This patch makes the following changes:
[1] Removes Default from the template list. We should not merge with the
Default framework, since it does not have a reporting tag.
[2] Rearranges the error section in the template. It is confusing to have
two error sections in this template. The error CANNOT_MOVE is not used.
The error FRAMEWORK_NOT_SELECTED is replaced by WRONG_FRAMEWORK.
[3] Do not allow to merge a record with itself.
[4] Check if the merge reference record still contains any MARC tags.
[5] Additional polishing: Simplify passing frameworks to template. Remove
an unused Koha::Authority::Types->search. Remove obsolete POD header
for functions from the script.
Test plan:
[1] Select two authorities to merge. Verify that you cannot select Default
anymore as framework for the reference record.
[2] Reproduce error WRONG_COUNT by adding another authid=999 in the URL
after you selected two authority records for merging.
[3] Remove the third authid from the URL and change the first or second
authid into an unexisting record id. You should generate an Internal
Server Error. The log should show the exception message.
[4] Merge two authorities. Deselect all MARC tags. Should trigger the
error EMPTY_MARC in the template.
[5] Select the same authority record twice for merging. Should trigger the
error DESTRUCTIVE_MERGE in the template.
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Josef Moravec <josef.moravec@gmail.com>
Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
To test:
1) Create a budget, add a fund
2) Delete budget. Notice this is successful and triggers no warning
message etc.
3) Go to Funds. Notice the funds appear as if they are not there
4) Go into mysql and view the aqbudgetperiods table - notice the funds
are still there and are now inaccessible.
5) Apply patch
6) Create a budget, add a fund
7) Attempt to delete budget. Notice you can't click Delete button.
Confirm number of funds in hover message is correct.
8) Delete fund
9) Confirm you can now delete budget.
Sponsored-by: Catalyst IT
Signed-off-by: Felix Hemme <felix.hemme@thulb.uni-jena.de>
Signed-off-by: Owen Leonard <oleonard@myacpl.org>
Bug 18351: [FOLLOW-UP] Some code fixes
See Comment 5. Ready to test.
Signed-off-by: Lee Jamison <ldjamison@marywood.edu>
Signed-off-by: Owen Leonard <oleonard@myacpl.org>
Bug 18351: [FOLLOW-UP] Code fix
See comment 10.
Ready for testing.
Signed-off-by: Owen Leonard <oleonard@myacpl.org>
Bug 18351: [FOLLOW-UP] Prevent deletion from forcing URL
This patch adds a check in the script for existing funds so that the
budget cannot be deleted when forcing the URL and has other small fixes.
Signed-off-by: Owen Leonard <oleonard@myacpl.org>
Bug 18351: [FOLLOW-UP] Prevent deletion if funds are added after clicking 'Delete' and before confirming delete
Followed test plan and patch works as described.
Signed-off-by: Dilan Johnpullé <dilan@calyx.net.au>
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Followup correcting a typo of previous patch :
name="holdingbranch" options = branche
it is branche[s]
Test plan :
- Look at 'Current location' in item search
=> Without patch you see only 'All libraries'
=> With patch you see 'All libraries' and each existing library, like in 'Home library'
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
This patch modifies multiple catalog-related pages in order to move
embedded JavaScript to the footer.
The JavaScript previously embedded in cat-toolbar.inc is moved to a
separate file (catalog.js).
To test, apply the patch and test JavaScript-driven interactions on all
modified pages, including JS which isn't page-specific (menus, help,
etc). The functionality of the catalog toolbar should be tested on each
page.
- Bibliographic detail pages (standard, MARC, labeled MARC, ISBD).
- Advanced search page
- Local cover image viewer
- Item search page
- Item detail page
- Search history page
- Checkout history page
https://bugs.koha-community.org/show_bug.cgi?id=17839
Signed-off-by: Lee Jamison <ldjamison@marywood.edu>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
To test:
1) Enable UseCourseReserves syspref
2) Go to Course Reserves
3) Add a new course if you don't already have one
4) Add an item to the course
5) Click 'remove' to delete the item from the course
6) Notice the item deletes straight away with no confirmation prompt
7) Apply the patch
8) Repeat steps 4 and 5
9) Confirm the confirmation box pops up and works as expected
Sponsored-by: Catalyst IT
Signed-off-by: Claire Gravely <claire.gravely@bsz-bw.de>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
To test:
1) Ensure UseCourseReserves is enabled
2) Go to Course Reserves, create a course
3) Edit course
4) Click Cancel
5) Notice you are returned to the courses home page rather than returned
to the course
6) Apply patch
7) Go to edit course and click cancel again
8) Confirm you are returned to the course and that this feels like the
natural expectation.
