This patch has been generated with the script provided on bug 21576.
It only affects variables used in the href attribute of a link *when*
href is the first attribute of the node (grep "a href").
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
Here we go, next step then.
As we did not fix the performance issue when autofiltering
the variables (see bug 20975), the only solution we have is to add the
filters explicitly.
This patch has been autogenerated (using add_html_filters.pl, see next
patches) and adds the html filter to all the variables displayed in the
template.
Exceptions are made (using the new 'raw' TT filter) for the variables we
already listed in the previous versions of this patch.
To test:
- Use t/db_dependent/Koha/Patrons.t to populate your DB with autogenerated
data which contain <script> tags
- Remove them from borrower_debarments.comments (they are allowed there):
update borrower_debarments set comment="html tags possible here";
- From the interface, hit pages and try to catch an alert box.
If you find one it means you have found a possible XSS.
To know where it comes from:
* note the exact URL where you found it
* note the alert box content
* Dump your DB and search for the string in the dump to identify its
location (for instance table.field)
Next:
* Ideally we would like to use the raw filter when it is not necessary
to HTML escape the variables (in big loops, for instance)
* Provide a QA script to catch missing filters (we want html, uri, url
or raw, certainly others that I am forgetting now)
* Replace the html filters with uri where needed (!)
Signed-off-by: Owen Leonard <oleonard@myacpl.org>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
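The two points above that are still open, a QA pass that catches template variables printed without an escaping filter, and the need to use uri rather than html for values interpolated into an href, can be illustrated with the following Python script. It is an added example, not Koha's add_html_filters.pl or its QA tooling: it walks Template Toolkit directives in a constructed template, reports output directives that carry none of the html/uri/url/raw filters, and reports an html filter used inside an href attribute on the same line (the case the first patch above rewrites to uri). The apply_filter helper is my own emulation of TT's html and uri filters (html escapes & < > ", uri percent-encodes everything except RFC 3986 unreserved characters); that behaviour is assumed, not taken from the page.

```python
import html
import re
from typing import List, Tuple
from urllib.parse import quote

# Every [% ... %] directive, including the whitespace-chomping [%- ... -%] forms.
DIRECTIVE_RE = re.compile(r"\[%-?\s*(.*?)\s*-?%\]", re.DOTALL)
# A trailing escaping filter we accept: html, uri, url, raw, or Koha's $raw alias.
FILTER_RE = re.compile(r"\|\s*\$?(html|uri|url|raw)\b\s*$")
# An unclosed href="... earlier on the same line means the directive sits inside the URL.
HREF_CTX_RE = re.compile(r'href\s*=\s*"[^"]*$')
# Directives starting with one of these print nothing, so they need no filter.
BLOCK_KEYWORDS = {
    "IF", "UNLESS", "ELSIF", "ELSE", "END", "FOREACH", "WHILE", "SET", "DEFAULT",
    "INCLUDE", "PROCESS", "BLOCK", "USE", "SWITCH", "CASE", "FILTER", "WRAPPER",
    "MACRO", "TRY", "CATCH", "FINAL", "THROW", "NEXT", "LAST", "RETURN", "STOP",
    "CLEAR", "META", "GET", "CALL", "INSERT", "TAGS", "PERL", "RAWPERL", "DEBUG",
}


def apply_filter(name: str, value: str) -> str:
    """Emulate TT's html and uri filters (assumed behaviour, see lead-in).

    html: escape & < > " so the value cannot break out of text or an attribute.
    uri:  percent-encode all but RFC 3986 unreserved characters, so the value
          cannot add, split or terminate query parameters in a URL.
    """
    if name == "html":
        return html.escape(value, quote=False).replace('"', "&quot;")
    if name == "uri":
        return quote(value, safe="")
    raise ValueError(f"unsupported filter {name!r}")


def scan_template(text: str) -> List[Tuple[int, str, str]]:
    """Return (line, directive, problem) for each directive that needs attention."""
    findings = []
    for m in DIRECTIVE_RE.finditer(text):
        body = m.group(1)
        if not body or body.startswith("#"):
            continue  # [%# comment %]
        first = body.split(None, 1)[0]
        if first in BLOCK_KEYWORDS or re.match(r"^[\w.]+\s*=(?!=)", body):
            continue  # block directive or assignment, nothing is printed
        line = text.count("\n", 0, m.start()) + 1
        line_prefix = text[text.rfind("\n", 0, m.start()) + 1 : m.start()]
        fm = FILTER_RE.search(body)
        if fm is None:
            findings.append((line, m.group(0), "missing filter"))
        elif fm.group(1) == "html" and HREF_CTX_RE.search(line_prefix):
            findings.append((line, m.group(0), "html filter inside href, use uri"))
    return findings


# Constructed sample template for the demonstration, not a real Koha file.
SAMPLE_TEMPLATE = """\
[% USE raw %]
[% INCLUDE 'doc-head-open.inc' %]
<title>[% patron.surname | html %]</title>
[% IF patron.borrowernumber %]
<a href="/cgi-bin/koha/members/moremember.pl?borrowernumber=[% patron.borrowernumber | html %]">
  [% patron.firstname %] [% patron.surname | html %]
</a>
[% END %]
<div id="news">[% KohaNews.get | $raw %]</div>
[% FOREACH d IN debarments %]
  <p>[% d.comment | html %]</p>
[% END %]
"""

if __name__ == "__main__":
    for line, directive, problem in scan_template(SAMPLE_TEMPLATE):
        print(f"line {line}: {problem}: {directive}")
    payload = '<script>alert("xss")</script>'
    print(apply_filter("html", payload))
    print(apply_filter("uri", payload))
```

Run against the sample it reports the unfiltered `[% patron.firstname %]` on line 6 and the html-filtered borrowernumber inside the href on line 5; the `$raw` news block is accepted because the exception was made deliberately, which is exactly what a reviewer then has to justify by hand.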
This patch fixes a bug which was introduced by Bug 19851 ("Improve
responsive layout handling of staff client menu bar."). The changes in
that patch did not take into account the effects it would have on the
language menus in the footer.
This patch adds some additional classes to some menus and adds some CSS
for those classes so that menus are correctly aligned left or right
based on their position on the screen.
To test, apply the patch and clear your cache if necessary. You should
have multiple translations installed and enabled, at least one of which
should have more than one "sub-language" (e.g. en-GB and en-US).
In the staff client, test the appearance of various drop-down menus with
the browser width above and below 800 pixels wide:
- Search and More menus in the header
- User/Library menu in the header
- Language selection in the footer
- Language selection in the header
In all cases, menus should look correct and should not be aligned in
such a way that they disappear off the left or right sides of the
screen.
Signed-off-by: Claire Gravely <claire.gravely@bsz-bw.de>
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
This patch replaces Glyphicon markup with Font Awesome markup so that a
check mark appears next to the currently-selected language in the staff
client header's language menu.
Also changed in this patch: Some classes have been removed because they
are not used in staff client CSS.
To test, you must have multiple languages installed and enabled in the
staff client.
- Set the StaffLangSelectorMode system preference to "top" or "both top
and footer"
- Confirm that the currently selected language in the language menu has a
check mark next to it.
Signed-off-by: Jon Knight <J.P.Knight@lboro.ac.uk>
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
This patch adds a language selector menu to the top menu of staff client
similar to the OPAC.
Display of language selectors at top, bottom or both can be configured
with the system preference StaffLangSelectorMode. It defaults to bottom.
To test:
- Apply patch
- Update database
- Restart plack and memcached
- Go to staff client, verify that language selector displays at
the bottom of the page (as before)
- Go to system preferences, verify that there is a new preference
StaffLangSelectorMode (name similar to the syspref for the OPAC), and
that it is set to 'footer'
- Change the mode to top, both and footer; for each, go to the staff
client and verify that the language selector displays as appropriate
(Amended for comment #2 2017-06-02 mv)
Signed-off-by: Josef Moravec <josef.moravec@gmail.com>
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>