Commit graph

13 commits

Author SHA1 Message Date
Jonathan Druart
dcd1f5d48c Bug 13618: Add html filters to all the variables
Here we go, next step then.
As we did not fix the performance issue when autofiltering
the variables (see bug 20975), the only solution we have is to add the
filters explicitely.

This patch has been autogenerated (using add_html_filters.pl, see next
pathces) and add the html filter to all the variables displayed in the
template.
Exceptions are made (using the new 'raw' TT filter) to the variable we
already listed in the previous versions of this patch.

To test:
- Use t/db_dependent/Koha/Patrons.t to populate your DB with autogenerated
data which contain <script> tags

- Remove them from borrower_debarments.comments (there are allowed here)
update  borrower_debarments set comment="html tags possible here";

- From the interface hit page and try to catch alert box.
If you find one it means you find a possible XSS.
To know where it comes from:
* note the exact URL where you found it
* note the alert box content
* Dump your DB and search for the string in the dump to identify its
location (for instance table.field)

Next:
* Ideally we would like to use the raw filter when it is not necessary
to HTML escape the variables (in big loop for instance)
* Provide a QA script to catch missing filters (we want html, uri, url
or raw, certainly others that I am forgetting now)
* Replace the html filters with uri when needed (!)

Signed-off-by: Owen Leonard <oleonard@myacpl.org>

Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>

Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
2018-08-17 15:55:05 +00:00
fad518ed7d Bug 20038: Switch single-column templates to Bootstrap grid: Acquisitions
This patch updates several acquisitions module templates to use the
Bootstrap grid.

- acqui/z3950_search.tt - Acquisitions -> Vendor -> View basket -> Add
  to basket -> From an external source. The Z39.50 search form should
  look correct.
  - Search for a title. The search results page should look correct.

- acqui/addorder.tt - Acquisitions -> Vendor -> View basket -> Add to
  basket. Add an order to the basket which costs more than is available
  in the fund you select. The error/confirmation screen should look
  correct.

- acqui\modordernotes.tt - Acquisitions -> Vendor -> View basket -> Add
  internal or vendor note. The note add form should look correct.

- acqui/cancelorder.tt - Acquisitions -> Vendor -> View basket -> Cancel
  order (from an open basket which has existing orders). The
  confirmation screen should look correct.

- acqui\basketheader.tt - Acquisitions -> Vendor -> New basket. The new
  basket edit form should look correct.

Signed-off-by: Claire Gravely <claire.gravely@bsz-bw.de>

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
2018-02-15 13:30:23 -03:00
36821be142 Bug 13208: Display complete breadcrumbs on successful deletion
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
2017-10-09 14:14:54 -03:00
faf1bd1e6e Bug 13208: (QA follow-up) Remove blank breadcrumbs on successful deletion
After order is deleted we don't have a vendor or basket so we get blank
breadcrumbs, this removes them

Signed-off-by: David Bourgault <david.bourgault@inlibro.com>

Signed-off-by: Nick Clemens <nick@bywatersolutions.com>

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
2017-10-09 14:00:58 -03:00
Aleisha Amohia
3bdee4a05f Bug 13208: [FOLLOW-UP] Creating and implementing new Koha::Acquisition::Basket[s] modules
Test plan remains the same.

Sponsored-by: Catalyst IT

Signed-off-by: Owen Leonard <oleonard@myacpl.org>

Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>

Signed-off-by: David Bourgault <david.bourgault@inlibro.com>

Signed-off-by: Nick Clemens <nick@bywatersolutions.com>

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
2017-10-09 14:00:58 -03:00
Aleisha Amohia
639d7f308f Bug 13208: Improving breadcrumbs for when cancelling an order
To test:
1) Go to Acquisitions -> Find a vendor -> View a basket with orders in
it (or make a new basket and add an order)
2) Click Cancel order
3) Notice incomplete breadcrumbs, and 'Acquisition' typo
4) Apply patch and refresh page
5) Breadcrumbs should be fixed. Confirm links to vendor and basket work
as expected

Sponsored-by: Catalyst IT

Signed-off-by: severine.queune <severine.queune@bulac.fr>

Signed-off-by: Nick Clemens <nick@bywatersolutions.com>

Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>

Signed-off-by: David Bourgault <david.bourgault@inlibro.com>

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
2017-10-09 14:00:50 -03:00
f43f6bd97a Bug 15951: Use Font Awesome icons for acquisitions order cancellation confirmation
In Acquisitions, when you delete (cancel) an order, a dialog asks you to
confirm. This dialog should be styled with Font Awesome icons.