Sponsored-by: Catalyst IT
Signed-off-by: Claire Gravely <claire.gravely@bsz-bw.de>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
To test:
1) Go to Tools -> Clubs
2) Create a new club template if you do not already have one
3) Edit the template
4) Notice the URL is incorrect and the page is not found
5) Apply patch and go back to Clubs
6) Click edit button
7) Link should work as expected
Sponsored-by: Catalyst IT
Signed-off-by: Claire Gravely <claire.gravely@bsz-bw.de>
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
This patch modifies the circulation template so that
itemBarcodeFallbackSearch results show in a modal window.
To test, enable the itemBarcodeFallbackSearch system preference and open
a patron's account in circulation.
- Submit a string which will return search results. When the page
reloads a modal should display showing a table of title search
results.
- Test the "Check out" button and confirm that the correct item is
submitted.
- Test closing the modal and re-displaying it using the new "Show
matching titles" button.
- Confirm that the "Add record using fast cataloging" button still
works correctly.
- Submit a string which will return no results. No modal window should
display, and only the "Add record" button should appear.
- Confirm that normal checkout works correctly.
- Test with itemBarcodeFallbackSearch disabled, and with a user who
lacks Fast Cataloging permission.
Revision removes a heading which was made redundant by the modal markup.
Signed-off-by: Josef Moravec <josef.moravec@gmail.com>
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Same change as the first patch, but for the batch record
modification tool.
Signed-off-by: Marc Véron <veron@veron.ch>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Changes the label from 'list of record numbers...' to
'List of biblionumbers or authority ids...' to make it
more clear to the user which kind of input is expected.
To test:
- Go to Tools > Batch record deletion
- Check the new description
- Decide if it's more clear or not
Signed-off-by: Marc Veron <veron@veron.ch>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Fixes misplaced columns introduced by previous patch and adds the "-" for phone
transport type.
To test:
1. Set SMSSendDriver system preference on
2. Go to intranet messaging preferences
3. By default you should see checkboxes for all messages for SMS
4. Ensure columns are not misplaced (pushing one column too much to the right)
5. Delete sms method from one of the messages in message_transports table
6. Observe that "-" is displayed instead of checkbox for that message for SMS
7. Repeat same for TalkingTechItivaPhoneNotification system preference.
By default it may not have transports in message_transports, so make sure
to assign some in order to have the checkboxes visible.
Signed-off-by: Owen Leonard <oleonard@myacpl.org>
Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
This patch adds a note to the system preferences autonembernum and
BorrowerMandatoryFields regarding a conflict if automembernum is on
and BorrowerMandatoryFields contains cardnumber.
To reproduce issue: See initial comment.
To test:
- Apply patch
- Verify that in system preferences note appears with both prefs
automembernum and BorrowerMandatoryFields
Followed test plan, works as described
Signed-off-by: Alex Buckley <alexbuckley@catalyst.net.nz>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
This patch fills the column 'Collection' in item search from the item values.
To test:
- Go to item search
- Reproduce issue from initial comment
- Apply patch
- Verify that the column 'Collection' is filled
Still to do, but outside of my datatable skills:
Filter by drop down in the column header does a substring search.
Example: Filter for 'Fiction" returns both 'Fiction' and 'Non-fiction' items.
