This patch upgrades TinyMCE in the staff interface from 5.0.16 to 5.9.2.
Other than the required TinyMCE package files, the only other change is
to the internationalization include file, which is updated to include
the latest set of strings for translation.
To test, apply the patch and clear your browser cache if necessary.
Test that the TinyMCE editor works in the staff interface:
- In system preferences, with the UseWYSIWYGinSystemPreferences
preference enabled: IntranetCirculationHomeHTML,
IntranetmainUserblock, IntranetReportsHomeHTML, etc.
- Additional contents, with the AdditionalContentsEditor preference
set to "WYSIWYG."
- Administration -> Libraries, in the "OPAC info" field.
Signed-off-by: David Nind <david@davidnind.com>
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
If you look at Bug 24764 and Bug 26942 we adjusted the TinyMCE for the News tool so it will not do some types of automatic code clean up.
The TinyMCE editor for system preferences which can be enabled by 'UseWYSIWYGinSystemPreferences' has the same problems.
We should make the configurations the same.
To Test:
1. Turn on 'UseWYSIWYGinSystemPreferences'
2. Go to a system preference like 'RestrictedPageContent'
3. Try entering something like '<i class="fa fa-facebook-official" aria-hidden="true">TEST</i>' in the Source Code window
4. It gets cleaned up by the editor
5. Try something like '<a href="https://www.test.com" referrerpolicy=""no-referrer-when-downgrade">TEST</a>'
6. It's cleaned up by the editor.
7. Try something like '<link href="https://fonts.googleapis.com/css?family=Open+Sans” rel=“stylesheet">'
8. Cleaned up by editor.
9. Apply patch
10. Try step 3, 5, and 7 again.
11. It should not be changed by the editor
Signed-off-by: Barbara Johnson <barbara.johnson@bedfordtx.gov>
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
To test:
1 create a report 1 if it doesn't exist
2 open /cgi-bin/koha/tools/koha-news.pl
3 create a news
4 add a HTML link with Insert/Edit link tinyMCE dialog box to
/cgi-bin/koha/reports/guided_reports.pl?reports=1&phase=Run%20this%20report "report 1"
5 save
6 on the main page "report 1" link returns a 404 error
Apply patch
7 Modify news' URL
8 Test it works in: tools/koha-new.pl admin/branches.pl and admin/preferences.pl
Signed-off-by: Lucas Gass <lucas@bywatersolutions.com>
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
This patch adds HTML comments to Template::Toolkit include files which
contain <script> tags so that it is clear where the embedded scripts can
be found in the code.
To test, apply the patch and view source on the following pages to
verify the presence of the comments:
Acquisitions home page:
- acquisitions-toolbar.inc
- validtor-strings.inc
- js_includes.inc
- format-price.inc
Acquisitions -> Add order from new record,
Acquisitions -> Receive order:
- additem.js.inc
Cataloging -> Add/Edit item:
- columns_settings.inc
- strings.inc
- select2.inc
- calendar.inc
- str/cataloging_additem.inc
Authorities home page:
- authorities_js.inc
Bibliographic detail page:
- catalog-strings.inc
Cataloging -> Advanced editor:
- cateditor-ui.inc
- cateditor-widgets-marc21.inc
Administration -> Item types:
- greybox.inc
ILL requests:
- ill-list-table-strings.inc
Web installer
- installer-intranet-bottom.inc
Web installer -> Onboarding
- installer-strings.inc
Lists -> List contents -> Merge records
- merge-record-strings.inc
Patrons -> Patron -> Change password
- password_check.inc
- str/members-menu.inc
Patrons -> Patron -> Print summary
- slip-print.inc
Circulation -> Check out
- timepicker.inc
Administration -> System preferences:
- str/tinymce_i18n.inc
- wysiwyg-systempreferences.inc
Cataloging -> Z39.50 Search:
- z3950_search.inc
Signed-off-by: Frédéric Demians <f.demians@tamil.fr>
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
This patch updates the TinyMCE editor to the latest version (5.0.16) and
adds a translatable include file which will allow the TinyMCE interface
to show the same translation as Koha.
The configuration of the editor has been updated according to the new
version's requirements, keeping all the tools available we had before
and adding emoji support.
To test, apply the patch and enable the UseWYSIWYGinSystemPreferences
system preference.
TESTING THE UPGRADED EDITOR
- Go to Administration -> System preferences -> OPAC.
- Multiple instances of the TinyMCE editor should appear on the page:
opaccredits, OpacCustomSearch, OpacLoginInstructions, etc.
- Test adding and editing content to one or more of these editors.
Confirm that the various editor tools work correctly.
- Verify that changing the contents of any editor (including via paste)
enables the corresponding "Save all X preferences" button.
- Test the news editor under Tools -> News.
- Test the library "OPAC info" editor in libraries administration:
Administration -> Libraries -> Edit library -> OPAC info.
TESTING TRANSLATABILITY
- Update a translation:
> cd misc/translator
> perl translate update fr-FR
- Open the corresponding .po file for the staff client, e.g.
misc/translator/po/fr-FR-staff-prog.po
- Locate strings pulled from includes/str/tinymce_i18n.inc for
translation, e.g.:
#. SCRIPT
#: intranet-tmpl/prog/en/includes/str/tinymce_i18n.inc:1
#, fuzzy
msgid "File"
msgstr "Fichier :"
- Edit the "msgstr" string however you want (it's just for testing) and
remove the "fuzzy" line.
- Install the updated translation:
> perl translate install fr-FR
- Go to Administration -> System preferences -> OPAC.
- In each instance of the TinyMCE editor, the first menu item should
have as its label the translation "msgstr" string you edited.
- Check that the "About" page shows updated information about
the TinyMCE version, 5.0.16.
