Commit graph

6 commits

Jonathan Druart
dcd1f5d48c Bug 13618: Add html filters to all the variables
Here we go, next step then.
As we did not fix the performance issue when autofiltering
the variables (see bug 20975), the only solution we have is to add the
filters explicitly.

This patch has been autogenerated (using add_html_filters.pl, see next
patches) and adds the html filter to all the variables displayed in the
template.
Exceptions are made (using the new 'raw' TT filter) to the variable we
already listed in the previous versions of this patch.

To test:
- Use t/db_dependent/Koha/Patrons.t to populate your DB with autogenerated
data which contain <script> tags

- Remove them from borrower_debarments.comments (they are allowed here)
update borrower_debarments set comment="html tags possible here";

- From the interface, hit pages and try to catch an alert box.
If you find one, it means you have found a possible XSS.
To know where it comes from:
* note the exact URL where you found it
* note the alert box content
* Dump your DB and search for the string in the dump to identify its
location (for instance table.field)

Next:
* Ideally we would like to use the raw filter when it is not necessary
to HTML escape the variables (in big loops for instance)
* Provide a QA script to catch missing filters (we want html, uri, url
or raw, certainly others that I am forgetting now)
* Replace the html filters with uri when needed (!)

Signed-off-by: Owen Leonard <oleonard@myacpl.org>

Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>

Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
2018-08-17 15:55:05 +00:00
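The commit above adds an explicit html filter to every displayed template variable and lists a QA script to catch missing filters as future work. The following is an added example, not code from the Koha project or from this commit, of what such a check looks like: it scans Template Toolkit source for output directives whose terminal filter is not one of html, uri, url or raw, and shows what the html filter does to a value carrying a <script> tag. The template text, the patron/debarment/note variable names and the keyword list used to recognise control directives are constructed assumptions for the demonstration.

```python
import re

# Filters the commit accepts as the terminal filter on an output directive.
ALLOWED_FILTERS = {"html", "uri", "url", "raw"}

# Directives that control flow or assign values rather than print output, so
# they need no escaping filter. Assumption: a subset of Template Toolkit's
# directive keywords, enough for this demonstration.
CONTROL_KEYWORDS = {
    "IF", "ELSIF", "ELSE", "UNLESS", "END", "FOREACH", "FOR", "WHILE",
    "SET", "DEFAULT", "USE", "INCLUDE", "PROCESS", "BLOCK", "WRAPPER",
    "SWITCH", "CASE", "MACRO", "FILTER", "TRY", "CATCH", "FINAL",
    "THROW", "RETURN", "STOP", "NEXT", "LAST", "CLEAR", "META", "TAGS",
}

DIRECTIVE_RE = re.compile(r"\[%-?\s*(.*?)\s*-?%\]", re.DOTALL)


def html_filter(value):
    # Same character mapping as Template Toolkit's html filter: & < > " become entities.
    return (str(value).replace("&", "&amp;").replace("<", "&lt;")
            .replace(">", "&gt;").replace('"', "&quot;"))


def is_output_directive(body):
    # Comments, empty directives, control keywords and assignments print nothing.
    if not body or body.startswith("#"):
        return False
    first = body.split(None, 1)[0].rstrip(";")
    if first.upper() in CONTROL_KEYWORDS:
        return False
    if re.match(r"^\w[\w.]*\s*=[^=]", body):  # [% foo = 1 %]
        return False
    return True


def split_pipes(body):
    # Split a directive body on filter pipes, ignoring '|' inside quotes and the '||' operator.
    parts, buf, quote, i = [], [], None, 0
    while i < len(body):
        ch = body[i]
        if quote:
            buf.append(ch)
            if ch == quote:
                quote = None
        elif ch in "'\"":
            quote = ch
            buf.append(ch)
        elif ch == "|" and body[i:i + 2] == "||":
            buf.append("||")
            i += 1
        elif ch == "|":
            parts.append("".join(buf).strip())
            buf = []
        else:
            buf.append(ch)
        i += 1
    parts.append("".join(buf).strip())
    return parts


def terminal_filter(body):
    # Name of the last filter applied, or None when the variable is printed unfiltered.
    parts = split_pipes(body)
    if len(parts) > 1:
        m = re.match(r"(\w+)", parts[-1])
        return m.group(1) if m else None
    m = re.search(r"\bFILTER\s+(\w+)\s*$", parts[0])  # [% foo FILTER html %] form
    return m.group(1) if m else None


def find_missing_filters(template):
    # Return (line number, directive text, terminal filter) for every output
    # directive whose last filter is not one of ALLOWED_FILTERS.
    findings = []
    for m in DIRECTIVE_RE.finditer(template):
        body = m.group(1)
        if not is_output_directive(body):
            continue
        f = terminal_filter(body)
        if f not in ALLOWED_FILTERS:
            line = template.count("\n", 0, m.start()) + 1
            findings.append((line, m.group(0), f))
    return findings


# Constructed sample template: two variables are printed with no filter and one
# ends in a non-escaping filter, so a value such as a patron surname containing
# <script> would reach the browser unescaped.
TEMPLATE = """\
[% USE Branches %]
[% SET title = patron.surname %]
<h1>[% patron.firstname | html %] [% patron.surname %]</h1>
[% IF debarment %]
  <p>[% debarment.comment | raw %]</p>
[% END %]
<a href="/cgi-bin/koha/members/moremember.pl?borrowernumber=[% patron.borrowernumber | uri %]">link</a>
[% FOREACH note IN notes %]
  <li>[% note.text %]</li>
[% END %]
[%# comment %]
<td>[% item.title | truncate(30) %]</td>
"""

if __name__ == "__main__":
    for line, directive, f in find_missing_filters(TEMPLATE):
        print(f"line {line}: {directive} (terminal filter: {f})")
    print(html_filter('<script>alert(1)</script>'))
```

The check only inspects the last filter in the chain because a filter applied after html (such as truncate) can cut through an entity and undo the escaping; that is also why the commit's QA wish list names html, uri, url and raw specifically.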
d90ff21454 Bug 17698: Do not send pending_checkout_notes from all circ scripts
It's safer to send what we need from C4::Auth it's needed from a whole
module.
The SELECT COUNT(*) query will only be done when needed (so not made
from scripts outside of circ)

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>

Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
2018-07-23 15:23:44 +00:00
Aleisha Amohia
4e722eda45 Bug 17698: (follow-up) Changing to Koha Objects style, adding circ sidebar
Marcel, can you please have a look at this patch. I tried to implement
the change
my @notes = $schema->resultset('Issue')->search({ 'me.note' => { '!=', undef } }, { prefetch => [ 'borrower', { item => 'biblionumber' } ] });
to
my @notes = Koha::Checkouts->search({ 'me.note' => { '!=', undef } }, { prefetch => [ 'borrower', { item => 'biblionumber' } ] });
but am having problems on the template side. I can access the item and
biblio information about the issue, but not the borrower information,
even though the query is definitely pulling it correctly. Any
suggestions or ideas as to why this breaks?

This patch also adds the implementation of the circSidebar.

Signed-off-by: Brendan Gallagher <brendan@bywatersolutions.com>

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>

Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
2018-07-23 15:23:41 +00:00
0254b4e87d Bug 20931: JS error "ReferenceError: $ is not defined" when CircSidebar is turned on
This patch reorganizes the way sidebar menus get highlighted based on
the current page. A global function is added to handle most cases.
Individual menu-handling scripts have been modified to handle only the
edge cases which aren't covered by the global one.

A new class is added to the global CSS file so that highlighted menu
links can be custom-styled.

To test, apply the patch and clear your cache if necessary.

View various pages to confirm that current-page-highlighting in the
sidebar menu is working correctly and that there are no JS errors in the
browser console. For example:

 - Administration -> Currencies and exchange rates.
 - Acquisitions -> Invoices
 - Tools -> Patron lists
 - Tools -> Export

And with CircSidebar turned on test various circulation pages, e.g.

 - Circulation -> Set library

Signed-off-by: Charles Farmer <charles.farmer@inLibro.com>

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>

Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
2018-07-02 11:10:00 +00:00
7963796978 Bug 16530: Add a new method to the Branches TT Plugin to avoid c/p
We should do the same for the other check (FA exists), but cannot find a
good and quick way to implement.

Doing it this way will avoid regression later, we will not have to check
if the variable is correctly passed to the template.

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>

Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
2017-03-03 18:34:36 +00:00
Aleisha
1edb8cbeee Bug 16530: Adding a circ sidebar navigation menu and circSidebar syspref to activate/deactivate
Edit: Fast cataloging link should now show on all pages, removed offline circulation links
Edit 2: Creates the syspref to activate or deactivate the sidebar
Edit 3: Fixing merge conflicts, using Koha::BiblioFrameworks to find FA
framework and adding sidebar to on-site checkouts

This adds a sidebar to
circ/branchoverdues.tt
circ/circulation.tt (I also fixed up some of the indentation in this file to make it easier to see where the divs started and ended)
circ/renew.tt
circ/returns.tt
circ/selectbranchprinter.tt
circ/transferstoreceive.tt
circ/view_holdsqueue.tt
circ/waitingreserves.tt
circ/branchtransfers.tt
circ/on-site_checkouts.tt

To test:
1) Confirm syspref CircSidebar is activated
2) Go to all of the above pages and confirm the sidebar menu shows up
3) Confirm fast cataloguing link and transfer link are there
4) Trigger any error messages you can possibly think of (i.e. on renew.pl: barcode does not exist). Confirm that this does not mess up the layout of the page
5) Go to a user account page, Check out tab. (Since this is a circ/circulation.pl page). Ensure the circ nav sidebar doesn't show up (confirm it looks as it usually does)
6) Deactivate circSidebar
7) Confirm pages all look normal

Sponsored-by: Catalyst IT

Signed-off-by: Jan Kissig <jkissig@th-wildau.de>

Signed-off-by: Josef Moravec <josef.moravec@gmail.com>

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>

Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
2017-03-03 18:34:36 +00:00