Here we go, next step then.
As we did not fix the performance issue when autofiltering
the variables (see bug 20975), the only solution we have is to add the
filters explicitly.
This patch has been autogenerated (using add_html_filters.pl, see next
patches) and adds the html filter to all the variables displayed in the
template.
Exceptions are made (using the new 'raw' TT filter) for the variables we
already listed in the previous versions of this patch.
To test:
- Use t/db_dependent/Koha/Patrons.t to populate your DB with autogenerated
data which contain <script> tags
- Remove them from borrower_debarments.comments (they are allowed here)
update borrower_debarments set comment="html tags possible here";
- From the interface hit page and try to catch alert box.
If you find one it means you have found a possible XSS.
To know where it comes from:
* note the exact URL where you found it
* note the alert box content
* Dump your DB and search for the string in the dump to identify its
location (for instance table.field)
Next:
* Ideally we would like to use the raw filter when it is not necessary
to HTML escape the variables (in big loops for instance)
* Provide a QA script to catch missing filters (we want html, uri, url
or raw, certainly others that I am forgetting now)
* Replace the html filters with uri when needed (!)
Signed-off-by: Owen Leonard <oleonard@myacpl.org>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
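As an added example (not Koha's own QA script and not part of this commit), a small Python scanner of the kind the "Next" list asks for: it walks a constructed Template Toolkit snippet and reports every output directive that carries none of the html, uri, url or raw filters. It assumes Koha's `$raw` spelling is equivalent to `raw`, and the sample template is constructed for the example.

```python
import re
SAFE_FILTERS = {"html", "uri", "url", "raw"}  # acceptable filters, per the "Next" list
# Directive keywords that emit no output themselves, so they need no filter.
CONTROL_KEYWORDS = {
    "IF", "ELSIF", "ELSE", "UNLESS", "END", "FOREACH", "FOR", "WHILE", "SWITCH",
    "CASE", "SET", "DEFAULT", "INCLUDE", "PROCESS", "USE", "BLOCK", "WRAPPER",
    "MACRO", "CALL", "TRY", "CATCH", "FINAL", "RETURN", "STOP", "NEXT", "LAST",
}
DIRECTIVE_RE = re.compile(r"\[%-?(.*?)-?%\]", re.DOTALL)
LEADING_WORD_RE = re.compile(r"^([A-Za-z_]\w*)")
ASSIGN_RE = re.compile(r"^[\w.]+\s*=[^=]")  # 'x = 1' emits nothing; 'x == 1' does

def directive_filters(body):
    """None for non-output directives, else the set of filter names applied."""
    body = body.strip()
    if not body or body.startswith("#"):  # [%# comment %]
        return None
    word = LEADING_WORD_RE.match(body)
    if word and word.group(1) in CONTROL_KEYWORDS:
        return None
    if ASSIGN_RE.match(body):
        return None
    # After the first '|' comes the filter chain: html, $raw, truncate(20), ...
    names = set()
    for chunk in body.split("|")[1:]:
        name = chunk.strip().lstrip("$").split("(")[0].strip()
        if name:
            names.add(name)
    return names

def find_missing_filters(template_text):
    """[(line_number, directive)] for output directives carrying no safe filter."""
    findings = []
    for m in DIRECTIVE_RE.finditer(template_text):
        filters = directive_filters(m.group(1))
        if filters is None or filters & SAFE_FILTERS:
            continue
        findings.append((template_text.count("\n", 0, m.start()) + 1, m.group(0)))
    return findings

# Constructed sample template, not a real Koha template.
SAMPLE_TEMPLATE = """\
<h1>[% vendor.name | html %]</h1>
[% IF ( basket.closedate ) %]
  <p>[% basket.closedate %]</p>
[% END %]
<a href="cancelorder.pl?ordernumber=[% order.ordernumber | uri %]">[% order.title %]</a>
[% note | $raw %]
"""
```

A '|' inside a quoted string is not parsed specially, which can only produce a false positive, never hide a missing filter.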
This patch updates several acquisitions module templates to use the
Bootstrap grid.
- acqui/z3950_search.tt - Acquisitions -> Vendor -> View basket -> Add
to basket -> From an external source. The Z39.50 search form should
look correct.
- Search for a title. The search results page should look correct.
- acqui/addorder.tt - Acquisitions -> Vendor -> View basket -> Add to
basket. Add an order to the basket which costs more than is available
in the fund you select. The error/confirmation screen should look
correct.
- acqui/modordernotes.tt - Acquisitions -> Vendor -> View basket -> Add
internal or vendor note. The note add form should look correct.
- acqui/cancelorder.tt - Acquisitions -> Vendor -> View basket -> Cancel
order (from an open basket which has existing orders). The
confirmation screen should look correct.
- acqui/basketheader.tt - Acquisitions -> Vendor -> New basket. The new
basket edit form should look correct.
Signed-off-by: Claire Gravely <claire.gravely@bsz-bw.de>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
After an order is deleted we don't have a vendor or basket, so we get blank
breadcrumbs; this removes them.
Signed-off-by: David Bourgault <david.bourgault@inlibro.com>
Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Test plan remains the same.
Sponsored-by: Catalyst IT
Signed-off-by: Owen Leonard <oleonard@myacpl.org>
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
Signed-off-by: David Bourgault <david.bourgault@inlibro.com>
Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
To test:
1) Go to Acquisitions -> Find a vendor -> View a basket with orders in
it (or make a new basket and add an order)
2) Click Cancel order
3) Notice incomplete breadcrumbs, and 'Acquisition' typo
4) Apply patch and refresh page
5) Breadcrumbs should be fixed. Confirm links to vendor and basket work
as expected
Sponsored-by: Catalyst IT
Signed-off-by: severine.queune <severine.queune@bulac.fr>
Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
Signed-off-by: David Bourgault <david.bourgault@inlibro.com>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
In Acquisitions, when you delete (cancel) an order, a dialog asks you to
confirm. This dialog should be styled with Font Awesome icons.
Other minor edit: Changing page grid style for centered main content
area.
To test, apply the patch and locate a basket in Acquisitions with an
order.
- View the details for the basket.
- Click the 'Delete' link next to the order you want to delete.
- Confirm that the dialog is correctly styled.
- Test the cancel operation and verify that you are correctly redirected
back to where you were.
- Test the confirmation operation and verify that your order is deleted.
- Also test the deletion process from Acquisitions -> Vendor -> Invoices
-> Invoice -> Go to receipt page -> Delete order.
Signed-off-by: Hector Castro <hector.hecaxmmx@gmail.com>
Works as advertised
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
Signed-off-by: Brendan A Gallagher <brendan@bywatersolutions.com>
Followed test plan from patch 1/2, works as expected.
Signed-off-by: Marc Véron <veron@veron.ch>
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
Signed-off-by: Tomas Cohen Arazi <tomascohen@gmail.com>
Since bug 7162, it's possible to give a cancellation reason on deleting
an order.
It would be better to fill an authorised values category with the
different possible values.
That way we will avoid having duplicate or similar reasons.
Also, it will be easier to filter or create reports.
Test plan:
0/ Don't apply the patch
1/ Cancel some orders and give a cancellation reason
2/ Apply the patch and execute the updatedb entry
3/ Cancel an order and verify that you have a list with the reason you
previously filled + 3 new ones ('No reason', 'Sold out' and
'Restocking');
4/ Choose one and verify the value is correctly displayed on the basket
page
5/ You can also try to add other values from the admin module.
Signed-off-by: Chris Cormack <chris@bigballofwax.co.nz>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Signed-off-by: Tomas Cohen Arazi <tomascohen@gmail.com>
* Remove tab characters in acqui/addorder.pl
* Remove FIXME in acqui/cancelorder.pl
* Fix typos: "canceled" -> "cancelled", "occured" -> "occurred"
* Replace "Click here" link with "OK"
* Add a column to aqorders to store cancellation reason instead of
having it in aqorders.notes, to avoid having untranslatable strings in
database
Signed-off-by: Paola Rossi <paola.rossi@cineca.it>
Signed-off-by: Tomas Cohen Arazi <tomascohen@gmail.com>
Some code was duplicated, all is now in cancelorder.pl
Added possibility to provide a reason for cancellation (or other things,
this is saved in aqorders.notes)
Signed-off-by: Corinne Bulac <corinne.hayet@bulac.fr>
Signed-off-by: Paola Rossi <paola.rossi@cineca.it>
Signed-off-by: Tomas Cohen Arazi <tomascohen@gmail.com>