This patch has been generated with the script provided on bug 21576.
It only affects variable used in the href attribute of a link *when*
href it the first attribute of the node (grep "a href")
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
Here we go, next step then.
As we did not fix the performance issue when autofiltering
the variables (see bug 20975), the only solution we have is to add the
filters explicitely.
This patch has been autogenerated (using add_html_filters.pl, see next
pathces) and add the html filter to all the variables displayed in the
template.
Exceptions are made (using the new 'raw' TT filter) to the variable we
already listed in the previous versions of this patch.
To test:
- Use t/db_dependent/Koha/Patrons.t to populate your DB with autogenerated
data which contain <script> tags
- Remove them from borrower_debarments.comments (there are allowed here)
update borrower_debarments set comment="html tags possible here";
- From the interface hit page and try to catch alert box.
If you find one it means you find a possible XSS.
To know where it comes from:
* note the exact URL where you found it
* note the alert box content
* Dump your DB and search for the string in the dump to identify its
location (for instance table.field)
Next:
* Ideally we would like to use the raw filter when it is not necessary
to HTML escape the variables (in big loop for instance)
* Provide a QA script to catch missing filters (we want html, uri, url
or raw, certainly others that I am forgetting now)
* Replace the html filters with uri when needed (!)
Signed-off-by: Owen Leonard <oleonard@myacpl.org>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
Having to write [% KOHA_VERSION %] for each url is bad because:
- It's easily forgettable when adding new <script> or <link>
- It prevents grep'ing for the full filename
- It violates the DRY principle
- If at some point we want to change the "force js and css reload"
mechanism, it will be tedious
This patch:
- adds a Template::Toolkit plugin that generates <script> and
<link> tags for JS and CSS files, and inserts automatically the Koha
version in the filename
- use the new plugin to remove all occurences of [% KOHA_VERSION %]
- remove the code that was adding KOHA_VERSION as a template variable
Test plan:
1. Apply patch
2. Go to several different pages in Koha (opac and intranet) while
checking your browser's dev tools (there should be no 404 for JS and
CSS files, and the Koha version should appear in filenames) and the
server logs (there should be no "File not found")
3. `git grep KOHA_VERSION` should return nothing
4. prove t/db_dependent/Koha/Template/Plugin/Asset.t
Signed-off-by: Josef Moravec <josef.moravec@gmail.com>
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
This patch updates three single-column offline circulation templates to
use the Bootstrap grid.
- offline_circ\process_koc.tt - Circulation -> Upload offline
circulation.
- offline_circ\enqueue_koc.tt - After uploading offline circulation
file -> Add to offline circulation queue. The confirmation page is the
page to be tested.
- offline_circ\list.tt - From the confirmation page -> View pending
offline circulation actions.
Each of these pages should look correct, with a single centered column
with wide margins on either side. At lower browser widths the margins
should disappear.
Signed-off-by: Claire Gravely <claire.gravely@bsz-bw.de>
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
This patch is a temporary mitigation of whatever the real problem is.
The patch hides the "Apply directly" button so that the option isn't
available.
To test, apply the patch and generate a .koc file with some
transactions. Upload the file via Circulation -> Offline
circulation file upload. After the file is uploaded, you should see only
a "Add to offline circulation queue" button, which should work
correctly.
Signed-off-by: Grace Smyth <gracesmythh@gmail.com>
Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
This patch modifies the staff client offline circulation templates so
that JavaScript is included in the footer instead of the header.
To test, apply the patch and test the JavaScript-driven features of the
modified templates: All button controls, DataTables functionality, tabs,
etc.
Circulation -> Built-in offline circulation interface
-> Synchronize
-> Download records
-> Check out
-> Check in
-> Synchronize
-> Upload transactions
-> Pending offline circulations
-> Check all, uncheck all
-> Delete
-> Process
Circulation -> Upload offline circulation data
-> Upload .koc file (gerated by the Koha Offline Circulation program,
for instance).
Signed-off-by: Simon Pouchol <simon.pouchol@biblibre.com>
Signed-off-by: Josef Moravec <josef.moravec@gmail.com>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Fix error array (add '0' value)
Update errors on other places using upload.js
Eventually these should all be using the same code in a js file
upload.tt already dealt with these errors, but has diff code, made it
work with new error syntax
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Amended: Removed the added js comment in upload.tt
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
This patch removes event attributes from several templates, moving event
definitions into the JavaScript instead.
To test, apply the patch and:
- View the MARC detail page for any bibliographic record. Changing the
framework selection should reload the display using the selected
framework.
- Perform the same test on the labeled MARC view. (Set the
viewLabeledMARC system preference to "Allow" if necessary).