Signed-off-by: Michal Denar <black23@gmail.com>
Signed-off-by: Josef Moravec <josef.moravec@gmail.com>
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Here we go, next step then.
As we did not fix the performance issue when autofiltering
the variables (see bug 20975), the only solution we have is to add the
filters explicitely.
This patch has been autogenerated (using add_html_filters.pl, see next
pathces) and add the html filter to all the variables displayed in the
template.
Exceptions are made (using the new 'raw' TT filter) to the variable we
already listed in the previous versions of this patch.
To test:
- Use t/db_dependent/Koha/Patrons.t to populate your DB with autogenerated
data which contain <script> tags
- Remove them from borrower_debarments.comments (there are allowed here)
update borrower_debarments set comment="html tags possible here";
- From the interface hit page and try to catch alert box.
If you find one it means you find a possible XSS.
To know where it comes from:
* note the exact URL where you found it
* note the alert box content
* Dump your DB and search for the string in the dump to identify its
location (for instance table.field)
Next:
* Ideally we would like to use the raw filter when it is not necessary
to HTML escape the variables (in big loop for instance)
* Provide a QA script to catch missing filters (we want html, uri, url
or raw, certainly others that I am forgetting now)
* Replace the html filters with uri when needed (!)
Signed-off-by: Owen Leonard <oleonard@myacpl.org>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
When using the WYSIWYG editor for system preferences, the editor only
updates the textarea element if the content is different from the
original content. This means if you change a system preference and
then change it back to the original content, the textarea will have
the 2nd last change you made.
This patch removes the TinyMCE.isDirty() check, which was responsible
for comparing the original and changed content. Every input/keydown/dragend
or TinyMCE command will cause the textarea element to be updated and
trigger the input event which causes the "modified" class to be added
to the element, so that the system preference can be saved.
__TEST PLAN__
_Before applying_
0. Change "UseWYSIWYGinSystemPreferences" to "Show"
1. Change "opaccredits" to "123a"
2. Click "Save all OPAC preferences"
3. Reload the page
4. Change "opaccredits" to "123"
5. Change "opaccredits" to "123a"
6. Click "Save all OPAC preferences"
7. Reload the page
8. Note that "opaccredits" says "123"
_Apply the patch_
_After applying_
1. Change "opaccredits" to "123a"
2. Change "opaccredits" to "123"
3. Click "Save all OPAC preferences"
4. Reload the page
5. Note that "opaccredits" says "123" (and not "123a")
6. Change "opaccredits" to "1234"
7. Click "Save all OPAC preferences"
8. Reload the page
9. Note that "opaccredits" says "1234"
Signed-off-by: Owen Leonard <oleonard@myacpl.org>
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
Having to write [% KOHA_VERSION %] for each url is bad because:
- It's easily forgettable when adding new <script> or <link>
- It prevents grep'ing for the full filename
- It violates the DRY principle
- If at some point we want to change the "force js and css reload"
mechanism, it will be tedious
This patch:
- adds a Template::Toolkit plugin that generates <script> and
<link> tags for JS and CSS files, and inserts automatically the Koha
version in the filename
- use the new plugin to remove all occurences of [% KOHA_VERSION %]
- remove the code that was adding KOHA_VERSION as a template variable
Test plan:
1. Apply patch
2. Go to several different pages in Koha (opac and intranet) while
checking your browser's dev tools (there should be no 404 for JS and
CSS files, and the Koha version should appear in filenames) and the
server logs (there should be no "File not found")
3. `git grep KOHA_VERSION` should return nothing
4. prove t/db_dependent/Koha/Template/Plugin/Asset.t
Signed-off-by: Josef Moravec <josef.moravec@gmail.com>
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Changes made by bug 12904 appear to have affected TinyMCE.
Test plan:
1) Edit a library, note the OPAC info editor is missing
2) Apply this patch
3) Reload the page
4) The editor is back!
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
The staff client CSS is not language-specific, so it can be moved out of
the en/ directory and thus not be duplicated for every translation.
In order to be able to have a generic path to the YUI CSS files, the YUI
directory is moved by this patch to the staff client's lib/ directory.
To test, apply the patch and visit various pages in the staff client.
Look in particular at pages which include more than the standard CSS.
For example:
- The staff client login page.
- The staff client home page.
- Patron -> Set permissions.
- The advanced cataloging editor.
- Acquisitions -> Vendor -> Basket groups.
- Tools -> News -> Edit news.
- Administration -> System preferences.
Revised: I intended for this to be built on top of Bug 15883. Now it is.
Signed-off-by: Bernardo Gonzalez Kriegel <bgkriegel@gmail.com>
On top of 15883
Works as described, all pages on test plan
No Errors
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
This patch adds the ability to use a WYSIWYG editor for system preferences.
The key files that I touch are:
1) admin/systempreferences.pl
2) koha-tmpl/intranet-tmpl/prog/en/modules/admin/preferences.tt
3) koha-tmpl/intranet-tmpl/prog/en/modules/admin/systempreferences.tt
I also add:
4) koha-tmpl/intranet-tmpl/prog/en/includes/wysiwyg-systempreferences.inc
and
5) koha-tmpl/intranet-tmpl/lib/tiny_mce/plugins/advimage
This plugin is part of the TinyMCE distribution. It used to be in Koha, but
then someone removed it. It's useful for preferences like "opacheader" though.
*If you're using anything except IE, this should work super well. If
you're using IE, it'll probably only work for keyboard input and dragging
text within the editor box but not from outside of it. IE has worse
security, so you can probably paste using the context menu paste.
*While I think a WYSIWYG editor can be useful, there might be times
where the content is displayed differently than it is in the editor
because of higher level CSS and Javascript.
Signed-off-by: Martin Persson <xarragon@gmail.com>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
