Here we go, next step then.
As we did not fix the performance issue when autofiltering
the variables (see bug 20975), the only solution we have is to add the
filters explicitely.
This patch has been autogenerated (using add_html_filters.pl, see next
pathces) and add the html filter to all the variables displayed in the
template.
Exceptions are made (using the new 'raw' TT filter) to the variable we
already listed in the previous versions of this patch.
To test:
- Use t/db_dependent/Koha/Patrons.t to populate your DB with autogenerated
data which contain <script> tags
- Remove them from borrower_debarments.comments (there are allowed here)
update borrower_debarments set comment="html tags possible here";
- From the interface hit page and try to catch alert box.
If you find one it means you find a possible XSS.
To know where it comes from:
* note the exact URL where you found it
* note the alert box content
* Dump your DB and search for the string in the dump to identify its
location (for instance table.field)
Next:
* Ideally we would like to use the raw filter when it is not necessary
to HTML escape the variables (in big loop for instance)
* Provide a QA script to catch missing filters (we want html, uri, url
or raw, certainly others that I am forgetting now)
* Replace the html filters with uri when needed (!)
Signed-off-by: Owen Leonard <oleonard@myacpl.org>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
Having to write [% KOHA_VERSION %] for each url is bad because:
- It's easily forgettable when adding new <script> or <link>
- It prevents grep'ing for the full filename
- It violates the DRY principle
- If at some point we want to change the "force js and css reload"
mechanism, it will be tedious
This patch:
- adds a Template::Toolkit plugin that generates <script> and
<link> tags for JS and CSS files, and inserts automatically the Koha
version in the filename
- use the new plugin to remove all occurences of [% KOHA_VERSION %]
- remove the code that was adding KOHA_VERSION as a template variable
Test plan:
1. Apply patch
2. Go to several different pages in Koha (opac and intranet) while
checking your browser's dev tools (there should be no 404 for JS and
CSS files, and the Koha version should appear in filenames) and the
server logs (there should be no "File not found")
3. `git grep KOHA_VERSION` should return nothing
4. prove t/db_dependent/Koha/Template/Plugin/Asset.t
Signed-off-by: Josef Moravec <josef.moravec@gmail.com>
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
This patch modifies the staff client administration templates so that
JavaScript is included in the footer instead of the header.
To test, apply the patch and test the JavaScript-driven features of the
modified templates: All button controls, DataTables functionality, tabs,
etc.
To test the changes to localization.tt you must have more than one
translation installed. Go to admin/itemtypes.pl, edit an itemtype, and
click the 'Translate into other languages' link.
To test the changes to sur_modmapping.tt, go to admin/z3950servers.pl
and create a new SRU server. Click the 'Modify' button next to 'SRU
Search fields mapping'
Signed-off-by: Claire Gravely <claire.gravely@bsz-bw.de>
Signed-off-by: Josef Moravec <josef.moravec@gmail.com>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
This patch is amended to use the sysprefs search on all Administration
pages that do not have their own custom search.
To test:
1) Go to Administration
2) Notice Catalogue search at the top - seems out of place.
3) Apply patch and refresh page.
4) Notice admin / sysprefs search now shows and is more appropriate.
5) Confirm searching for sysprefs still works
This patch affects the following pages:
- admin-home.pl
- audio_alerts.pl
- authtypes.pl
- auth_tag_structure.pl
- authorised_values.pl
- biblio_framework.pl
- marctagstructure.pl
- branch_transfer_limits.pl
- branches.pl
- checkmarc.pl
- classsources.pl
- columns_settings.pl
- didyoumean.pl
- edi_accounts.pl
- edi_ean_accounts.pl
- fieldmapping.pl
- item_circulation_alerts.pl
- items_search_fields.pl
- items_search_field.pl
- item_types.pl
- koha2marklinks.pl
- matching-rules.pl
- oai_sets.pl
- oai_set_mappings.pl
- patron-attr-types.pl
- smart-rules.pl
- transport-cost-matrix.pl
- sms_providers.pl
Sponsored-by: Catalyst IT
Signed-off-by: Mark Tompsett <mtompset@hotmail.com>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Signed-off-by: Owen Leonard <oleonard@myacpl.org>
Signed-off-by: Jonathan Druart <jonathan.druart@biblibre.com>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Test Plan:
1) Create an empty EAN
2) Edit it and save
3) Note you get a new EAN row
4) Apply this patch
5) Edit the empty EAN again
6) Note you now get an updated EAN and not a new row
Signed-off-by: Chris Cormack <chrisc@catalyst.net.z>
Depends on bug 16208 (which depends on 16206)
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
Signed-off-by: Brendan Gallagher <bredan@bywatersolutions.com>
Test Plan:
1) Create an empty EAN
2) Attempt to delete it, you should get an error
3) Apply this patch
4) Attempt to delete the EAN, you should now be able to
Signed-off-by: Chris Cormack <chrisc@catalyst.net.z>
This depends on bug 16206 being pushed, or you need to apply that patch
first
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
https://bugs.koha-community.org/show_bug.cgi?id=16256
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
Signed-off-by: Brendan Gallagher <bredan@bywatersolutions.com>
There are some issues with the template changes introduced by the EDI
feature in Bug 7736. This patch makes the following changes:
- Use Font Awesome icon on the Acquisitions basket page instead of a
Glyphicon.
