Here we go, next step then.
As we did not fix the performance issue when autofiltering
the variables (see bug 20975), the only solution we have is to add the
filters explicitely.
This patch has been autogenerated (using add_html_filters.pl, see next
pathces) and add the html filter to all the variables displayed in the
template.
Exceptions are made (using the new 'raw' TT filter) to the variable we
already listed in the previous versions of this patch.
To test:
- Use t/db_dependent/Koha/Patrons.t to populate your DB with autogenerated
data which contain <script> tags
- Remove them from borrower_debarments.comments (there are allowed here)
update borrower_debarments set comment="html tags possible here";
- From the interface hit page and try to catch alert box.
If you find one it means you find a possible XSS.
To know where it comes from:
* note the exact URL where you found it
* note the alert box content
* Dump your DB and search for the string in the dump to identify its
location (for instance table.field)
Next:
* Ideally we would like to use the raw filter when it is not necessary
to HTML escape the variables (in big loop for instance)
* Provide a QA script to catch missing filters (we want html, uri, url
or raw, certainly others that I am forgetting now)
* Replace the html filters with uri when needed (!)
Signed-off-by: Owen Leonard <oleonard@myacpl.org>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
Having to write [% KOHA_VERSION %] for each url is bad because:
- It's easily forgettable when adding new <script> or <link>
- It prevents grep'ing for the full filename
- It violates the DRY principle
- If at some point we want to change the "force js and css reload"
mechanism, it will be tedious
This patch:
- adds a Template::Toolkit plugin that generates <script> and
<link> tags for JS and CSS files, and inserts automatically the Koha
version in the filename
- use the new plugin to remove all occurences of [% KOHA_VERSION %]
- remove the code that was adding KOHA_VERSION as a template variable
Test plan:
1. Apply patch
2. Go to several different pages in Koha (opac and intranet) while
checking your browser's dev tools (there should be no 404 for JS and
CSS files, and the Koha version should appear in filenames) and the
server logs (there should be no "File not found")
3. `git grep KOHA_VERSION` should return nothing
4. prove t/db_dependent/Koha/Template/Plugin/Asset.t
Signed-off-by: Josef Moravec <josef.moravec@gmail.com>
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Test plan:
Try to print a fee
--> without patch it explodes
--> with patch it works and the date is formatted according to
system wide date format setting
Signed-off-by: Josef Moravec <josef.moravec@gmail.com>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
In order to simplify and make uniform the code, the controller scripts send
a Koha::Patron object to the templates instead of all attributes of a patron.
That will make the code much more easier to maintain and will be less
error-prone.
The variable "patron" sent to the templates is supposed to represent the
patron the librarian is editing the detail.
In the members module and some scripts of the circulation module, the
patron's detail are sent one by one to the template. That leads to
frustration from developpers (making sure everything is passed from all
scripts) and to regression (we got tone of bugs in the last year because
of this way to do).
With this patch set it will be easy access patron's detail, passing only
1 variable from the controllers.
Test plan:
Play with the patron and circulation module and make sur the detail of
the patron you are editing/seeing info are correctly displayed.
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Signed-off-by: Josef Moravec <josef.moravec@gmail.com>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
This patch modifies the staff client patron module templates so that
JavaScript is included in the footer instead of the header.
This patch touches a lot of files because the changes are all
interdependent, affecting a couple of module-wide include files.
To test, apply the patch and test the JavaScript-driven features of the
modified templates: All button controls, DataTables functionality, tabs,
etc.
Patrons -> Patrons home, patron search results
-> Manage pending modification requests
-> Patron detail page
-> Edit patron
-> Set guarantor
-> Fines
-> Account, Pay fines, Create manual invoice, Create manual
credit
-> Print receipts for different kinds of charges
-> Routing lists
-> Circulation history
-> Holds history
-> Notices
-> Statistics
-> Files
-> Purchase suggestions
-> Discharges
-> Housebound
-> Set permissions
-> Change password
-> Print summary, slips, and overdues
-> Update child to adult patron type
Patron toolbar and patron search bar operations should work correctly on
all pages.
This patch also updates the template for searching the Norwegian
national patron database, but it has NOT been tested.