Other minor edit: Changing page grid style for centered main content
area.

To test, apply the patch and locate a basket in Acquisitions with an
order.

- View the details for the basket.
- Click the 'Delete' link next to the order you want to delete.
- Confirm that the dialog is correctly styled.
- Test the cancel operation and verify that you are correctly redirected
  back to where you were.
- Test the confirmation operation and verify that your order is deleted.
- Also test the deletion process from Acquisitions -> Vendor -> Invoices
-> Invoice -> Go to receipt page -> Delete order.

Signed-off-by: Hector Castro <hector.hecaxmmx@gmail.com>
Works as advertised

Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>

Signed-off-by: Brendan A Gallagher <brendan@bywatersolutions.com>
2016-03-03 22:55:24 +00:00
b38370ff83 Bug 13941: [2/2] Fix <body> tags missing id/class
Followed test plan from patch 1/2, works as expected.
Signed-off-by: Marc Véron <veron@veron.ch>

Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
Signed-off-by: Tomas Cohen Arazi <tomascohen@gmail.com>
2015-04-24 09:47:38 -03:00
Jonathan Druart
b475728a50 Bug 13380: Fill order cancellation reasons from AV
Since bug 7162, it's possible to give a cancellation reason on deleting
an order.
This would be better to fill an authorised values category with the
different possible values.
Like that we will avoid to have duplicate or similar reasons.

Also, it will be easier to filter or create reports.

Test plan:
0/ Don't apply the patch
1/ Cancel some orders and give a cancelletion reason
2/ Apply the patch and execute the updatedb entry
3/ Cancel an order and verify the you have a list with the reason you
previously filled + 3 new ones ('No reason', 'Sold out' and
'Restocking');
4/ Choose one and verify the value is correctly displayed on the basket
page
5/ You can also try to add other values from the admin module.

Signed-off-by: Chris Cormack <chris@bigballofwax.co.nz>

Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Signed-off-by: Tomas Cohen Arazi <tomascohen@gmail.com>
2015-03-15 08:50:29 -03:00
Julian Maurice
cb866e3b1a Bug 7162: Remove "(Y)" and "(N)" from buttons text
Signed-off-by: Tomas Cohen Arazi <tomascohen@gmail.com>
2014-10-30 00:44:18 -03:00
Julian Maurice
59bcdb0b25 Bug 7162: Factorize code for order cancellation (QA fixes)
Signed-off-by: Tomas Cohen Arazi <tomascohen@gmail.com>
2014-10-30 00:44:16 -03:00
Julian Maurice
d3b2c85df8 Bug 7162; Factorize code for order cancellation (QA fixes)
* Remove tab characters in acqui/addorder.pl
* Remove FIXME in acqui/cancelorder.pl
* Fix typos: "canceled" -> "cancelled", "occured" -> "occurred"
* Replace "Click here" link by "OK"
* Add a column to aqorders to store cancellation reason instead of
  having it in aqorders.notes, to avoid having untranslatable strings in
    database

Signed-off-by: Paola Rossi <paola.rossi@cineca.it>
Signed-off-by: Tomas Cohen Arazi <tomascohen@gmail.com>
2014-10-30 00:44:11 -03:00
Julian Maurice
c4aaca9496 Bug 7162: Factorize code for order cancellation
Some code was duplicated, all is now in cancelorder.pl
Added possibility to provide a reason for cancellation (or other things,
this is saved in aqorders.notes)

Signed-off-by: Corinne Bulac <corinne.hayet@bulac.fr>
Signed-off-by: Paola Rossi <paola.rossi@cineca.it>
Signed-off-by: Tomas Cohen Arazi <tomascohen@gmail.com>
2014-10-30 00:44:04 -03:00