Here we go, next step then.
As we did not fix the performance issue when autofiltering
the variables (see bug 20975), the only solution we have is to add the
filters explicitly.
This patch has been autogenerated (using add_html_filters.pl, see next
patches) and adds the html filter to all the variables displayed in the
template.
Exceptions are made (using the new 'raw' TT filter) for the variables we
already listed in the previous versions of this patch.
To test:
- Use t/db_dependent/Koha/Patrons.t to populate your DB with autogenerated
data which contain <script> tags
- Remove them from borrower_debarments.comments (they are allowed here):
update borrower_debarments set comment="html tags possible here";
- From the interface, hit pages and try to catch an alert box.
If you find one, it means you have found a possible XSS.
To know where it comes from:
* note the exact URL where you found it
* note the alert box content
* Dump your DB and search for the string in the dump to identify its
location (for instance table.field)
Next:
* Ideally we would like to use the raw filter when it is not necessary
to HTML escape the variables (in big loops, for instance)
* Provide a QA script to catch missing filters (we want html, uri, url
or raw, certainly others that I am forgetting now)
* Replace the html filters with uri when needed (!)
Signed-off-by: Owen Leonard <oleonard@myacpl.org>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
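As an added illustration of the two filters this commit message talks about (not code from the Koha patch itself): the script below renders a constructed patron value carrying a <script> tag through Template Toolkit's stock `html` filter, through no filter at all, and through a pass-through `raw` filter that stands in for the Koha-specific one (TT has no built-in `raw`, so the one defined here is an assumption). It then runs a naive scan, in the spirit of the "QA script to catch missing filters" item, over a constructed template fragment and reports directives that use a variable without html, uri, url or raw. The sample data, the template fragment and the `missing_filters` helper are all constructed for this example.

```perl
#!/usr/bin/perl
# Added example, not part of the Koha patch: shows what the 'html' filter
# does to a value containing a <script> tag, what a pass-through 'raw'
# filter leaves alone, and a naive scan for unfiltered template variables.
use strict;
use warnings;
use Template;

# 'raw' is not a stock Template Toolkit filter; this pass-through stands in
# for the Koha-specific one mentioned in the commit message (assumption).
my $tt = Template->new( { FILTERS => { raw => sub { return $_[0] } } } )
    or die Template->error();

# Constructed sample data, mimicking what t/db_dependent/Koha/Patrons.t
# would populate: a surname carrying a script tag and a debarment comment
# in which HTML is allowed.
my $vars = {
    surname => '<script>alert("xss")</script>',
    comment => '<b>html tags possible here</b>',
};

# Render a one-line template against the sample data and return the output.
sub render {
    my ($template) = @_;
    my $out = '';
    $tt->process( \$template, $vars, \$out ) or die $tt->error();
    return $out;
}

print render('[% surname | html %]'), "\n";
#   &lt;script&gt;alert(&quot;xss&quot;)&lt;/script&gt;  (inert in the browser)
print render('[% surname %]'), "\n";
#   <script>alert("xss")</script>                     (unfiltered: executes)
print render('[% comment | raw %]'), "\n";
#   <b>html tags possible here</b>                    (raw: intentionally kept)

# Naive check in the spirit of the "QA script" item: report [% ... %]
# directives that output a variable without one of the accepted filters.
# Keyword directives (IF, END, FOREACH, ...) and comments are skipped.
sub missing_filters {
    my ($template_text) = @_;
    my @hits;
    while ( $template_text =~ /\[%-?\s*(.*?)\s*-?%\]/gs ) {
        my $directive = $1;
        next if $directive =~ /^(?:IF|ELSIF|ELSE|END|FOREACH|UNLESS|WHILE|SET|INCLUDE|PROCESS|USE|BLOCK|SWITCH|CASE|#)\b/;
        next if $directive =~ /\|\s*(?:html|uri|url|raw)\b/;
        push @hits, $directive;
    }
    return @hits;
}

# Constructed template fragment: one variable is left without a filter.
my $sample_template = <<'TT';
[% IF patron %]
  <td>[% patron.surname | html %]</td>
  <td>[% patron.address %]</td>
  <a href="/cgi-bin/koha/members/moremember.pl?borrowernumber=[% patron.borrowernumber | uri %]">
  [% debarment.comment | raw %]
[% END %]
TT

print "Missing filter: $_\n" for missing_filters($sample_template);
#   Missing filter: patron.address
```

The scan is deliberately simple (it does not follow INCLUDEs or understand filter chains such as `| $Price | html`); its purpose is to show the shape of the check, not to replace a proper parser.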
To test:
1) Go to Admin -> search for a system preference
2) Notice your search stays in the search box (this is inconsistent with
search behaviour across Koha)
3) Apply patch and refresh page
4) Make another search
5) Confirm search still works as expected and search terms have been
cleared from search box
6) Confirm search terms show at the top of the results
Sponsored-by: Catalyst IT
Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
To test:
1 - Apply patch and update database
2 - Check that Search the Catalog links throughout the staff interface
have not changed
3 - Set "IntranetCatalogSearchPulldown" to 'Show'
4 - Verify that 'Search the catalog' links throughout the staff client now have
a dropdown to select the search index
I think viewing one file each that includes updated header should be
sufficient, but please check as many as you can:
cgi-bin/koha/admin/aqbudgetperiods.pl
cgi-bin/koha/admin/admin-home.pl
cgi-bin/koha/cataloguing/addbooks.pl
cgi-bin/koha/circ/returns.pl
cgi-bin/koha/circ/circulation-home.pl
cgi-bin/koha/admin/cities.pl
cgi-bin/koha/admin/aqcontract.pl
cgi-bin/koha/admin/currency.pl
cgi-bin/koha/mainpage.pl
cgi-bin/koha/tools/letter.pl
cgi-bin/koha/members/members-home.pl
cgi-bin/koha/admin/categories.pl
cgi-bin/koha/admin/preferences.pl
cgi-bin/koha/admin/printers.pl
cgi-bin/koha/serials/serials-home.pl
cgi-bin/koha/acqui/newordersuggestion.pl
cgi-bin/koha/admin/z3950servers.pl
Sponsored by:
Northeast Kansas Library System (http://nekls.org/)
Signed-off-by: Heather Braum <hbraum@nekls.org>
Signed-off-by: Barton Chittenden <barton@bywatersolutions.com>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
This patch removes the use of "onclick" from all header search forms for
the purpose of triggering the "keep_text" function. This behavior is now
handled in the globally-included JS file.
To test, apply the patch and clear your cache if necessary.
- Enter text in any header search form field. Click to each other tab
in the header and confirm that your text is copied to each.
- Test the behavior of the header search form on at least one page where
each is included:
- The staff client home page
- The advanced search page
- The authorities home page
- The administration home page
- The cataloging home page
- The checkin page
- The circulation home page
- The patrons home page
- Acquisitions -> Vendor -> Contracts
- Administration -> Cities
- Administration -> Currencies and exchange rates
- Administration -> Patron categories
- Administration -> Printers (why is this page still around?)
- Administration -> System preferences
- Administration -> Z39.50/SRU servers
- Tools -> Notices & slips
This patch does not fix the existing (unreported) bug which
prevents the keep_text function from working in the include file used on
these pages:
- Acquisitions -> Vendor -> Basket -> New order from suggestion
- Administration -> Budgets
- The serials home page
Signed-off-by: Claire Gravely <c.gravely@arts.ac.uk>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
I have only changed this in the includes for the tabs at the top.
Dependent on Bug 12051 as that patch adds extra tabs to the top which would need to be changed later
To test:
1) Apply Bug 12051 first, then this patch
2) Ensure that Check Out/Check In/Renew tabs still work as they should
3) Check patch for errors or pages I've missed
Signed-off-by: Marc Véron <veron@veron.ch>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Signed-off-by: Brendan Gallagher <brendan@bywatersolutions.com>
Revert "DBRev to make notes of the XSS patches and the new important dependency."
This reverts commit e140603a59.
Revert "Bug 13618: Specific for branches.opac_info"
This reverts commit 06e4a50f00.
Revert "Bug 13618: (follow-up) Specific for other prefs"
This reverts commit d6475a111f.
Revert "Bug 13618: Fix for debarredcomment and patron messages"
This reverts commit dd98c9df92.
Revert "Bug 13618: Do not display html tags in patron's notices"
This reverts commit a065b243fe.
Revert "Bug 13618: Do not display and html tags in item fields content"
This reverts commit baeeaffbf8.
Revert "Bug 13618: Fix for system preference description"
This reverts commit a967a09261.
Revert "Bug 13618: Remove html filters for newly pushed code"
This reverts commit 0e98662b10.
Revert "Bug 13618: (follow-up) add missing lines for opac-shelves"
This reverts commit fc2fb605e5.
Revert "Bug 13618: (follow-up) Specific for ColumnsSettings"
This reverts commit bc308fdd9c.
Revert "Bug 13618: Fix for edit biblios and items"
This reverts commit 811c4e8402.
Revert "Bug 13618: followup to remove tabs"
This reverts commit ca8e8c397c.
Revert "Bug 13618: Fix last occurrences recently introduced to master"
This reverts commit bb417b256b.
Revert "Bug 13618: Fix for news"
This reverts commit ae5b98020a.
Revert "Bug 13618: Fix escape on sending baskets or shelves by email"
This reverts commit a7731ffe25.
Revert "Bug 13618: Specific for XSLTBloc"
This reverts commit 11fa38dc29.
Revert "Bug 13618: Specific for Salutation on editing a patron"
This reverts commit 36c07ad6d3.
Revert "Bug 13618: Specific for other prefs"
This reverts commit e6ea281a3b.
Revert "Bug 13618 - memberentrygen.tt errors Not a GLOB reference"
This reverts commit 7824874557.
Revert "Bug 13618: Specific for ColumnsSettings"
This reverts commit 1834da3da3.
Revert "Bug 13618: Specific for IntranetUser* and OPACUser* prefs"
This reverts commit 21ae62b253.
Revert "Bug 13618: Fix error 'Not a GLOB reference'"
This reverts commit 602bdbab4c.
Revert "Bug 13618: Specific for the ISBD view"
This reverts commit d254362435.
Revert "Bug 13618: Specific for pagination_bar"
This reverts commit 8837a8ae68.
Revert "Bug 13618: Specific places where we don't need to escape variables - intra"
This reverts commit 00eff140b3.
Revert "Bug 13618: Remove html filters at the intranet"
This reverts commit 7db851ff03.
Revert "Bug 13618: Specific places where we don't need to escape variables"
This reverts commit 49a3738b8d.
Revert "Bug 13618: Remove html filters at the OPAC"
This reverts commit cedaa0e23e.
Revert "Bug 13618: Use Template::Stash::AutoEscaping to use the html filter"
This reverts commit 01b38d3b13.
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Signed-off-by: Brendan Gallagher <brendan@bywatersolutions.com>
This patch removes code related to stopwords usage. The following methods are removed:
C4::Search->remove_stopwords
C4::Context->stopwords
C4::Context->_new_stopwords
And the buildQuery API was changed (removed the \@removed_stopwords return value).
A follow-up is provided for database changes, to make rebasing easier.
To test:
- Apply this patch
- Do some searches in both intranet and opac interfaces
- Nothing should break
Sponsored-by: Universidad Nacional de Córdoba
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Signed-off-by: Chris Cormack <chrisc@catalyst.net.nz>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
To test:
Apply the patch and see that the text now is there in the search
box when clicking the tabs: check in, check out, etc.
(More files changed for persistent text in searchbox)
Sponsored-by: Halland County Library
Signed-off-by: Magnus Enger <magnus@enger.priv.no>
This is something I have wanted quite a few times over the years...
Tested by going to every main area of Koha, entering some random
text into the search box and then clicking on all the available tabs
to check that the entered text is carried over to all the boxes.
There are a couple of places where text is not carried over, but I
guess that might be because one of the boxes is structurally
different to the others. These are:
- "Vendor search" and "Orders search" in Acquisitions
- "Search subscriptions" in Serials
I have not looked at how this is implemented, just that it works as
it should.
Bug 14189 refactor after failed QA.
Signed-off-by: Jonathan Druart <jonathan.druart@koha-community.org>
Amended patch: replace tabs with spaces
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
This bug enables accented/diacritic system preference text to be matched
when searching for sysprefs.
Signed-off-by: wajasu <matted-34813@mypacks.net>
Signed-off-by: Paul Poulain <paul.poulain@biblibre.com>
Current jQuery-driven tabs are done using a very old
version of the tabs plugin. This patch upgrades jQueryUI
to the latest version and adds the tabs widget dependency
to the jqueryui js file and updates the syntax for existing
tabs:
- $("#foo > ul").tabs(); changes to $("#foo").tabs();
- Remove full URL from tab links (use #anchor only).
Pages with "static" tabs (tabs which are built in the
markup rather than generated by the plugin) have been
modified to use their own style. Examples: pay.tt in
the staff client and opac-readingrecord.tt in the OPAC.
Edit: Minor revision to some uncorrected markup
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Signed-off-by: Paul Poulain <paul.poulain@biblibre.com>
Omnibus of changes thus far:
adds slight transparency for news so logo shows through on mainpage..
Fixes purple header gradient in Chrome-based browsers.
remove list from returns.tt options so checkboxes do not have bullets.
fix missing gradient class on returns.tt.
reverse colors of menu div - blue for inactive, grey for active.
turns searchheader blue, rounds corners, improves spacing for sort form.
Adds padding, rounded corners, and a 1px border to the now-blue toolbar.
increase width of intranet nav div to width 40%
add a bit of padding to #searchheader
fieldset.action changes - removed background, added a little padding to make it look better in all of the uses I could find of it.
Bug 7998 - followup - make facets header background blue
bug 7998 - followup - fixing headers on search.pl to be blue, rounded.
bug 7998 - followup - consistency tweaks
match menu borders to the search header tabs (green border)
hover menus a very light grey instead of #eee.
make fieldset.brief have a consistent border with the rest of the fieldsets.
bug 7998 - followup - more tabs/borders updating to fit in new look
boraccount.pl
bug 7998 - followup - add gradient div to prefs-admin-search.inc
Bug 7998 - Change toolbar to be lighter, with barely discernible border
Will need to be applied after the other patch.
Bug 7998 - add gradient to roadtype admin panel
Bug 7998 - adds gradient to patrons-admin-search.tt
Bug 7998 - add gradient to budgets-admin-search.inc
bug 7998 - add gradient to z3950-admin-search.inc
Bug 7998 - add gradient to cities-admin-search.inc
bug 7998 - active tab on checkout table now has green border like side menu
Signed-off-by: Jared Camins-Esakov <jcamins@cpbibliography.com>