sidebar to OPAC comment moderation
Signed-off-by: Chris Cormack <crc@liblime.com>
Signed-off-by: Joshua Ferraro <jmf@liblime.com>
2008-02-15 08:24:59 -06:00
Joshua Ferraro
3d1fb4462f nomenclature improvements, updating README.txt
Signed-off-by: Joshua Ferraro <jmf@liblime.com>
2007-12-22 15:10:32 -06:00
c3ac60db88 More template cleanup, resident search forms, breadcrumbs menus
Signed-off-by: Chris Cormack <crc@liblime.com>
2007-09-14 17:47:24 -05:00
c44f56fcac Moving </head><body> into body of templates so that js and css can be embedded per-page.
Signed-off-by: Chris Cormack <crc@liblime.com>
2007-08-30 15:50:54 -05:00
62e94fd1b0 More changes to enable YUI-Grids CSS layout
Signed-off-by: Chris Cormack <crc@liblime.com>
2007-08-28 16:50:44 -05:00
Joshua Ferraro
d08387dd28 first go at moving templates to a modules/ dir
Signed-off-by: Chris Cormack <crc@liblime.com>
2007-08-23 21:11:27 -05:00