This patch modifies several templates in order to eliminate the
dependency on an image file for styling certain links which open popups
or new windows. A Font Awesome icon is used instead.
To test, apply the patch and rebuild the staff client CSS
(https://wiki.koha-community.org/wiki/Working_with_SCSS_in_the_OPAC_and_staff_client).
Cataloging:
- Create a new MARC record which has the same ISBN as a record in your
catalog.
- When you save the record it should warn you that it is a possible
duplicate. The message should contain an icon-prefixed link to the
existing record.
- Clicking the link should open details about the title in a new
window.
Circulation:
- Enable the itemBarcodeFallbackSearch system preference.
- Open a patron for checkout and enter a word in the "barcode" field
instead of a barcode.
- The page should return a list of titles to choose from. Each title
should be a link with an icon. Clicking the link should open details
about the title in a new window.
Acquisitions:
- Go to Acquisitions -> Vendor -> Basket.
- Choose "Add to basket" -> From an external source.
- Search for and select a record which exists in your catalog.
- You should be taken to a page with a "Duplicate warning" message. The
message should contain an icon-prefixed link to the existing record.
- Clicking this link should open details about the title in a new
window.
- Create a MARC file with two records: One which exists in your catalog
and one which doesn't. Stage that file for import.
- Choose "Add to basket" again and select "From a staged file."
- Select the file you staged.
- You should be taken to a page with a "Duplicate warning" message. The
message should contain an icon-prefixed link to the existing record.
- Clicking the link should open details about the title in a new
window.
Patrons:
- Create a new patron which has the same name and birthday as an
existing patron.
- When you save the record you should be shown a duplicate warning. The
link to the possible duplicate patron should be prefixed with an icon
and should open the patron's details in a popup window.
Signed-off-by: Maryse Simard <maryse.simard@inlibro.com>
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
This patch modifies several acquisitions templates to use the Bootstrap
grid instead of YUI.
This patch also removes obsolete "text/javascript" attributes from
<script> tags in the modified templates.
To test, apply the patch and view the following pages, confirming that
they look correct at various browser widths:
- Acquisitions -> Vendor -> Add to basket -> From an existing record ->
Search results.
- Order
- Acquisitions -> Vendor -> Add to basket -> From a subscription
- Acquisitions -> Vendor -> Add to basket -> From a suggestion
- Acquisitions -> Vendor -> Add to basket -> From an external source
- Search for a title which already exists in your catalog
- Select a search result which has an ISBN matching the title in your
catalog.
- Order. The duplicate warning page is the one modified.
- Acquisitions home page -> Click an "Ordered" value for a fund.
Signed-off-by: Claire Gravely <claire.gravely@bsz-bw.de>
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
Here we go, next step then.
As we did not fix the performance issue when autofiltering
the variables (see bug 20975), the only solution we have is to add the
filters explicitly.
This patch has been autogenerated (using add_html_filters.pl, see next
patches) and adds the html filter to all the variables displayed in the
template.
Exceptions are made (using the new 'raw' TT filter) for the variables we
already listed in the previous versions of this patch.
To test:
- Use t/db_dependent/Koha/Patrons.t to populate your DB with autogenerated
data which contains <script> tags
- Remove them from borrower_debarments.comments (they are allowed here):
update borrower_debarments set comment="html tags possible here";
- From the interface, hit pages and try to catch an alert box.
If you find one, it means you have found a possible XSS.
To know where it comes from:
* note the exact URL where you found it
* note the alert box content
* Dump your DB and search for the string in the dump to identify its
location (for instance table.field)
Next:
* Ideally we would like to use the raw filter when it is not necessary
to HTML escape the variables (in big loops, for instance)
* Provide a QA script to catch missing filters (we want html, uri, url
or raw, certainly others that I am forgetting now)
* Replace the html filters with uri when needed (!)
Signed-off-by: Owen Leonard <oleonard@myacpl.org>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
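As an added illustration of the filtering this commit describes (not code from the commit, from add_html_filters.pl, or from Koha itself), the following Perl script renders one constructed comment string through Template Toolkit's built-in html and uri filters and through an unfiltered tag, which is the shape of the XSS the test plan hunts for. Koha's own 'raw' filter is project-specific; the pass-through raw filter registered below is a local stand-in so the template runs on a stock Template Toolkit install, and the variable name and sample value are assumptions.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Template;

# Constructed sample value, standing in for something a patron-editable
# field (e.g. a debarment comment) could have stored.
my $comment = q{<script>alert("xss")</script> & "quotes"};

my $tt = Template->new({
    # Stand-in for Koha's 'raw' filter: a static filter that returns its
    # input untouched. Only use it for values that are already trusted.
    FILTERS => { raw => sub { return $_[0] } },
}) or die Template->error;

# Inline template (constructed): the same variable rendered four ways.
# The unfiltered line is the defect the commit removes; the html line is
# what add_html_filters.pl produces; uri is for values placed in URLs.
my $template = <<'TT';
unfiltered: [% comment %]
html:       [% comment | html %]
uri:        [% comment | uri %]
raw:        [% comment | raw %]
TT

my $out = '';
$tt->process(\$template, { comment => $comment }, \$out)
    or die $tt->error;
print $out;
```

Running it shows the unfiltered and raw lines carrying the script tag through verbatim, while the html line turns `<`, `>`, `&` and `"` into entities so the browser displays the text instead of executing it; the uri line percent-encodes the same characters, which is the right filter when the value lands inside an href rather than in page text.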
This is the first patch for bug 7760 and touches all pages in acquisitions.
This adds a unique id "acq_<filename>" and a class "acq" to the body tag of
each page in acquisitions.
Signed-off-by: Owen Leonard <oleonard@myacpl.org>