- To test the changes to Reports you should have at least one report
group and at least one report subgroup.
- Create a new saved SQL report.
- Select a report group. Doing so should trigger the display of report
subgroups. Deselecting the report group should hide the subgroups.
- In Acquisitions -> Suggestions, create a new suggestion.
- In the 'Acquisition information' section, changing values for
copies, currency, and price should change the value in the total
field.
- In Circulation -> Upload offline circulation file:
- My patch for Bug 16602 added the required code but forgot to remove
the corresponding onclick attributes.
- Browse for an offline circulation file.
- Clicking the 'Upload file' button should work correctly.
- After uploading a file, both the 'Add to offline circulation
queue' and 'Apply directly' buttons should work to trigger their
corresponding processes (keeping Bug 16603 in mind).
Signed-off-by: Aleisha Amohia <aleishaamohia@hotmail.com>
Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
This patch updates the style of progress bars to make them a little
nicer. Progress bars in the staff client are not built in a consisten
way. Some have been updated to use the <progress> element and some have
not. This patch improves some styling common to both kinds.
Other changes:
- Redundant in-page CSS has been removed from many pages.
- An invalid "min" attribute has been removed from several instances of
<progress>.
- Corrected capitalization.
- Fixed incorrectly quoted attributes.
- Added missing form "action" attributes.
To test, clear your browser cache if necessary. Apply the patch and
test uploads on the following pages:
- Circulation -> Offline circulation file upload
- Tools -> Batch item modification
- Tools -> Batch record modification
- Tools -> Stage MARC records for import
- Tools -> Manage staged MARC records
- Tools -> Upload local cover image
- Tools -> Upload
In all cases, progress bars should look improved and work correctly.
Test Tools -> Batch item deletion. Unused background job handling markup
has been removed. Deletion processing should work correctly.
Signed-off-by: Hector Castro <hector.hecaxmmx@gmail.com>
Works as advertised
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
This patch removes the use of "onclick" from several templates, instead
defining click events in JavaScript.
Also changed: Some markup corrections.
To test, apply the patch and:
- Go to Circulation -> Upload offline circulation file
- Browse for an offline circulation file.
- Clicking the 'Upload file' button should work correctly.
- After uploading a file, both the 'Add to offline circulation
queue' and 'Apply directly' buttons should work to trigger their
corresponding processes (keeping Bug 16603 in mind).
- Go to Patrons -> Patron lists.
- For any patron list containing patrons, click the 'Print patron
cards' menu item. This should trigger a modal window which exports
the correct list.
- Go to Tools -> Batch item modification.
- Submit a batch of items for modification.
- Clicking the 'Save' button should trigger the background job and the
items should be successfully modified.
- Go to Tools -> Batch item deletion.
- Submit a batch of items for deletion.
- Clicking the 'Delete' button should trigger the background job and
the items should be successfully deleted.
- Go to Tools -> Calendar.
- Trigger the 'Add new holiday' panel by clicking a day on the
calendar which has no holiday defined.
- Clicking the 'Cancel' link should hide the panel.
- Trigger the 'Edit this holiday' panel by clicking a day which has a
holiday defined.
- Clicking the 'Cancel' link should hide the panel.
Signed-off-by: Frédéric Demians <f.demians@tamil.fr>
Everything works as previously.
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
This patch moves the JavaScript files in prog/en/js to prog/js.
JavaScript files do not need to be in the directory which is processed
by the translator.
To test, apply the patch and visit various pages in the staff client to
confirm that JavaScript files are still loading correctly.
Revised: I intended for this to be built on top of Bug 15883 as well as
Bug 16242. Now it is.
Signed-off-by: Bernardo Gonzalez Kriegel <bgkriegel@gmail.com>
On top of 15883 and 16241
All seems to work, js files pulled from new dir.
No errors
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Revert "DBRev to make notes of the XSS patches and the new important dependency."
This reverts commit e140603a59.
Revert "Bug 13618: Specific for branches.opac_info"
This reverts commit 06e4a50f00.
Revert "Bug 13618: (follow-up) Specific for other prefs"
This reverts commit d6475a111f.
Revert "Bug 13618: Fix for debarredcomment and patron messages"
This reverts commit dd98c9df92.
Revert "Bug 13618: Do not display html tags in patron's notices"
This reverts commit a065b243fe.
Revert "Bug 13618: Do not display and html tags in item fields content"
This reverts commit baeeaffbf8.
Revert "Bug 13618: Fix for system preference description"
This reverts commit a967a09261.