Signed-off-by: Owen Leonard <oleonard@myacpl.org>
Signed-off-by: Laurence Rault <laurence.rault@biblibre.com>
Signed-off-by: Julian Maurice <julian.maurice@biblibre.com>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Test plan:
1. Create a patron category with the dateexpiry value of 29/9/2017
2. Create a patron user from that patron category (which I'll refer to as patron A) with the date
expiry value of 1/10/2017 and submit the form
3. Notice that the manual dateexpiry you have submitted is correctly
displayed
4. Create a duplicate patron with the same firstname and surname and
patron A, and set the date expiry value of 1/10/2017 and submit the form
5. The form displays a duplicate patron message. Notice that the dateexpiry input box is empty now
6. Select the new member (not a duplicate member) option in the
messagebox
7. The form successfully submits and notice that the date expiry value
displayed is that of the patron category (i.e. it is 29/9/2017) not the
dateexpiry value of 1/10/2017 that you manually set for this patron
8. Apply patch
9. Repeat step 4
10. The form displays a duplicate patron message. Notice the dateexpiry input box still
contains the value you entered which is 1/10/2017. Select the new member
(not a duplicate member) option in the messagebox
11. The form successfully submits and notice that the date expiry value
displayed is 1/10/2017 that you manually set for this patron
Signed-off-by: Owen Leonard <oleonard@myacpl.org>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Adds logic from the previous fix to the brief patron summary
shown when checking a possible patron duplicate.
Bonus: Also fixes missing patron category description there.
To Test:
- Add 2 patrons
- Add a patron with the same surname and firstname as an
existing patron in order to trigger the duplicate message
- Click "View existing patron"
- Verify display is correct when existing patron is
- an organisation
- not an organisation
- Verify that the patron category description shows
Signed-off-by: Aleisha Amohia <aleishaamohia@hotmail.com>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Problem: A patron category "I" would cause display problems
on the details in the intranet. This is because the templates
confused patron category "I" with patron type "I" (organisation).
Patch:
- Cleans up variable confusion between categorycode and
categorytype.
- The template contained code to change the labels below
the address to 'Organisational phone:" etc., I have removed
this part as it does not match the edit form anymore.
- Initials, date of birth and gender are still hidden for
organisation - matching the edit form.
Bonus:
- The patron category description was missing on the
right and left side of the details tab. Now it displays.
- Fixes some html issues:
- doubled up class attribute in a tag
- doubled up </li></li>
To test:
- Create 3 patrons
- patron category code doesn't matter, but category type organisation
- patron category code 'I', category type NOT organisation
- patron category code NOT I, category type NOT organisaton
- Check details tab in patron account in staff for all 3
- Verify patron category description shows correctly
- Verify information added to the account displays correctly
(phone numbers, emails, ...)
Signed-off-by: Aleisha Amohia <aleishaamohia@hotmail.com>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Works as outlined in test plan, search terms now appear at top as h1 as well
Signed-off-by: Dilan Johnpullé <dilan@calyx.net.au>
Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
To test:
1) Go to Admin -> search for a system preference
2) Notice your search stays in the search box (this is inconsistent with
search behaviour across Koha)
3) Apply patch and refresh page
4) Make another search
5) Confirm search still works as expected and search terms have been
cleared from search box
6) Confirm search terms show at the top of the results
Sponsored-by: Catalyst IT
Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
This patch adds status 'Damaged' to 'Information' 'Status' in the items
table on 'Place hold' page.
To test:
- Apply patch
- In staff client, try to place an item level hold for items with 'Damaged'
status.
- Verify that the status 'Damaged' appears in the column 'Information'.
Signed-off-by: Owen Leonard <oleonard@myacpl.org>
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
The "Pay selected" option on the Fines tab in the borrower account page doesn't work as intended.
The fine on top of the list gets the amount deducted, even if another fine is choosen from the list.
Test Plan:
1) Create two or three fines, using the Create manual invoice function.
2) Choose one of the fines (not the one on the top) and click Pay selected
3) Pay a partial amount
4) Go back to the Pay fines tab an notice that the fine you selected has not changed. Instead, either the top fine or the total (see attachment) has ben affected.
5) Apply this patch
6) Repeat steps 1-3
7) Note the correct fine is paid
Signed-off-by: Andreas Hedström Mace <andreas.hedstrom.mace@sub.su.se>
Signed-off-by: Julian Maurice <julian.maurice@biblibre.com>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
This patch adds a language selector menu to the top menu of staff client
similar to the OPAC.
Display of language selectors at top, bottom or both can be configured
with system preference StaffLangSelectorModer. It defaults to bottom.
