This patch has been generated with the script provided on bug 21576.
It only affects variables used in the href attribute of a link *when*
href is the first attribute of the node (grep "a href")
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
Here we go, next step then.
As we did not fix the performance issue when autofiltering
the variables (see bug 20975), the only solution we have is to add the
filters explicitly.
This patch has been autogenerated (using add_html_filters.pl, see next
patches) and adds the html filter to all the variables displayed in the
template.
Exceptions are made (using the new 'raw' TT filter) to the variables we
already listed in the previous versions of this patch.
To test:
- Use t/db_dependent/Koha/Patrons.t to populate your DB with autogenerated
data which contain <script> tags
- Remove them from borrower_debarments.comments (they are allowed here)
update borrower_debarments set comment="html tags possible here";
- From the interface hit page and try to catch alert box.
If you find one it means you found a possible XSS.
To know where it comes from:
* note the exact URL where you found it
* note the alert box content
* Dump your DB and search for the string in the dump to identify its
location (for instance table.field)
Next:
* Ideally we would like to use the raw filter when it is not necessary
to HTML escape the variables (in big loop for instance)
* Provide a QA script to catch missing filters (we want html, uri, url
or raw, certainly others that I am forgetting now)
* Replace the html filters with uri when needed (!)
Signed-off-by: Owen Leonard <oleonard@myacpl.org>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
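Added illustration, not part of the commit log and not Koha's own QA script: a minimal checker for the "catch missing filters" item in the message above. It flags Template Toolkit output directives that carry none of the html, uri, url or raw filters, and variables inside an `<a href="...">` (href as first attribute) that use html where uri may be needed. The `$raw` spelling, the keyword list and the sample template are assumptions made for this example.

```python
import re

# Filters the commit message lists as acceptable on a displayed variable.
ACCEPTED = {"html", "uri", "url", "raw"}
# Directives starting with these words are control flow, not variable output.
KEYWORDS = {"IF", "ELSIF", "ELSE", "UNLESS", "END", "FOREACH", "FOR", "WHILE",
            "SET", "USE", "INCLUDE", "PROCESS", "BLOCK", "SWITCH", "CASE",
            "WRAPPER", "FILTER", "MACRO", "CALL", "DEFAULT", "INSERT"}

DIRECTIVE = re.compile(r"\[%-?\s*(.*?)\s*-?%\]", re.S)
ASSIGN = re.compile(r"^[\w.]+\s*=(?!=)")
# A single '|' introduces a filter; '||' is the logical-or operator.
PIPE = re.compile(r"(?<!\|)\|(?!\|)\s*\$?(\w+)")
# Same scope as the first commit: href is the first attribute of the link.
HREF_FIRST = re.compile(r'<a href="([^"]*)"')

# Constructed sample template, not taken from article-requests.tt.
SAMPLE = """\
[% USE Koha %]
[% SET count = requests.size %]
<h1>[% title %]</h1>
[% FOREACH r IN requests %]
<a href="/cgi-bin/koha/members/moremember.pl?borrowernumber=[% r.borrowernumber | html %]">[% r.surname | html %]</a>
<a href="/cgi-bin/koha/catalogue/detail.pl?biblionumber=[% r.biblionumber | uri %]">[% r.title | html %]</a>
<td>[% r.notes_markup | $raw %]</td>
[% END %]
"""

def find_issues(template):
    """Return (line, directive, problem) for each suspicious output directive."""
    href_spans = [m.span(1) for m in HREF_FIRST.finditer(template)]
    issues = []
    for m in DIRECTIVE.finditer(template):
        body = m.group(1)
        words = body.split()
        if (not words or body.startswith("#") or words[0] in KEYWORDS
                or ASSIGN.match(body)):
            continue  # comment, control directive or assignment
        filters = set(PIPE.findall(body))
        line = template.count("\n", 0, m.start()) + 1
        in_href = any(s <= m.start() < e for s, e in href_spans)
        if not filters & ACCEPTED:
            issues.append((line, body, "missing filter"))
        elif in_href and "html" in filters and not filters & {"uri", "url"}:
            issues.append((line, body, "html filter inside href"))
    return issues

if __name__ == "__main__":
    for line, body, problem in find_issues(SAMPLE):
        print(f"line {line}: [% {body} %]: {problem}")
```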
This only pertains to the second (Processing) tab.
Test plan:
[1] Have one entry in Pending and zero in Processing.
[2] Click on Processing tab.
[3] Without this patch, you would see Select all/Clear all.
With this patch, you won't.
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
The repeated prompts for cancelling multiple selected items are
confusing.
The wording is slightly adjusted. The reason is asked only once per
group of selected items.
Test plan:
Create three requests.
Select two requests and cancel (from top menu) for reason A.
Cancel third request (from item menu) for reason B.
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
This patch makes a couple of minor interface changes and updates the way
checkbox change events are handled:
- jQueryUI tabs initialization sets a variable for "active table" which
can be re-used by functions which affect only the visible table.
- The batch "Actions" menu is shown or hidden based on whether there
are checked items.
- The item selection tools are shown or hidden based on whether there
are rows in the table.
To test, apply the patch and test various article request actions:
- Single "process," "complete," and "cancel" operations.
- Select all/ clear all operations on both tabs.
- Batch operations with checked requests.
- Process all pending requests to confirm the selection controls for
that table are hidden.
- Complete all processing requests to confirm the selection controls
for that table are hidden.
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
Adds a column with a checkbox. Adds buttons under the table for Select,
Clear and Actions menu.
An additional javascript function HandleMulti is placed between the form
and the functions handling individual requests.
Note: The Actions menu below does not contain Print slip. This does not
work in its current form. This could be handled on a separate report.
Test plan:
[1] Enable Article Requests. Add a few requests.
[2] Test the Select all / Clear all functionality on the form.
[3] Verify that the menu options Process, Complete and Cancel work as
expected both from the individual Actions menu as from the shared
Actions menu for selected requests.
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Patch applies and functions as described.
Signed-off-by: Dilan Johnpullé <dilan@calyx.net.au>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
This patch updates two single-column circulation templates to
use the Bootstrap grid.
- circulation-home.tt - Circulation home page. This patch corrects what
appears to have been a long-broken three-column layout.
- article-requests.tt - Article requests list. Turn on the
ArticleRequests system preference if necessary. Go to Circulation ->
Article requests.
Each of these pages should look correct, with a single centered column
with wide margins on either side. At lower browser widths the margins
should disappear.
Signed-off-by: Claire Gravely <claire.gravely@bsz-bw.de>
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
From where patrons it's about patrons, we do not want to display the libraries
from all the system, but only the ones from the group.
Test plan:
- See the overdues (circ/overdue.pl) and make sure you can only see overdues from
patrons part of your group (do not forget to test the CSV export).
- Search for patrons, the 'library' filters (headers and left side) should only
display libraries from your group
- Search for article request by patron's library: only the libraries from your
group should be displayed
Signed-off-by: Jon McGowan <jon.mcgowan@ptfs-europe.com>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
This patch modifies some staff client circulation templates so that
JavaScript is included in the footer instead of the header.
To test, apply the patch and test the JavaScript-driven features of the
modified templates: All button controls, DataTables functionality, tabs,
etc.
- Article requests (enable ArticleRequests system preference, have at
least one outstanding article request)
- Request article (Bibliographic detail page -> Request article).
- Item circulation statistics (Bibliographic detail page -> Items ->
View item's checkout history).
- On-site checkouts (enable OnSiteCheckouts system preference; Check out
some items as on-site checkouts; Go to Circulation ->
Pending on-site checkouts)
- Overdues report (Circulation -> Overdues).
- Holds to pull (Circulation -> Holds to pull).
- Renew
- Holds ratios (Circulation -> Holds ratios).
- Check in
- Transfers to receive (Circulation -> Transfers to receive).
- Holds queue (Circulation -> Holds queue).
- Holds awaiting pickup (Circulation -> Holds awaiting pickup).
Signed-off-by: Simon Pouchol <simon.pouchol@biblibre.com>
Signed-off-by: Josef Moravec <josef.moravec@gmail.com>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Signed-off-by: Owen Leonard <oleonard@myacpl.org>
Signed-off-by: Jonathan Druart <jonathan.druart@biblibre.com>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Confirm that I have not missed any places where there is 'loading-small.gif'
Have amended patch to not include OPAC changes from previous patch.
Sponsored-by: Catalyst IT
Signed-off-by: Owen Leonard <oleonard@myacpl.org>
Signed-off-by: Jonathan Druart <jonathan.druart@biblibre.com>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
- Fixes typo "Recieve" in the sample notices
- Adds new notices to it-IT installer
- Turns off feature for existing installations, leaves it
on for new installations
- Fixes typo "cancelation"
- Fixes ids in <body> of new pages
- Adds/fixes classes in th elements of tables
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Signed-off-by: Jennifer Schmidt <jschmidt@switchinc.org>
Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>