Commit graph

8 commits

Author SHA1 Message Date
Jonathan Druart
dcd1f5d48c Bug 13618: Add html filters to all the variables
Here we go, next step then.
As we did not fix the performance issue when autofiltering
the variables (see bug 20975), the only solution we have is to add the
filters explicitely.

This patch has been autogenerated (using add_html_filters.pl, see next
pathces) and add the html filter to all the variables displayed in the
template.
Exceptions are made (using the new 'raw' TT filter) to the variable we
already listed in the previous versions of this patch.

To test:
- Use t/db_dependent/Koha/Patrons.t to populate your DB with autogenerated
data which contain <script> tags

- Remove them from borrower_debarments.comments (there are allowed here)
update  borrower_debarments set comment="html tags possible here";

- From the interface hit page and try to catch alert box.
If you find one it means you find a possible XSS.
To know where it comes from:
* note the exact URL where you found it
* note the alert box content
* Dump your DB and search for the string in the dump to identify its
location (for instance table.field)

Next:
* Ideally we would like to use the raw filter when it is not necessary
to HTML escape the variables (in big loop for instance)
* Provide a QA script to catch missing filters (we want html, uri, url
or raw, certainly others that I am forgetting now)
* Replace the html filters with uri when needed (!)

Signed-off-by: Owen Leonard <oleonard@myacpl.org>

Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>

Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
2018-08-17 15:55:05 +00:00
Julian Maurice
ed7543287b Bug 20538: Remove the need of writing [% KOHA_VERSION %] everywhere
Having to write [% KOHA_VERSION %] for each url is bad because:
- It's easily forgettable when adding new <script> or <link>
- It prevents grep'ing for the full filename
- It violates the DRY principle
- If at some point we want to change the "force js and css reload"
  mechanism, it will be tedious

This patch:
- adds a Template::Toolkit plugin that generates <script> and
  <link> tags for JS and CSS files, and inserts automatically the Koha
  version in the filename
- use the new plugin to remove all occurences of [% KOHA_VERSION %]
- remove the code that was adding KOHA_VERSION as a template variable

Test plan:
1. Apply patch
2. Go to several different pages in Koha (opac and intranet) while
   checking your browser's dev tools (there should be no 404 for JS and
   CSS files, and the Koha version should appear in filenames) and the
   server logs (there should be no "File not found")
3. `git grep KOHA_VERSION` should return nothing
4. prove t/db_dependent/Koha/Template/Plugin/Asset.t

Signed-off-by: Josef Moravec <josef.moravec@gmail.com>

Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
2018-04-13 11:49:44 -03:00
0ad922011c Bug 12904: Force browser to load new javascript files after upgrade
This patch has been automatically generated using:
  perl kv.pl **/*.tt **/*.inc

Signed-off-by: Josef Moravec <josef.moravec@gmail.com>
2018-02-08 14:53:24 -03:00
6381d1853d Bug 16241 - Move staff client CSS out of language directory
The staff client CSS is not language-specific, so it can be moved out of
the en/ directory and thus not be duplicated for every translation.

In order to be able to have a generic path to the YUI CSS files, the YUI
directory is moved by this patch to the staff client's lib/ directory.

To test, apply the patch and visit various pages in the staff client.
Look in particular at pages which include more than the standard CSS.
For example:

- The staff client login page.
- The staff client home page.
- Patron -> Set permissions.
- The advanced cataloging editor.
- Acquisitions -> Vendor -> Basket groups.
- Tools -> News -> Edit news.
- Administration -> System preferences.

Revised: I intended for this to be built on top of Bug 15883. Now it is.

Signed-off-by: Bernardo Gonzalez Kriegel <bgkriegel@gmail.com>

On top of 15883
Works as described, all pages on test plan
No Errors

Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>

Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
2016-04-29 13:54:37 +00:00
Galen Charlton
6405f26524 Bug 10592: fix display of favicon
Move the favicon files for OPAC and staff so that they are not
blocked by the Apache configuration change introduced by the
patch for bug 9812.

Note that this patch makes the favicon customizable by theme,
not both theme and language.

To test, after applying the patch.

[1] Open pages in the OPAC and staff client.  Verify that the favicon
    is displayed in the usual place in your web browser.  Specific pages
    to test include

    - circulation receipts and slips
    - help
    - lists view
    - web-based self-checkout

[2] Verify that the Apache logs do not contain entries like this:

client denied by server configuration: {...}/prog/en/includes/favicon.ico

Signed-off-by: Galen Charlton <gmc@esilibrary.com>
Signed-off-by: Chris Cormack <chris@bigballofwax.co.nz>
Signed-off-by: Katrin Fischer <Katrin.Fischer.83@web.de>
Verified that the favicon displays correctly. Also
tried changing favicons for staff and OPAC using the
system preferences for those. This still works, where
the system preferences are correctly supported in the
templates.

Signed-off-by: Galen Charlton <gmc@esilibrary.com>
2013-07-22 14:00:23 +00:00
Chris Cormack
5884fb1000 Bug 5917 : Swapping templates over 2011-04-10 20:38:30 +12:00
Jared Camins-Esakov
637cf26045 Bug 5641: Replace Favicon through staff client
This patch adds two sysprefs:
OpacFavicon
IntranetFavicon

The two sysprefs take full URLs to an alternate favicon.ico file for the OPAC
and Staff Client, respectively. Leaving them blank will use the favicon.ico file
that is included with Koha.

Signed-off-by: Nicole C. Engard <nengard@bywatersolutions.com>
Signed-off-by: Chris Cormack <chrisc@catalyst.net.nz>
2011-03-23 21:41:32 +13:00
Ryan Higgins
86ee8ee384 Add print slip to hold confirmation dialog.
Signed-off-by: Joshua Ferraro <jmf@liblime.com>
2008-03-25 07:20:25 -05:00