To test:
- Apply patch
- Udate database
- Restart plack and memchached
- Go to staff client, verify that language selector displays at
the bottom of the page (as before)
- Go to system preferences, verify that there is a new preference
StaffLanguageSelectorMode (name similar to the sypref ror OPAC), and
that it is set to 'footer'
- Change mode for top, both and footer and verify, go to staff client
and verify for each that the language selector displays as appropriate
(Amended for comment #2 2017-06-02 mv)
Signed-off-by: Josef Moravec <josef.moravec@gmail.com>
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Signed-off-by: Serhij Dubyk {Сергій Дубик} <serhijdubyk@gmail.com>
The "by" after the title was not translatable in the result
lists of the intranet. This patch fixes it by removing
a comment, that caused a problem with the translation
scripts.
To test:
Test:
Before this patch in file en-GB-marc-MARC21.po present next paragraph:
msgid "by "
msgstr " by "
According string "by " in the file MARC21slim2intranetResults.xsl can not be translated (in other languages).
After applying this patch performed next command:
cd /usr/share/koha/misc/translator
sudo env KOHA_CONF=/etc/koha/sites/mykohainstance/koha-conf.xml PERL5LIB=/usr/share/koha/lib perl -I /usr/share/koha/lib "./translate" update
Now in the file en-GB-marc-MARC21.po present the following (modified) paragraph:
msgid "by "
msgstr " by "
https://bugs.koha-community.org/show_bug.cgi?id=17827
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
The link is the same as the 'Add patrons' button in Actions dropdown,
but requires one less click, and makes finding the contents of the list
more obvious.
To test:
1) Go to Tools -> Patron lists
2) Create a patron list if you haven't already
3) Confirm that clicking the name of the list takes you to the correct
list and shows the expected content.
Sponsored-by: Catalyst IT
Signed-off-by: Owen Leonard <oleonard@myacpl.org>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
if club has no enrolled patrons
Signed-off-by: Mark Tompsett <mtompset@hotmail.com>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
If deleting the last club or template in a table, the row is deleted
from the webpage by ajax so the nice blue bubble message does not show.
This patch forces the page to reload so the blue bubble message shows
instead of the empty table.
To test:
Confirm that the blue message shows when tables are empty. Add a
template and a club, then delete a club. Confirm the page reloads and
the message shows. Test with template
Sponsored-by: Catalyst IT
Signed-off-by: Mark Tompsett <mtompset@hotmail.com>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
This patch
1) Hides the club templates table if there are no club templates, shows
an appropriate message
2) Hides the clubs table if there are no clubs. Shows an appropriate
message for whether templates exist
3) Puts the actions in one column, or a dropdown menu
Sponsored-by: Catalyst IT
Signed-off-by: Mark Tompsett <mtompset@hotmail.com>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Translation for koha-tmpl/intranet-tmpl/prog/en/includes/patroncards-errors.inc
contains a lot of (partial) template directives like:
%%]%s %sLayout: [%%
This patch fixes it
To test:
- Verify that code changes make sense
- Apply patch
- Create a translation (cd misc/translator , then: perl translate create aa-AA
- Verify that in po/aa-AA-staff-prog.po contains no fragments like %%] or [%%
for patroncards-errors.inc
- Try to get an error: Try a link like
http://[YOUR SERVER]/cgi-bin/koha/patroncards/create-pdf.pl?batch_id=1&template_id=999&layout_id=999&start_card=1
...where template_id and layout_id do not exist
(Amended for comment #2 2017-06-05 mv)
(Amended for comment #6 2017-08-02 mv)
Signed-off-by: Owen Leonard <oleonard@myacpl.org>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
In manage-marc-import.tt, we have an abbreviation:
<abbr title="Differences between the original biblio and the imported" lang="en">Diff</abbr>
In translations (e.g. German), the line appears as follows:
<abbr title="Unterschiede zwischen Originaltitelsatz und importiertem Titelsatz" lang="en">Diff</abbr>
The lang attribute is wrong here, it is still "en".
The text language is the same as defined at the top of the page - or with other
words, the lang tag is superfluous.
This patch removes it.
To test:
Verify that code change makes sense.
Passes QA test and the change is logical
Signed-off-by: Alex Buckley <alexbuckley@catalyst.net.nz>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
This patch removes entries like the following in translations of itemsearch.tt:
"[%% INCLUDE form_field_select name=\"homebranch\" options = branches "
"empty_option = \"All libraries\" %%] [%% INCLUDE form_field_select name="
"\"holdingbranch\" options = branches empty_option = \"All libraries\" %%] %s "
"[%% INCLUDE form_field_select name=\"location\" options = locations "
"empty_option = \"All locations\" %%] %s "
New patch on top of Bug 18633 that resolves parts of initial comment.