- Use Font Awesome icon on the Acquisitions basket group page instead of
a Glyphicon.
- For consistency's sake, use the phrase "Library EANs" instead of "EDI
EANs" in menus and the Library EANs page.
- On the EDI accounts page:
- Correct the markup of the title tag.
- Improve the breadcrumbs to eliminate redundancy.
- Use Font Awesome icon instead of Glyphicon for the "New account"
button.
- Change or remove "maxlength" attribute of form fields to match table
structure.
- Move the contents of some title attributes into a visible hint.
- Use 'checked="checked"' instead of 'checked'. Koha templates use
XTHML-style attributes.
- Correct template variable in account deletion confirmation dialog.
Before this patch the vendor name was not correctly displayed.
- Show a message if there are no accounts defined rather than an empty
table.
- Remove use of "highlight" class from table rows (Bug 15927).
- Correct parameter name in link to vendor details page (should be
booksellerid instead of supplierid).
- Correct the markup of the deletion confirmation dialog (Bug 15785).
- Use Bootstrap-style buttons for "edit" and "delete," with Font
Awesome icons.
- On the Library EANs page:
- Correct the markup of the title tag.
- Make capitalization of "EAN" consistent.
- Use Font Awesome icon instead of Glyphicon for the "New EAN" button.
- Show a message if there are no EANs defined rather than an empty
table.
- Change or remove "maxlength" attribute of form fields to match table
structure.
- Remove use of "highlight" class from table rows (Bug 15927).
- Correct the markup of the deletion confirmation dialog (Bug 15785).
- Use Bootstrap-style buttons for "edit" and "delete," with Font
Awesome icons.
To test, apply the patch and review the affected templates. Confirm that
pages look correct and work correctly.
Signed-off-by: Bernardo Gonzalez Kriegel <bgkriegel@gmail.com>
All seems to work and looks well,
add/edit/delete EDI accounts and Library EANs works Ok
No errors
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
Signed-off-by: Brendan Gallagher <bredan@bywatersolutions.com>
Add support for processing incoming Edifact Quotes, Invoices
and order responses and generating and transmission of
Edifact Orders.
Basic workflow is that an incoming quote generates an aquisition
basket in Koha, with each line corresponding to an order record
The user can then generate an edifact order from this (or another)
basket, which is transferred to the vendor's site
The supplier generates an invoice on despatch and this will
result in corresponding invoices being generated in Koha
The orderlines on the invoice are receipted automatically.
We also support order response messages. This may include
simple order acknowledgements, supplier reports/amendments
on availability. Cancellation messages cause the koha order
to be cancelled, other messages are recorded against the order
Which messages are to be supported/processed is specifiable on a
vendor by vendor basis via the admin screens
You can also specify auto order i.e. to generate orders from quotes
without user intervention - This reflects existing
workflows where most work is done on the suppliers website
then generating a dummy quote
Received messages are stored in the edifact_messages table
and the original can be viewed via the online
Database changes are in installer/data/mysql/atomicchanges/edifact.sql
Note new perl dependencies:
Net::SFTP:Foreign
Text::Unidecode
Signed-off-by: Paul Johnson <p.johnson@staffs.ac.uk>
Signed-off-by: Sally Healey <sally.healey@cheshiresharedservices.gov.uk>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Signed-off-by: Brendan A Gallagher <brendan@bywatersolutions.com>