Revert "Bug 13618: Remove html filters for newly pushed code"
This reverts commit 0e98662b10.
Revert "Bug 13618: (follow-up) add missing lines for opac-shelves"
This reverts commit fc2fb605e5.
Revert "Bug 13618: (follow-up) Specific for ColumnsSettings"
This reverts commit bc308fdd9c.
Revert "Bug 13618: Fix for edit biblios and items"
This reverts commit 811c4e8402.
Revert "Bug 13618: followup to remove tabs"
This reverts commit ca8e8c397c.
Revert "Bug 13618: Fix last occurrences recently introduced to master"
This reverts commit bb417b256b.
Revert "Bug 13618: Fix for news"
This reverts commit ae5b98020a.
Revert "Bug 13618: Fix escape on sending baskets or shelves by email"
This reverts commit a7731ffe25.
Revert "Bug 13618: Specific for XSLTBloc"
This reverts commit 11fa38dc29.
Revert "Bug 13618: Specific for Salutation on editing a patron"
This reverts commit 36c07ad6d3.
Revert "Bug 13618: Specific for other prefs"
This reverts commit e6ea281a3b.
Revert "Bug 13618 - memberentrygen.tt errors Not a GLOB reference"
This reverts commit 7824874557.
Revert "Bug 13618: Specific for ColumnsSettings"
This reverts commit 1834da3da3.
Revert "Bug 13618: Specific for IntranetUser* and OPACUser* prefs"
This reverts commit 21ae62b253.
Revert "Bug 13618: Fix error 'Not a GLOB reference'"
This reverts commit 602bdbab4c.
Revert "Bug 13618: Specific for the ISBD view"
This reverts commit d254362435.
Revert "Bug 13618: Specific for pagination_bar"
This reverts commit 8837a8ae68.
Revert "Bug 13618: Specific places where we don't need to escape variables - intra"
This reverts commit 00eff140b3.
Revert "Bug 13618: Remove html filters at the intranet"
This reverts commit 7db851ff03.
Revert "Bug 13618: Specific places where we don't need to escape variables"
This reverts commit 49a3738b8d.
Revert "Bug 13618: Remove html filters at the OPAC"
This reverts commit cedaa0e23e.
Revert "Bug 13618: Use Template::Stash::AutoEscaping to use the html filter"
This reverts commit 01b38d3b13.
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Signed-off-by: Brendan Gallagher brendan@bywatersolutions.com
Signed-off-by: Bernardo Gonzalez Kriegel <bgkriegel@gmail.com>
This followup on top of remote branch
Only remove tabs and trailing spaces to make koha-qa pass
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
Signed-off-by: Brendan Gallagher brendan@bywatersolutions.com
This patch makes the following changes to achieve that:
[1] Use Upload.pm in stage-marc-import.pl, upload-cover-image.pl,
offline_circ/process_koc.pl and enqueue_koc.pl.
[2] A new file-upload.js replaces file-upload.inc in the associated template.
We now use ajax to get progress figures instead of launching perl script
upload-file-progress.
The js changes now also allow for aborting a file upload.
[3] Adds a tools/upload script and template. It allows to upload multiple
files at once.
[4] Makes upload-file return error messages in JSON. For a multiple upload,
we could have some files with errors and others without errors.
The upload is now marked as Failed only if there was no upload at all.
[5] The upload plugin is converted to use tools/upload with plugin param.
Deleting an upload is now presented via the search results form.
NOTE: In editing the process_koc.tt I noticed that the form enqueuefile was
hidden and no longer used (with associated code in process_koc.pl). When a
file has been uploaded, I display the form again (with the Apply directly
button). The code still works.
NOTE: We fix an error in upload-file from one of the patches of bug 6874.
The userid of the Koha admin user is passed to haspermission, but we
should pick the userid from the session.
NOTE: Bug 14686 will add a specific permission for tools/upload.pl, and
will add the tools/upload script to the Tools menu.
For now, you need edit_catalogue to start upload.pl and you will
additionally need a permission like upload_local_cover_images
to successfully upload a new file.
Test plan:
[1] Upload a marc file in stage-marc-import. (This is temp storage.)
[2] Check new entry in table uploaded_files. Look for the file in your
temporary directory (/tmp ?), subfolder koha_upload.
Bonus: Remove permissions on this subfolder. Retry, check error and
restore permissions again.
[3] Upload another (larger) file and abort the upload. Check table and
directory again. You should have a partial file, but no record.
[4] Verify that Stage for import still works as expected.
[5] Test Upload local cover image. (Enable OPACLocalCoverImages.) You can
test an individual image or a zip file including images and a file
called datalink.txt (with lines biblionumber,filename).