To test:
- Verify that in itemsearch.tt no tt directives are splitted by new lines
(search for [% INCLUDE )
- Verify that itemsearch.tt works as before
Followed test plan and verified that tt directives are not split by new
lines, the changes to the fieldset tags in comment 3 have been removed
and itemtype.tt still works correctly as before
Signed-off-by: Alex Buckley <alexbuckley@catalyst.net.nz>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Translation tool shows toe following for ncertainprice.tt
0; url=[% scriptname %]?booksellerid=[% booksellerid %]
This patch fixes it.
To test:
- Apply patch
- Verify that code change makes sense
- Verify that Home > Acquisitions > [vendor] > Uncertain prices for [vendor]
works as before
- Additional test (for a langunage 'aa-AA')
perl translate create aa-AA
verify that line 41 no longer appears in aa-AA-staff-prog.po
Amended to switch from BLOCK to a template variable, see comment #5
Signed-off-by: Owen Leonard <oleonard@myacpl.org>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
New patch without trailing IF construction in tt directives as
requested in comment #28
To test: Verify that translation tool no longer shows tt directives as
described in comment #1
New patch, needs SO.
Signed-off-by: Owen Leonard <oleonard@myacpl.org>
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Remove
[% BLOCK txt_continue %]Continue to the next step[% END %]
...and restore original text
See comment #19 and comment #20
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
The new web installer for 17.05 has a great new design - but it has a lot of
translatability issues. Some strings are not picked for translations,
some expose the content of tt directives, and others are splitted by
html tags, resulting in small text fragments that are not easy to translate.
This patch weeds out such translation problems for step1.tt, step2.tt and
step3.tt
To test:
- Apply patch (on top of Bug 18665 because of html tags inside of
tt directives in step2.tt)
- Prepare a fresh install (drop database, create database)
- Walk through the installation process and verify that it works as before
- Verify that string changes (in English) make sense
- Create a translation( cd misc/translator, then perl translate create aa-AA)
then: vim po/aa-AA-staff-prog.po and search for: /installer\/step
Verify that strings for step1.tt, step2.tt, step3.tt are not fragmented,
do not contain [%%, and are easily translatable (make sense without having
to search in source files for context).
(Amended to remove some superfluous chomps 2017-06-27 mv)
Signed-off-by: Alex Buckley <alexbuckley@catalyst.net.nz>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
To Test
1. Hit the page /cgi-bin/koha/patron_lists/lists.pl
2. Click on new patron list
3. Add a text in the field Name that contains js
4. Save the page.
5. Notice js is execute
6. Apply patch and reload, the js is escaped
Fixed in both the pages list.pl and list.pl?patron_list_id=xx
xx is patronlist id
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Test
1. Hit the page /cgi-bin/koha/acqui/parcels.pl?booksellerid=xx
xx is booksellerid
2. Add a text in the field Vendor invoice that contains java script
3. Save the page.
4. Notice js is execute
5. Apply patch and reload the js is escaped
Fixed XSS for parcels.pl/parcel.pl/orderreceive.pl
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
To Test
1. Hit the page /cgi-bin/koha/acqui/basketheader.pl?booksellerid=1&op=add_form
2. Add a text in the field Basket name, Internal note, Vendor note that contains java script
3. Save the page
4. Notice js is execute
5. Apply patch, reload, js is escaped.
Fixed XSS on pages basket.pl/basketheader.pl/bookseller.pl
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
To Test
1. Hit the page /cgi-bin/koha/admin/branches.pl?op=add_form_category
2. Add a text in the field Name and description that contains js.
3. Save the page.
4. Notice js is execute
5. Apply patch and reload, the js is escaped
Fixed for js escaped execute for both pages
1. /cgi-bin/koha/admin/branches.pl?op=delete_confirm&branchcode=xx
xx is branchcode
2. /cgi-bin/koha/admin/branches.pl?op=add_form with Group(s):
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
1. Hit /cgi-bin/koha/members/memberentry.pl?op=add&guarantorid=xx<script>alert('amit')</script>
xx - is a guarantorid
2. Notice the java script is executed.
3. Apply patch.
4. Reload page, and hit the page again /cgi-bin/koha/members/memberentry.pl?op=add&guarantorid=xx<script>alert('amit')</script>
xx - is a guarantorid.
