This patch has been generated with the script provided on bug 21576.
It only affects variable used in the href attribute of a link *when*
href it the first attribute of the node (grep "a href")
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
Here we go, next step then.
As we did not fix the performance issue when autofiltering
the variables (see bug 20975), the only solution we have is to add the
filters explicitely.
This patch has been autogenerated (using add_html_filters.pl, see next
pathces) and add the html filter to all the variables displayed in the
template.
Exceptions are made (using the new 'raw' TT filter) to the variable we
already listed in the previous versions of this patch.
To test:
- Use t/db_dependent/Koha/Patrons.t to populate your DB with autogenerated
data which contain <script> tags
- Remove them from borrower_debarments.comments (there are allowed here)
update borrower_debarments set comment="html tags possible here";
- From the interface hit page and try to catch alert box.
If you find one it means you find a possible XSS.
To know where it comes from:
* note the exact URL where you found it
* note the alert box content
* Dump your DB and search for the string in the dump to identify its
location (for instance table.field)
Next:
* Ideally we would like to use the raw filter when it is not necessary
to HTML escape the variables (in big loop for instance)
* Provide a QA script to catch missing filters (we want html, uri, url
or raw, certainly others that I am forgetting now)
* Replace the html filters with uri when needed (!)
Signed-off-by: Owen Leonard <oleonard@myacpl.org>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
1. body tag was missing
2. make "Date" column sortable correctly
3. remove CDATA and type="text/javascript"
4. Handle server-side errors
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
3. In the JS console: "ReferenceError: $ is not defined", I did not
investigate it.
Where do you see this in the console? I cannot recreate on opac-user.pl
or on circ/checkout-notes.pl.
5. The alert id=error is displayed then hide in JS, but it's then
displayed half a second. We should hide it by default (css)
Fixed in this patch
6. I would move the "mark seen" and "mark not seen" buttons at the
top of the table
Fixed in this patch
8. Cursor on "Select all" and "Clear all" links must be adjusted
Fixed in this patch
9. $(".btn-xs").click(function(event){
The selector should be $("button.seen, button.notseen"), you
do not want to apply this function to all other btn-xs on
the page (maybe there are only two for now, but who knows
later?)
Fixed in this patch
12. Important: When a note is updated, it's still marked as
seen. Is it the expected behavior?
I don't see this behaviour. When a note is updated it is
marked as not seen.
opav/svc/checkout_notes:79: $issue->set({ notedate =>
dt_from_string(), note => $clean_note, noteseen => 0
})->store;
13. What will happen when hundred of notes will be on this
table? Not blocker but we will need a "hide seen" buttons to
filters the already seen notes.
Added in this patch
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
This patch includes some changes required on comment 57:
1. Bad resolution conflict, permission self_checkout is re-add
2. The IGNORE modifier is missing in the INSERT statement
4. When I hit /circ/checkout-notes.pl from the side bar, the page displays "Checkout notes", nothing else. We should add "There is no checkout notes".
7. I would display the table on the confirmation screen as well
10. html filters are missing
11. span element should surround translatable string, to help translators
14. patron-title.inc must be used to display patron's info
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
Fixing the comments in Comment 42
Ready to test
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
See Comment 27
This is ready to be tested.
Signed-off-by: Brendan Gallagher <brendan@bywatersolutions.com>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
Marcel, can you please have a look at this patch. I tried to implement
the change
my @notes = $schema->resultset('Issue')->search({ 'me.note' => { '!=', undef } }, { prefetch => [ 'borrower', { item => 'biblionumber' } ] });
to
my @notes = Koha::Checkouts->search({ 'me.note' => { '!=', undef } }, { prefetch => [ 'borrower', { item => 'biblionumber' } ] });
but am having problems on the template side. I can access the item and
biblio information about the issue, but not the borrower information,
even though the query is definitely pulling it correctly. Any
suggestions or ideas as to why this breaks?
This patch also adds the implementation of the circSidebar.
Signed-off-by: Brendan Gallagher <brendan@bywatersolutions.com>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
This patch adds a user permission for managing issue notes, and a 'noteseen'
column to the issues table.
To test:
1) Apply Bug 14224 first
2) Apply this patch, update database, rebuild schema.
3) Restart koha-common and memcached
4) Turn on AllowCheckoutNotes syspref if haven't already
5) Issue two items to two different users (one item each)
6) Log into the OPAC as one of the users and add an issue note to their
issue
7) Log out and log back into the OPAC as the other user
8) Disable Javascript
9) Refresh opac-user.pl
10) Leave a checkout note on their issue
11) Enable javascript and log into the Staff Client as a superlibrarian
user
12) Go to your user's account and edit their permissions to have
everything ticked EXCEPT circulate->manage checkout notes.
13) Go to main intranet page. There should be no message saying
'checkout notes pending'.
14) Go to circulation home page. There should be no link to Checkout notes.
15) Go back to user's permissions and tick circulate->manage checkout notes.
16) Go back to main intranet page. There should now be a message at the
bottom saying 'Checkout notes pending: 2'
17) Go to circulation home page. There should be a link to Checkout notes
with a 2 next to it. Click this link
18) Attempt to mark an checkout note as seen. This should update the status
of the checkout note to 'seen' and disable to 'mark as seen' button while
enabling the 'mark as not seen' button.
19) Test both buttons with both issues.
20) Test select all and clear all buttons
21) Confirm that buttons at the bottom are only enabled if a checkbox is
checked
22) Try selecting both issues and using the buttons at the bottom to
mark multiple issue notes at once.
23) Confirm the barcode link to the item works as expected.
24) Confirm the cardnumber link to the user works as expected.
25) Confirm all table details show correctly.
Sponsored-by: Catalyst IT
Signed-off-by: Josef Moravec <josef.moravec@gmail.com>
Followed test plan, works as expected
Signed-off-by: Marc Véron <veron@veron.ch>
Signed-off-by: Brendan Gallagher <brendan@bywatersolutions.com>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Amended patch: Remove self-checkout permissions
Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
