Here we go, next step then.
As we did not fix the performance issue when autofiltering
the variables (see bug 20975), the only solution we have is to add the
filters explicitely.
This patch has been autogenerated (using add_html_filters.pl, see next
pathces) and add the html filter to all the variables displayed in the
template.
Exceptions are made (using the new 'raw' TT filter) to the variable we
already listed in the previous versions of this patch.
To test:
- Use t/db_dependent/Koha/Patrons.t to populate your DB with autogenerated
data which contain <script> tags
- Remove them from borrower_debarments.comments (there are allowed here)
update borrower_debarments set comment="html tags possible here";
- From the interface hit page and try to catch alert box.
If you find one it means you find a possible XSS.
To know where it comes from:
* note the exact URL where you found it
* note the alert box content
* Dump your DB and search for the string in the dump to identify its
location (for instance table.field)
Next:
* Ideally we would like to use the raw filter when it is not necessary
to HTML escape the variables (in big loop for instance)
* Provide a QA script to catch missing filters (we want html, uri, url
or raw, certainly others that I am forgetting now)
* Replace the html filters with uri when needed (!)
Signed-off-by: Owen Leonard <oleonard@myacpl.org>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
This patch updates DataTables configuration so that more strings are
translatable:
https://datatables.net/extensions/buttons/examples/html5/copyi18n.html
To test, apply the patch and clear your browser cache.
- Open the account tab for a patron who has only one fine.
- Confirm that the new DataTables buttons appear.
- Click the 'Copy' button and confirm that a "Copied 1 row to clipboard"
message appears.
- Test again with a patron who has multiple fines, confirm that the
message reads "Copied X rows to clipboard."
To test the translation:
- Confirm that "Copied 1 row to clipboard" is missing from the language
file you're testing with (misc/translator/po/xx-YY-staff-prog.po).
- Run 'translate update xx-YY'
- Check that the clipboard strings are now in the po file.
- Add translations for those strings.
- Run 'translate update xx-YY' and 'translate install xx-YY'
- Switch to the translated language and clear your browser cache.
- Test the 'Copy' button again. Your translated text should appear.
Signed-off-by: Claire Gravely <claire.gravely@bsz-bw.de>
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
There are many tables in Koha where it would be useful
for librarians to easily copy, download or print the table
for various purposes. These functions are available via
DataTables button plugins.
Test Plan:
1) Clear your browser cache ( just in case )
2) Apply this patch
3) Browse to boraccount.pl ( or another page using DataTabes )
4) Note the new Excel, CSV, Copy and Print buttons
5) Test each button to ensure they work
Signed-off-by: Claire Gravely <claire.gravely@bsz-bw.de>
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Having to write [% KOHA_VERSION %] for each url is bad because:
- It's easily forgettable when adding new <script> or <link>
- It prevents grep'ing for the full filename
- It violates the DRY principle
- If at some point we want to change the "force js and css reload"
mechanism, it will be tedious
This patch:
- adds a Template::Toolkit plugin that generates <script> and
<link> tags for JS and CSS files, and inserts automatically the Koha
version in the filename
- use the new plugin to remove all occurences of [% KOHA_VERSION %]
- remove the code that was adding KOHA_VERSION as a template variable
Test plan:
1. Apply patch
2. Go to several different pages in Koha (opac and intranet) while
checking your browser's dev tools (there should be no 404 for JS and
CSS files, and the Koha version should appear in filenames) and the
server logs (there should be no "File not found")
3. `git grep KOHA_VERSION` should return nothing
4. prove t/db_dependent/Koha/Template/Plugin/Asset.t
Signed-off-by: Josef Moravec <josef.moravec@gmail.com>
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
This patch moves the JavaScript files in prog/en/js to prog/js.
JavaScript files do not need to be in the directory which is processed
by the translator.
To test, apply the patch and visit various pages in the staff client to
confirm that JavaScript files are still loading correctly.
Revised: I intended for this to be built on top of Bug 15883 as well as
Bug 16242. Now it is.
Signed-off-by: Bernardo Gonzalez Kriegel <bgkriegel@gmail.com>
On top of 15883 and 16241
All seems to work, js files pulled from new dir.
No errors
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
The staff client CSS is not language-specific, so it can be moved out of
the en/ directory and thus not be duplicated for every translation.
In order to be able to have a generic path to the YUI CSS files, the YUI
directory is moved by this patch to the staff client's lib/ directory.
To test, apply the patch and visit various pages in the staff client.
