This addresses comment #13.
This also applies cleanly.
Signed-off-by: Owen Leonard <oleonard@myacpl.org>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
Here we go, next step then.
As we did not fix the performance issue when autofiltering
the variables (see bug 20975), the only solution we have is to add the
filters explicitely.
This patch has been autogenerated (using add_html_filters.pl, see next
pathces) and add the html filter to all the variables displayed in the
template.
Exceptions are made (using the new 'raw' TT filter) to the variable we
already listed in the previous versions of this patch.
To test:
- Use t/db_dependent/Koha/Patrons.t to populate your DB with autogenerated
data which contain <script> tags
- Remove them from borrower_debarments.comments (there are allowed here)
update borrower_debarments set comment="html tags possible here";
- From the interface hit page and try to catch alert box.
If you find one it means you find a possible XSS.
To know where it comes from:
* note the exact URL where you found it
* note the alert box content
* Dump your DB and search for the string in the dump to identify its
location (for instance table.field)
Next:
* Ideally we would like to use the raw filter when it is not necessary
to HTML escape the variables (in big loop for instance)
* Provide a QA script to catch missing filters (we want html, uri, url
or raw, certainly others that I am forgetting now)
* Replace the html filters with uri when needed (!)
Signed-off-by: Owen Leonard <oleonard@myacpl.org>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
Test plan:
Login with a patron that only have the 'edit_borrowers' permission.
You should be able to access patron's information of patrons inside of your group.
Technical note:
Before this patchset the borrowers permission module contains only 1 permission 'edit_borrowers'.
That meant
borrowers => 1
and
borrowers => '*'
had the same behavior.
Moreover, now that we have 2 permissions, 'CAN_user_borrowers' is set when all
permissions of 'borrowers' are set.
We need to update the different occurrences of these tests.
Signed-off-by: Signed-off-by: Jon McGowan <jon.mcgowan@ptfs-europe.com>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
This patch removes the use of "onclick" from all header search forms for
the purpose of triggering the "keep_text" function. This behavior is now
handled in the globally-included JS file.
To test, apply the patch and clear your cache if necessary.
- Enter text in any header search form field. Click to each other tab
in the header and confirm that your text is copied to each.
- Test the behavior of the header search form on at least one page where
each is included:
- The staff client home page
- The advanced search page
- The authorities home page
- The administration home page
- The cataloging home page
- The checkin page
- The circulation home page
- The patrons home page
- Acquisitions -> Vendor -> Contracts
- Administration -> Cities
- Administration -> Currencies and exchange rates
- Administration -> Patron categories
- Administration -> Printers (why is this page still around?)
- Administration -> System preferences
- Administration -> Z39.50/SRU servers
- Tools -> Notices & slips
This patch modifies does not fix the existing (unreported) bug which
prevents the keep text function from working in the include file used on
these pages:
- Acquisitions -> Vendor -> Basket -> New order from suggestion
- Administration -> Budgets
- The serials home page
Signed-off-by: Claire Gravely <c.gravely@arts.ac.uk>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
This patch re-indents the new include file because it's not often you
get to help a new file come into the world, it should be indented
nicely.
Signed-off-by: Marc Véron <veron@veron.ch>
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
This patch creates a new file: adv-search.inc. This search include has
no catalog search (as it makes no sense to have the catalog search tab
on the advanced search page).
The item search page uses home-search.inc (with catalog search) as the
catalog search is different to the item search.
To test:
1) Go to Search (advanced search)
2) Confirm search header is there with no catalog search tab and works
as expected
3) Go to item search
4) Confirm search header is there with catalog search tab and works as
expected
Sponsored-by: Catalyst IT
Signed-off-by: Owen Leonard <oleonard@myacpl.org>
Tested together with follow up patch, works as expected.
Signed-off-by: Marc Véron <veron@veron.ch>
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>