5. Notice it is no longer executed.
NOTE: I had to test in Microsoft Edge, because Chrome was blocking XSS for me.
Signed-off-by: Mark Tompsett <mtompset@hotmail.com>
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
To Test
1. Hit the page /cgi-bin/koha/tools/holidays.pl
2. Select the date
3. Add a text in the field Title and Description that contains js
4. Save the page.
5. Notice js is execute
6. Apply patch and reload, the js is escaped
Fixed for all holidays
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
1. Hit /cgi-bin/koha/acqui/basket.pl?basketno=xx<script>alert('amit')</script>
xx - is a basketno
2. Notice the java script is executed.
3. Apply patch.
4. Reload page, and hit the page again /cgi-bin/koha/acqui/basket.pl?basketno==xx<script>alert('amit')</script>
xx - is a basketno.
5. Notice it is no longer executed.
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
1. Hit /cgi-bin/koha/admin/currency.pl
2. Enter <IFRAME SRC="javascript:alert('XSS');"></IFRAME> search currencies box.
3. Notice the iframe is executed
4. Apply patch
5. Reload page, and enter iframe again on search currencies box.
6. Notice it is no longer executed
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
Fixes the issue, follows common practice on the codebase.
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
1. Hit /cgi-bin/koha/admin/z3950servers.pl
2. Enter <IFRAME SRC="javascript:alert('XSS');"></IFRAME> search Z39.50/SRU servers box.
3. Notice the iframe is executed.
4. Apply patch.
5. Reload page, and enter iframe again on search Z39.50/SRU servers box.
6. Notice it is no longer executed.
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
1. Hit /cgi-bin/koha/admin/cities.pl
2. Enter <IFRAME SRC="javascript:alert('XSS');"></IFRAME> search cities box.
3. Notice the iframe is executed.
4. Apply patch.
5. Reload page, and enter iframe again on search cities box.
6. Notice it is no longer executed.
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
1. Hit /cgi-bin/koha/admin/categories.pl
2. Enter <IFRAME SRC="javascript:alert('XSS');"></IFRAME> search patron categories box.
3. Notice the iframe is executed.
4. Apply patch.
5. Reload page, and enter iframe again on search patron categories box.
6. Notice it is no longer executed.
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
1. Hit /cgi-bin/koha/labels/spinelabel-home.pl
2. Enter <IFRAME SRC="javascript:alert('XSS');"></IFRAME> barcode text box.
3. Notice the iframe is executed
4. Apply patch
5. Reload page, and enter iframe again on barcode text box.
6. Notice it is no longer executed
Signed-off-by: Chris Cormack <chrisc@catalyst.net.nz>
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
1. Hit /cgi-bin/koha/tools/batchMod.pl
2. Enter <IFRAME SRC="javascript:alert('XSS');"></IFRAME> in the Barcode list (one barcode per line) text area.
3. Notice the iframe is executed.
4. Apply patch.
5. Reload page, and enter iframe again on Barcode list (one barcode per line) text area.
6. Notice it is no longer executed.
7. Fixes for both barcode and itemnumber.
Signed-off-by: Chris Cormack <chrisc@catalyst.net.nz>
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
1. Hit /cgi-bin/koha/tools/batchMod.pl?del=1
2. Enter <IFRAME SRC="javascript:alert('XSS');"></IFRAME> in the Barcode list (one barcode per line) text area.
3. Notice the iframe is executed.
4. Apply patch.
5. Reload page, and enter iframe again on Barcode list (one barcode per line) text area.
6. Notice it is no longer executed.
7. Fixes for both barcode and itemnumber.
Signed-off-by: Chris Cormack <chrisc@catalyst.net.nz>
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
1. Hit /cgi-bin/koha/tools/batch_delete_records.pl
2. Enter <IFRAME SRC="javascript:alert('XSS');"></IFRAME> in the Record number list (one per line) text area.
3. Notice the iframe is executed.
4. Apply patch.
5. Reload page, and enter iframe again on Record number list (one per line) text area.
6. Notice it is no longer executed.
7. Fixes for both biblio and authority records.
Signed-off-by: Chris Cormack <chrisc@catalyst.net.nz>
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