Signed-off-by: Claire Gravely <claire.gravely@bsz-bw.de>
Signed-off-by: Zoe Bennett <zoebennett1308@gmail.com>
Signed-off-by: Josef Moravec <josef.moravec@gmail.com>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
There are many patron-related templates which still use event attributes
to define events. This patch updates these templates so that events are
defined in JavaScript.
To test apply the patch and check out to a patron.
- From the Print menu in the toolbar, choose "Print summary." The patron
summary page should open and the print dialog should be automatically
triggered.
- From the Print menu in the toolbar, choose "Print slip." The patron
slip page should open and the print dialog should be automatically
triggered.
- From the Print menu in the toolbar, choose "Print quick slip." The
patron quick slip page should open and the print dialog should be
automatically triggered.
- Click the patron's "Fines" tab in the left-hand sidebar and then
choose the "Account" tab.
-- Click the "Print" button for an account payment (the link should
point to printfeercpt.pl). A print receipt page should open and
the print dialog should be automatically triggered.
-- Follow the same procedure for a transaction which is not an account
payment (the link should point to printinvoice.pl).
- Click the "Create manual invoice" tab.
-- Select one of the "type" choices. Doing so should automatically
populate the "Description" field with the corresponding code.
-- If necessary, define one or more values for the MANUAL_INV
authorized value and confirm that those invoice types work as well.
- From the patron's "Pay fines" tab, click the "Pay amount" button. In
the "collect from patron" field, enter any combination of letters,
numbers, and symbols. When you tab away from that field your text
should be reformatted to currency format.
- From the patrons home page, change the filter in the left-hand sidebar
and submit it. The correct results should be returned.
Signed-off-by: EricGosselin <eric.gosselin.5@gmail.com>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
When displaying Fines > Account tab for a patron, you can see on screen a Note column that is missing if you click on Print
Test plan :
* Find a patron with accountlines or add them manually (Create manual invoice/credit).
* Be sure some of them got a Note
* Clik on Print fior those lines
Without patch, the printed receipt does not show the Note column
with the patch, the printed receipt shows a Note column and Note content is correctly printed for accountline with a note.
Signed-off-by: Aleisha Amohia <aleishaamohia@hotmail.com>
Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
The staff client CSS is not language-specific, so it can be moved out of
the en/ directory and thus not be duplicated for every translation.
In order to be able to have a generic path to the YUI CSS files, the YUI
directory is moved by this patch to the staff client's lib/ directory.
To test, apply the patch and visit various pages in the staff client.
Look in particular at pages which include more than the standard CSS.
For example:
- The staff client login page.
- The staff client home page.
- Patron -> Set permissions.
- The advanced cataloging editor.
- Acquisitions -> Vendor -> Basket groups.
- Tools -> News -> Edit news.
- Administration -> System preferences.
Revised: I intended for this to be built on top of Bug 15883. Now it is.
Signed-off-by: Bernardo Gonzalez Kriegel <bgkriegel@gmail.com>
On top of 15883
Works as described, all pages on test plan
No Errors
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Bug 2546 removes the description DB field value in some case (3.15.00.003).
But the receipt generated by scripts members/printfeercpt.pl and
members/printinvoice.pl displays this field.
When the description field is empty, the default value (based on
accountlines.accounttype) should be displayed.
Test plan:
- Generate and pay some different kinds of fees for a patron without
filling the 'description' field.
- In Fines>Account, click on the 'print' link.
- Before this patch, the "description of charges" values is empty if no
description was given.
It is a regression introduced by bug 2546, a default value was
inserted in the description field depending on the account type
selected.
- After this patch, the "description of charges" values should be based
on the account type. The string display on printing receipt should be
the same as on the account screen (staff and opac).
Note for QA: If removed the "payment" key, it is not used in template
and generated a warning ("odd number of elements...").
Signed-off-by: Nick Clemens <nick@quecheelibrary.org>
Signed-off-by: Katrin Fischer <Katrin.Fischer.83@web.de>
This fixes the display of payments and other charges on the
fines slip.
Note: This patch fixes a line where the description in the
database was still updated to say "Payment thanks" for partial
payments. It might be worth to do a follow-up correcting the
accountlines table and removing the unwanted comment (see bug 2546).
Signed-off-by: Tomas Cohen Arazi <tomascohen@gmail.com>
Currently, slips cannot be printed in circulation, members, or the
self check out when using Chrome.
