Here we go, next step then.
As we did not fix the performance issue when autofiltering
the variables (see bug 20975), the only solution we have is to add the
filters explicitely.
This patch has been autogenerated (using add_html_filters.pl, see next
pathces) and add the html filter to all the variables displayed in the
template.
Exceptions are made (using the new 'raw' TT filter) to the variable we
already listed in the previous versions of this patch.
To test:
- Use t/db_dependent/Koha/Patrons.t to populate your DB with autogenerated
data which contain <script> tags
- Remove them from borrower_debarments.comments (there are allowed here)
update borrower_debarments set comment="html tags possible here";
- From the interface hit page and try to catch alert box.
If you find one it means you find a possible XSS.
To know where it comes from:
* note the exact URL where you found it
* note the alert box content
* Dump your DB and search for the string in the dump to identify its
location (for instance table.field)
Next:
* Ideally we would like to use the raw filter when it is not necessary
to HTML escape the variables (in big loop for instance)
* Provide a QA script to catch missing filters (we want html, uri, url
or raw, certainly others that I am forgetting now)
* Replace the html filters with uri when needed (!)
Signed-off-by: Owen Leonard <oleonard@myacpl.org>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
Having to write [% KOHA_VERSION %] for each url is bad because:
- It's easily forgettable when adding new <script> or <link>
- It prevents grep'ing for the full filename
- It violates the DRY principle
- If at some point we want to change the "force js and css reload"
mechanism, it will be tedious
This patch:
- adds a Template::Toolkit plugin that generates <script> and
<link> tags for JS and CSS files, and inserts automatically the Koha
version in the filename
- use the new plugin to remove all occurences of [% KOHA_VERSION %]
- remove the code that was adding KOHA_VERSION as a template variable
Test plan:
1. Apply patch
2. Go to several different pages in Koha (opac and intranet) while
checking your browser's dev tools (there should be no 404 for JS and
CSS files, and the Koha version should appear in filenames) and the
server logs (there should be no "File not found")
3. `git grep KOHA_VERSION` should return nothing
4. prove t/db_dependent/Koha/Template/Plugin/Asset.t
Signed-off-by: Josef Moravec <josef.moravec@gmail.com>
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
This patch modifies the staff client's rotating collections templates so
that JavaScript is included in the footer instead of the header.
The patch moves JavaScript from each template and the rotating
collections toolbar into a single external JavaScript file.
To test, apply the patch and test the JavaScript-driven features of
each page: All button controls, DataTables functionality, form
validation, etc.
Signed-off-by: Claire Gravely <claire.gravely@bsz-bw.de>
Signed-off-by: Josef Moravec <josef.moravec@gmail.com>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Signed-off-by: Owen Leonard <oleonard@myacpl.org>
Signed-off-by: Jonathan Druart <jonathan.druart@biblibre.com>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
The staff client CSS is not language-specific, so it can be moved out of
the en/ directory and thus not be duplicated for every translation.
In order to be able to have a generic path to the YUI CSS files, the YUI
directory is moved by this patch to the staff client's lib/ directory.
To test, apply the patch and visit various pages in the staff client.
Look in particular at pages which include more than the standard CSS.
For example:
- The staff client login page.
- The staff client home page.
- Patron -> Set permissions.
- The advanced cataloging editor.
- Acquisitions -> Vendor -> Basket groups.
- Tools -> News -> Edit news.
- Administration -> System preferences.
Revised: I intended for this to be built on top of Bug 15883. Now it is.
Signed-off-by: Bernardo Gonzalez Kriegel <bgkriegel@gmail.com>
On top of 15883
Works as described, all pages on test plan
No Errors
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
To test:
1) Go to Tools -> Rotating Collections
2) Confirm actions (Add or remove items, Transfer, Edit, Delete) have moved into a drop down menu
3) Confirm all of the actions work as expected
Sponsored-by: Catalyst IT
Signed-off-by: Marc Véron <veron@veron.ch>
Signed-off-by: Josef Moravec <josef.moravec@gmail.com>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Signed-off-by: Brendan Gallagher brendan@bywatersolutions.com
The previous patch for adding a confirmation dialog didn't work to make
the confirmation message translatable. This alternate patch uses a
progressive-enhancement method recycled from Guided Reports to trigger a
warning and highlight the row which was clicked.
To test, apply the patch and try to delete an existing rotating
collection. You should get a confirmation dialog, and the corresponding
row in the table should be highlighted red.
Clicking cancel should cancel the deletion. Clicking OK should complete
the deletion.
To test the translatability of the confirmation message:
Run perl translate update [a language code, e.g. 'en-GB']
Search [lang]-i-staff-t-prog-v-3006000.po for the message string
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
This follow-up makes drastic changes to the templates in order to bring
them into compliance with established patterns and markup guidelines.
Only minor changes are made to perl scripts.
Changes:
- Add a toolbar include for displaying new, edit, transfer, and delete
buttons.
- Improve title and breadcrumbs with collection titles and better
specificity.
- Correct page structure which was inconsistent with the markup of
similarly-structured pages.
- Correct styling of error and informational messages.
- Added detailed error messages for a couple of conditions which were
not defined in the template.
- Add link to the detail page of titles which are in a collection using
the view defined in the IntranetBiblioDefaultView preference.
- Add a link to remove an item from a collection directly without having
to scan the barcode.
- Add client-side validation to collection creation form.
- In RotatingCollections.pm, add biblionumber to the list of columns
returned by GetItemsInCollection.
- In rotating_collections/*.pl, remove obsolete declaration of system
preference variables.
To test, perform all the operations associated with Rotating
Collections:
- Add a new collection
- Edit an existing collection
- Add items to a collection
- Remove items from a collection (via barcode and link)
- Test the behavior of all new toolbar buttons
- Verify that titles and breadcrumbs look correct and links work
correctly.
Signed-off-by: Brendan Gallagher <brendan@bywatersolutions.com>
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
This is the last one - adding the classes and ids to the report module and
some template files for smaller moduls/functions.
Signed-off-by: Owen Leonard <oleonard@myacpl.org>
Signed-off-by: Paul Poulain <paul.poulain@biblibre.com>
