Commit graph

8 commits

Author SHA1 Message Date
Jonathan Druart
dcd1f5d48c Bug 13618: Add html filters to all the variables
Here we go, next step then.
As we did not fix the performance issue when autofiltering
the variables (see bug 20975), the only solution we have is to add the
filters explicitly.

This patch has been autogenerated (using add_html_filters.pl, see next
patches) and adds the html filter to all the variables displayed in the
template.
Exceptions are made (using the new 'raw' TT filter) to the variable we
already listed in the previous versions of this patch.

To test:
- Use t/db_dependent/Koha/Patrons.t to populate your DB with autogenerated
data which contain <script> tags

- Remove them from borrower_debarments.comments (they are allowed here)
update  borrower_debarments set comment="html tags possible here";

- From the interface hit page and try to catch alert box.
If you find one it means you find a possible XSS.
To know where it comes from:
* note the exact URL where you found it
* note the alert box content
* Dump your DB and search for the string in the dump to identify its
location (for instance table.field)

Next:
* Ideally we would like to use the raw filter when it is not necessary
to HTML escape the variables (in big loop for instance)
* Provide a QA script to catch missing filters (we want html, uri, url
or raw, certainly others that I am forgetting now)
* Replace the html filters with uri when needed (!)

Signed-off-by: Owen Leonard <oleonard@myacpl.org>

Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>

Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
2018-08-17 15:55:05 +00:00
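As an added illustration of the QA check the "Next" list above asks for (this is not Koha's add_html_filters.pl or its QA script), a constructed Python checker that flags Template Toolkit output directives lacking one of the html, uri, url or raw filters; the sample template and its variable names are constructed for the example.

```python
import re

# Terminal filters the commit message accepts: html, uri, url or raw.
ALLOWED_FILTERS = {"html", "uri", "url", "raw"}

# Template Toolkit directives that are control flow or declarations, not output.
CONTROL_KEYWORDS = {
    "IF", "UNLESS", "ELSIF", "ELSE", "END", "FOREACH", "FOR", "WHILE", "SWITCH",
    "CASE", "INCLUDE", "PROCESS", "INSERT", "USE", "SET", "DEFAULT", "BLOCK",
    "WRAPPER", "MACRO", "CALL", "FILTER", "TRY", "CATCH", "FINAL", "THROW",
    "NEXT", "LAST", "RETURN", "STOP", "CLEAR", "META", "TAGS", "PERL", "RAWPERL",
}

DIRECTIVE_RE = re.compile(r"\[%-?(.*?)-?%\]", re.S)


def unfiltered_outputs(template_text):
    """Return (line, directive) for every output directive without an allowed filter."""
    findings = []
    for m in DIRECTIVE_RE.finditer(template_text):
        body = m.group(1).strip()
        if not body or body.startswith("#"):
            continue  # empty directive or [%# comment %]
        first = re.split(r"[\s(]", body, maxsplit=1)[0]
        if first in CONTROL_KEYWORDS:
            continue  # [% IF ... %], [% END %], [% INCLUDE ... %] print nothing
        if re.match(r"^\w[\w.]*\s*=[^=]", body):
            continue  # assignment [% x = y %] prints nothing
        segments = [s.strip() for s in body.split("|")]
        last = segments[-1].split()[0] if len(segments) > 1 and segments[-1] else None
        if last in ALLOWED_FILTERS:
            continue
        line = template_text.count("\n", 0, m.start()) + 1
        findings.append((line, body))
    return findings


# Constructed sample template (not a Koha file); two directives lack a filter.
SAMPLE = """<h1>[% title | html %]</h1>
[% IF patron %]
  <p>[% patron.firstname %] [% patron.surname | html %]</p>
  [% FOREACH d IN debarments %]<li>[% d.comment | raw %]</li>[% END %]
[% END %]
[%# comment, never rendered %]
<a href="moremember.pl?borrowernumber=[% patron.borrowernumber | uri %]">[% patron.cardnumber %]</a>
"""
```

Run `unfiltered_outputs(SAMPLE)` to get the two unfiltered directives (lines 3 and 7); the raw-filtered debarment comment is accepted, matching the exception the commit message makes for borrower_debarments.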
Marc Véron
953504a076 Bug 18682 - Translatability: Get rid of [%% in translation for 2 files av-build-dropbox.inc
Two files av-build-dropbox.inc have line breaks inside template directives,
exposing internals (comments and tt code) to translations as mentioned
in initial comment.
Translators should not be confronted with such internal code.

This patch fixes it.

To test:
- Verify that code changes make sense and have no more line breaks inside
  tt directives.
- Run QA tools in newest version (checking for line breaks inside tt
  directives)
- Bonus test: Create a "language" aa-AA (perl translate create aa-AA
  from folder misc/translator, verify that lines mentioned above do
  no longer appear in aa-AA-staff-prog.po and in aa-AA-opac-bootstrap.po

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
2017-06-05 16:35:56 -03:00
7dad38e88f Bug 17847: Replace C4::Koha::GetAuthvalueDropbox with Koha::AuthorisedValues
The C4::Koha::GetAuthvalueDropbox subroutine does the same job as
Koha::AuthorisedValues->search
We should then replace the different calls to this subroutine to finally
remove it.
There were 2 calls to this subroutine:
- from the AuthorisedValues TT plugin (called from av-build-dropbox.inc
and members/housebound.tt)
- from the acqui/ajax-getauthvaluedropbox.pl ajax script

To make sure that this patchset does not introduce regressions, we will have
to test that the TT plugin and the ajax script still behave as before.

Test plan:
1/ Test acqui/ajax-getauthvaluedropbox.pl
- Link a fund to an authorised value category
- Create a new order
=> When you select a fund linked to AV category, the sort1 (and/or
sort2, depending on what you set) should be replaced with a dropdown
list populated with the authorised values
2/ Test av-build-dropbox.inc
- Create some authorised values for Bsort1
- Edit a patron
=> The sort1 should be a dropdown list populated with the Bsort1 AV
3/ Test members/housebound.tt
- Enable the housebound module (pref HouseboundModule)
- On the patron detail page, click on the "Housebound" tab
=> The frequency dropdown list should be populated with the different
HSBND_FREQ AV

Signed-off-by: Josef Moravec <josef.moravec@gmail.com>

Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>

Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
2017-03-31 10:12:37 +00:00
613c83f4e3 Bug 17300: Fix serials search
Since bug 16157, the location value is always "All" and the serial
search won't return anything.

Test plan:
Search for some serials.
Without this patch, it won't return any results
With this patch applied, the result search should be consistent

Reproduced with serial's "Advanced search" and search filter in
left hand column. Fixed by this patch.
Signed-off-by: Marc <veron@veron.ch>

Advanced search works fine again.
Signed-off-by: Andreas Roussos <arouss1980@gmail.com>

Signed-off-by: Katrin Fischer  <katrin.fischer@bsz-bw.de>

Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
2016-09-25 13:46:21 +00:00
b64e6be1c4 Bug 16157: Move the selected flag from GetAuthorisedValues to the templates
From C4::Koha::GetAuthorisedValues

    # TODO: the "selected" feature should be replaced by a utility function
    # somewhere else, it doesn't belong in here. For starters it makes
    # caching much more complicated. Or just let the UI logic handle it, it's
    # what it's for.

Indeed, it's not a job for a subroutine, the template should take care of that.
Note that a perf gain could be won with this patch \o/

Test plan:
- Edit an itemtype and check the value of the "Search category" dropdown list
- Edit a patron attribute type and check the value of the "Class" dropdown list
- Detail for a catalogue record, the Status column should be correctly
  populated if items are damaged and/or lost
- Item details for a catalogue record, the lost, damaged and withdrawn
  value should be correctly displayed
- Edit a patron, the "street type" should be correctly selected
- Create a patron attribute type linked to an authorised value list.
- Edit a patron, set a value for this attribute, edit it again. The
  correct value should be selected.
- Search for subscriptions. The 'Location' dropdown list should behave
  correctly (select the entry you have chosen before, etc.)
- Edit a subscription, the location dropdown list should select the
  correct value.
- Edit and view a suggestion with a 'reason for suggestion' set (you
  should have at least 1 OPAC_SUG AV defined)

Followed test plan, works as expected
Signed-off-by: Marc Véron <veron@veron.ch>

Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>

Signed-off-by: Brendan Gallagher <brendan@bywatersolutions.com>
2016-04-07 00:16:09 +00:00
Galen Charlton
ea543fdee0 Bug 766: (follow-up) improve usage comments in new TT include
Signed-off-by: Galen Charlton <gmc@esilibrary.com>
2014-05-04 23:11:34 +00:00
Jonathan Druart
cfcdc1c4dd Bug 766: (follow-up) fix encoding issues
This patch deals with the current master code. It should be removed when
patches for bug 11944 will be pushed.

Signed-off-by: Bernardo Gonzalez Kriegel <bgkriegel@gmail.com>
No side effects.

Signed-off-by: Katrin Fischer <Katrin.Fischer.83@web.de>
Fixes encoding problem, until this can be resolved properly.

Signed-off-by: Katrin Fischer <Katrin.Fischer.83@web.de>
Signed-off-by: Galen Charlton <gmc@esilibrary.com>
2014-05-04 23:05:24 +00:00
Jonathan Druart
e33a016a1c Bug 766: Use a TT include instead of a method in the AV plugin
Signed-off-by: Bernardo Gonzalez Kriegel <bgkriegel@gmail.com>
This gives a koha-qa error, but on another user/env not.
Really don't know

Signed-off-by: Katrin Fischer <Katrin.Fischer.83@web.de>
I see the same error, but can't see where this is coming from,
code seems to work ok.
Works as described, no regressions found.

Signed-off-by: Katrin Fischer <Katrin.Fischer.83@web.de>
Signed-off-by: Galen Charlton <gmc@esilibrary.com>
2014-05-04 23:04:35 +00:00