Look in particular at pages which include more than the standard CSS.
For example:
- The staff client login page.
- The staff client home page.
- Patron -> Set permissions.
- The advanced cataloging editor.
- Acquisitions -> Vendor -> Basket groups.
- Tools -> News -> Edit news.
- Administration -> System preferences.
Revised: I intended for this to be built on top of Bug 15883. Now it is.
Signed-off-by: Bernardo Gonzalez Kriegel <bgkriegel@gmail.com>
On top of 15883
Works as described, all pages on test plan
No Errors
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
datatables.inc loads dataTables.buttons.min.js and buttons.colVis.min.js
since bug 15285: Update common files because the dom param now contains
'B'. The DT init fails with it does not know what 'B' means.
Test plan:
Test tables using buttons (columns visibility), they should work as
before this patch.
Tested with patron search and administration/currencies, works as expected.
Signed-off-by: Marc Véron <veron@veron.ch>
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
Signed-off-by: Brendan A Gallagher <brendan@bywatersolutions.com>
This patch moves the Button area all tables which does not redefine the
dom/sDom DT parameter.
Signed-off-by: Marc Véron <veron@veron.ch>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Signed-off-by: Brendan Gallagher brendan@bywatersolutions.com
Signed-off-by: Chris Cormack <chris@bigballofwax.co.nz>
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
Signed-off-by: Tomas Cohen Arazi <tomascohen@gmail.com>
There are many instances where librarians would like to have the ability
to see all the rows in a datatable at one. It seems prudent to make this
a default option for datatables, rather than change it on a case by case
basis.
Test Plan:
1) View the circulation history for a patron
2) Note you can select to view 10, 25, 50, or 100 entries
3) Apply this patch
4) Reload the circulation history page for a patron
5) Note the new "All" option
6) Verify the "All" option shows all the rows at once
Signed-off-by: Jonathan Druart <jonathan.druart@biblibre.com>
I tested the translation for "All"
Signed-off-by: Galen Charlton <gmc@esilibrary.com>
This patch adds an upgraded copy of the DataTables plugin to the jQuery
plugin directory outside the theme directories. Copies of the old
DataTables plugin scripts have been left in the old location while
templates are incrementally updated.
To test, visit each affected page in Acquisitions and confirm that table
sorting still words correctly:
- Acquisitions home
- Acquisitions -> Late orders
- Acquisitions -> Order search
- Acquisitions -> Ordered (from table of available funds)
- Acquisitions -> Spent (from table of available funds)
- Acquisitions -> Vendor search
- Acquisitions -> Vendor detail
- Acquisitions -> Vendor -> Basket
- Acquisitions -> Vendor -> Basket -> Add order from existing record
-> Add order from suggestion
-> Add order from subscription
-> Add order from external source
-> Add order from staged file
- Acquisitions -> Vendor -> Basket groups
- Acquisitions -> Vendor -> Uncertain prices
- Acquisitions -> Vendor -> Invoices
- Acquisitions -> Vendor -> Invoices -> Invoice
- Acquisitions -> Vendor -> Receive shipments
- Acquisitions -> Vendor -> Receive shipments -> Receipt summary (click
invoice number)
Also test one or more pages which have not been modified to confirm that
old DataTables assets are still in place and working (ex: Circulation,
Quotes editor, Saved reports, etc.)
Signed-off-by: Srdjan <srdjan@catalyst.net.nz>
Edit: Rebased on current master
Signed-off-by: Katrin Fischer <Katrin.Fischer.83@web.de>
All tests und QA script pass. I found some smaller bugs, that
also appeared on master without the patch applied. For some datatables
I struggled with a result set of over 5.000 lines - there is room for
improvement where a lot of data can be shown.
testing notes:
- Acquisitions home
- Amounts don't sort correctly before and after the patch, see bug 10792.
- Acquisitions -> Late orders
- OK.
- Acquisitions -> Order search
- OK.
- Acquisitions -> Ordered (from table of available funds)
- OK.
- Acquisitions -> Spent (from table of available funds)
- OK.
- Acquisitions -> Vendor detail
- OK.
- Acquisitions -> Vendor -> Basket
- OK.
- Acquisitions -> Vendor -> Basket -> Add order from existing record
- Datatables seems not to be in use here?
-> Add order from suggestion
- OK.
-> Add order from subscription
- OK.
-> Add order from external source
- OK.
-> Add order from staged file
Signed-off-by: Galen Charlton <gmc@esilibrary.com>
