Commit graph

8 commits

Author SHA1 Message Date
cf44757391 Bug 13618: remove wrong html filter in 'Item search fields' admin
The dropdown list contain the arrayref: ARRAY(0x...)

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>

Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
2018-10-26 15:54:54 +00:00
22ab4ba524 Bug 13618: Remove filter when assigning array
Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
2018-08-17 16:53:56 +00:00
Jonathan Druart
dcd1f5d48c Bug 13618: Add html filters to all the variables
Here we go, next step then.
As we did not fix the performance issue when autofiltering
the variables (see bug 20975), the only solution we have is to add the
filters explicitely.

This patch has been autogenerated (using add_html_filters.pl, see next
pathces) and add the html filter to all the variables displayed in the
template.
Exceptions are made (using the new 'raw' TT filter) to the variable we
already listed in the previous versions of this patch.

To test:
- Use t/db_dependent/Koha/Patrons.t to populate your DB with autogenerated
data which contain <script> tags

- Remove them from borrower_debarments.comments (there are allowed here)
update  borrower_debarments set comment="html tags possible here";

- From the interface hit page and try to catch alert box.
If you find one it means you find a possible XSS.
To know where it comes from:
* note the exact URL where you found it
* note the alert box content
* Dump your DB and search for the string in the dump to identify its
location (for instance table.field)

Next:
* Ideally we would like to use the raw filter when it is not necessary
to HTML escape the variables (in big loop for instance)
* Provide a QA script to catch missing filters (we want html, uri, url
or raw, certainly others that I am forgetting now)
* Replace the html filters with uri when needed (!)

Signed-off-by: Owen Leonard <oleonard@myacpl.org>

Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>

Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
2018-08-17 15:55:05 +00:00
Amit Gupta
bfbba2339f Bug 19108: Fix Stored XSS in items_search_fields.pl
To Test
1. Hit the page /cgi-bin/koha/admin/items_search_fields.pl
2. Add a text in the field Name and Label that contains js
3. Save the page.
4. Notice js is execute
5. Apply patch and reload, the js is escaped

Fixed for new and edit page

Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>

Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
2017-09-29 12:20:50 -03:00
b286868ec9 Bug 17537: Fix valid-templates.t for some include files
3 include files do not pass the template validation tests:
 - koha-tmpl/intranet-tmpl/prog/en/includes/admin-items-search-field-form.inc
 - koha-tmpl/intranet-tmpl/prog/en/includes/subscriptions-search.inc
 - koha-tmpl/opac-tmpl/bootstrap/en/includes/opac-topissues.inc

This is because they process a block which has not been declared before.
As they are include files, they cannot stand on their own.
We could have added them to the exclude file list of xt/author/valid-templates.t
but I think it's better to keep them into the validation loop.

Test plan:
  prove xt/author/valid-templates.t
should return green
And the library dropdown list should be correctly populated on the pages these files are included
(opac-topissues for instance)

Signed-off-by: Claire Gravely <claire_gravely@hotmail.com>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>

Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
2016-11-04 11:03:48 +00:00
e6e09c540f Bug 15803: Koha::AuthorisedValues - Remove C4::Koha::GetAuthorisedValueCategories
The subroutine C4::Koha::GetAuthorisedValueCategories just retrieves all
the authorised value categories.
We already have a method in the Koha::AuthorisedValues module to do this
job, let's use it!

Technical explanations:
The new subroutine of the AuthorisedValues TT plugin will allow to get
the authorised value categories from the templates.
The new html_helpers include file will get rid of the if selected else
end statements. Bug 15758 already uses this file, see the commit
description for more informations.

Test plan:
1/ Create or edit a new fund (aqbudgets.pl), the fields "statistic 1"
and "statistic 2" should be correctly filled with the list of authorised
value categories
2/ Edit subfields for a biblio and authority framework.
The "Authorized value" dropdown list should be correctly filled on both
pages
3/ Create new items search fields (from the administration area), same
as previously, the authorised value category dropdown list should be
correctly filled
4/ Add and edit patron attribute types, check the authorised value
category list.