[6] Test uploading a offline circulation file:
Enable AllowOfflineCirculation, and create a koc file (plain text):
Line1: Version=1.0\tA=1\tB=2
Line2: 2015-08-06 08:00:00 345\treturn\t[barcode]
Note: Replace tabs and barcode. The number of tabs is essential!
Checkout the item with your barcode.
Go to Offline circulation file upload. Upload and click Apply directly.
Checkout again. Upload again, click Add to offline circulation queue.
[7] Upload three files via tools/upload.pl with a category and marked as
public. Check the results in the table.
Verify that you can download the file in OPAC without being logged in.
[8] Pick one new file and one of the files of step 7. Upload them in the
same category. One upload should succeed. Check for reported error.
[9] Connect upload.pl to field 856$u.
Goto Cataloguing editor.
In an empty 856$u, click the tag editor. Upload a file and click Choose.
Save the record. Open the record in the OPAC and click the link.
Copy this link to your clipboard for next step.
[A] Go back to editor. Click the tag editor on the same 856 field.
Choose for Delete.
Open the link in your clipboard again. Error message?
[B] Check the process of upload, search, download and delete of an upload
with some diacritical characters in the filename. (Bonus points for
adding special chars in the category code.)
Note: You can add categories via authorized values, UPLOAD key.
Signed-off-by: Mirko Tietgen <mirko@abunchofthings.net>
Signed-off-by: Julian Maurice <julian.maurice@biblibre.com>
Bug 14321: [QA Follow-up] Perltidy upload.pl
Run perltidy -pro=xt/perltidyrc on tools/upload.pl.
No other changes.
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Julian Maurice <julian.maurice@biblibre.com>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
Many templates have instances where the path to the prog template is
hard-coded. Now that interface and theme template variables are
available everywhere these paths should be corrected to use them.
Image paths corrected:
- 'Patron image missing' image on circulation pages
- 'Locked' icon on fund planning page
- Tag and subfield edit icons on the authority, biblio editor, and batch
item modification pages (Clone tag, delete tag, clone subfield,
delete subfield, move subfield)
- 'Loading' icon when importing frameworks
Audio file paths corrected:
- Sounds for circulation.pl and returns.pl
Paths to DataTables assets corrected on:
- Transfers to receive report
- Holds queue report
- Holds awaiting pickup report
- Patron detail page (moremember.pl)
- Patron circulation history
- Update child to adult patron page
- Process offline circulations
- Catalog by item type report
- Serials statistics wizard
- Serial claims page
- Koha news
- Notices
- Batch patron modifications
Path to progress bar assets corrected on:
- Process offline circulations page
- Progressbar include file
- Stage MARC imports
- Manage MARC imports
- Local cover image upload
Other image paths:
- "Approved" checkmark image on tags review page
- Table sort icons on lists page
- Feed icon on OPAC search result page
- "Loading" image for OPAC plain MARC view
Path to ratings JavaScript on OPAC detail and results pages
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Checked all the pages modified by this patch, no problems noted
Signed-off-by: Jonathan Druart <jonathan.druart@biblibre.com>
Signed-off-by: Galen Charlton <gmc@esilibrary.com>
The primary advantage to the Firefox offline cirulation plugin when compared
to the offline circulation desktop application, is the ability to add offline
circulation actions to a queue so that multiple machines running offline
circ can have their circ actions combined and ordered chronologically before
being executed. This commit adds the ability to put actions from uploaded
KOC files into this queue. In this way, both the FF plugina and the desktop
application can be run side by side with no ill effects.
Signed-off-by: Bob Birchall <bob@calyx.net.au>
Signed-off-by: Katrin Fischer <Katrin.Fischer.83@web.de>
Signed-off-by: Jared Camins-Esakov <jcamins@cpbibliography.com>
Signed-off-by: Owen Leonard <oleonard@myacpl.org>
I tested most scripts affected by this patch and visually verified
all changes. Functionality is unaffected.
Signed-off-by: Mason James <mtj@kohaaloha.com>
Signed-off-by: Jared Camins-Esakov <jcamins@cpbibliography.com>
Check for div 0 when calculating percentage
Signed-off-by: Liz Rea <wizzyrea@gmail.com>
div0 no longer appears on 0 size jobs.
Passes t xt
Signed-off-by: Paul Poulain <paul.poulain@biblibre.com>
This is the last one - adding the classes and ids to the report module and
some template files for smaller moduls/functions.
Signed-off-by: Owen Leonard <oleonard@myacpl.org>
Signed-off-by: Paul Poulain <paul.poulain@biblibre.com>