This patch adds a timer of 1ms which allows Chrome's custom code to
prevent "window.close" occuring before the user has dealt with the
print window.
This patch also allows admins to use the 'IntranetSlipPrinterJS'
system preference to override the slip printing code by centralizing
all the slip printing code in slip-print.inc, and including this JS
anywhere it's needed in the staff client.
I haven't used this include in the OPAC SCO but perhaps it would make
sense to do so as well (even if it isn't referred to in the syspref's
name).
_TEST PLAN_
1) Using Chrome on Windows (not sure if this is an issue on other OSes),
try to print a slip in the following locations:
Fines Tab -> Print button
koha-tmpl/intranet-tmpl/prog/en/modules/members/printfeercpt.tt:
Details tab -> Print button -> Print slip || Print quick slip
koha-tmpl/intranet-tmpl/prog/en/modules/members/moremember-receipt.tt:
Details tab -> Print button -> Print summary
koha-tmpl/intranet-tmpl/prog/en/modules/members/moremember-print.tt:
Fines tab -> Accounts tab -> Print (Manual invoice of $5 sundry)
koha-tmpl/intranet-tmpl/prog/en/modules/members/printinvoice.tt:
Checkout tab -> Print button
koha-tmpl/intranet-tmpl/prog/en/modules/circ/printslip.tt:
Finish button
koha-tmpl/opac-tmpl/bootstrap/en/modules/sco/printslip.tt
2) Note that each time you try to print, a new print page is created
but closed before you have a chance to print.
3) Apply the patch
4) Repeat Step 1
5) Note that the print page now doesn't close until after you've
chosen to print or cancel.
Signed-off-by: Christopher Brannon <cbrannon@cdalibrary.org>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Signed-off-by: Tomas Cohen Arazi <tomascohen@gmail.com>
Signed-off-by: Katrin Fischer <Katrin.Fischer.83@web.de>
Passes all tests and QA script.
Checked invoice is correctly printed for
- partially paid fines
- paid fines
- unpaid fines
Signed-off-by: Galen Charlton <gmc@esilibrary.com>
Move the favicon files for OPAC and staff so that they are not
blocked by the Apache configuration change introduced by the
patch for bug 9812.
Note that this patch makes the favicon customizable by theme,
not both theme and language.
To test, after applying the patch.
[1] Open pages in the OPAC and staff client. Verify that the favicon
is displayed in the usual place in your web browser. Specific pages
to test include
- circulation receipts and slips
- help
- lists view
- web-based self-checkout
[2] Verify that the Apache logs do not contain entries like this:
client denied by server configuration: {...}/prog/en/includes/favicon.ico
Signed-off-by: Galen Charlton <gmc@esilibrary.com>
Signed-off-by: Chris Cormack <chris@bigballofwax.co.nz>
Signed-off-by: Katrin Fischer <Katrin.Fischer.83@web.de>
Verified that the favicon displays correctly. Also
tried changing favicons for staff and OPAC using the
system preferences for those. This still works, where
the system preferences are correctly supported in the
templates.
Signed-off-by: Galen Charlton <gmc@esilibrary.com>
This patch replaces the XHTML DOCTYPE with an HTML5 one. The HTML5
validator seems to be significantly different than the XHTML one,
so I'm seeing lots of new errors. This patch includes corrections
for one: Deprecation of the "language" attribute of <script>
tags.
To test, view pages in the OPAC and staff client. They should
appear as normal. Numerous validation follow-ups will be required,
but I suggest these be handled incrementally.
Signed-off-by: Jonathan Druart <jonathan.druart@biblibre.com>
test on some intranet pages and I found no regression. (chromium and
firefox).
The w3c page about the doctype: http://www.w3.org/TR/html5-diff/#doctype
Signed-off-by: Mason James <mtj@kohaaloha.com>
Signed-off-by: Jared Camins-Esakov <jcamins@cpbibliography.com>
Wrap window.print();window.close(); with a function called when body has finished loading. Prevents webkit from closing before page is loaded and print dialog presented to the user.
Signed-off-by: Jared Camins-Esakov <jcamins@bywatersolutions.com>
Signed-off-by: Chris Cormack <chrisc@catalyst.net.nz>