Signed-off-by: Aleisha Amohia <aleishaamohia@hotmail.com>
Signed-off-by: Nick Clemens <nick@bywatersolutions.com>

Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
2016-10-28 16:35:52 +00:00
fd74b271db Bug 15887: Revise layout and behavior of item search fields management
This patch adds some JavaScript to the item search fields management
page so that the add form is not displayed by default. This simplifies
the interface and makes it more consistent with other similar
interfaces.

Also changed in this patch:
- Changing instances of "Items search fields" to "Item search fields."
- Correct form structure to use ordered list
- Add "required" classes and enable built-in JS form validation.
- Add explicitly labeled "Choose" options to <select>s.
- Add missing ids to form fields (labels don't work without them).
- Correct classes of message and alert dialogs.
- Add JS confirmation of deletions.
- Convert MARC tag and subfield dropdowns to regular inputs (Bug 15384).

To test, apply the patch and go to Administration.

- Confirm that the "Item search fields" link is correct.
- Follow the link and confirm that the list of existing fields is shown
  by default, or a message saying there are no existing fields.
- Click the "New search field" button and confirm that it displays the
  entry form.
  - Confirm that submitting an empty form does not work.
  - Confirm that clicking the "Cancel" link correctly hides the form.
  - Confirm that submitting valid data works correctly.
- In the table of existing item search fields, confirm that the "Edit"
  button works correctly.
  - Confirm that submitting edits works correctly.
- In the table of existing item search fields, confirm that clicking
  "Delete" highlights the row in question and a confirmation dialog
  appears.
  - Test both canceling and confirming deletion.

Signed-off-by: Hector Castro <hector.hecaxmmx@gmail.com>
Works as described. JSHint OK, koha-qa OK.

Revision per QA: Undid the change making tag and subfield inputs text
fields.

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>

Signed-off-by: Brendan A Gallagher <brendan@bywatersolutions.com>
2016-03-02 22:36:17 +00:00
Julian Maurice
7c2ff7940e Bug 11425: Add item search form in staff interface
Item search is available at catalogue/itemsearch.pl (link is in
catalogue/search.pl)
It only uses SQL (not Zebra)
* Use DataTables and server-side processing to be able to filter on
  individual columns after the first search is done.
* Allow to export results in CSV
* With Javascript disabled, search form still works (and CSV export too)

There is the possibility to define "Custom search fields" in a new admin
page admin/items_search_fields.pl (link is in admin/admin-home.pl)
A custom item search field is defined by:
* a name: its unique identifier
* a label: the text displayed to the user
* a MARC field/subfield: the field/subfield to query (it uses
  ExtractValue)
* an authorised values list (optional): if defined the list is displayed
  in the search form

New Perl dependency: Template::Plugin::JSON::Escape

Test plan:
1/ Apply the patch and run updatedatabase.pl
2/ Go to advanced search (staff interface), then click on "Go to item
search"
3/ Play with the search form! :)
In the 3rd fieldset you can add as many fields as you want and combine them with
boolean operators (AND, OR). You can use SQL jokers characters (%, _)
You can output to screen (in a DataTables table) or to a CSV file.
4/ In the DataTables table, play with filters and try sorting columns.
5/ Disable Javascript (with Firefox: extensions NoScript or YesScript,
or in about:config 'javascript.enabled' = false
6/ Reload the search page and do some searches on screen output. (there
is no sorting or filtering features, but there is still pagination)
7/ Try again CSV output.
8/ You can re-enable Javascript.
9/ Go to Administration > Items search fields
10/ Add a new field. Example for title (in UNIMARC):
  Name: title
  Label: Title
  MARC field: 200
  MARC subfield: a
  Authorised values category: None
(add another field with an authorised values category to see the
difference).
11/ As you are there try to update and delete some fields.
12/ Go back to items search form. You can see in the 3rd fieldset that
your fields have appeared in the selects.
13/ Try searching on them.
14/ I think you're done :)

Signed-off-by: Bernardo Gonzalez Kriegel <bgkriegel@gmail.com>
Work as described. Good new option.
No koha-qa errors

Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
2014-11-04 19:08:12 -03:00