Here we go, next step then.
As we did not fix the performance issue when autofiltering
the variables (see bug 20975), the only solution we have is to add the
filters explicitly.
This patch has been autogenerated (using add_html_filters.pl, see next
patches) and adds the html filter to all the variables displayed in the
templates.
Exceptions are made (using the new 'raw' TT filter) for the variables we
already listed in the previous versions of this patch.
To test:
- Use t/db_dependent/Koha/Patrons.t to populate your DB with autogenerated
data which contain <script> tags
- Remove them from borrower_debarments.comments (they are allowed here)
update borrower_debarments set comment="html tags possible here";
- From the interface, hit pages and try to catch an alert box.
If you find one, it means you have found a possible XSS.
To know where it comes from:
* note the exact URL where you found it
* note the alert box content
* Dump your DB and search for the string in the dump to identify its
location (for instance table.field)
Next:
* Ideally we would like to use the raw filter when it is not necessary
to HTML escape the variables (in big loop for instance)
* Provide a QA script to catch missing filters (we want html, uri, url
or raw, certainly others that I am forgetting now)
* Replace the html filters with uri when needed (!)
Signed-off-by: Owen Leonard <oleonard@myacpl.org>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
This patch updates several single-column Serials module templates to
use the Bootstrap grid. In addition to grid changes, some templates have
been modified to include the footer with the correct popup parameter.
- serials/acqui-search.tt - Go to Serials -> New subscription. Click
"Search for a vendor."
- serials/acqui-search-result.tt - Vendor search results
- serials/result.tt - Click "Search for record."
- serials/subscription-bib-search.tt - Catalog search results.
Each of these pages should look correct.
Signed-off-by: Claire Gravely <claire.gravely@bsz-bw.de>
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Test plan:
1) do not apply this patch
2) Have at least one vendor whose name contains JavaScript, for
example: <i>Vendor 1</i><script>alert('Hi');</script>
3) go to the Serials module and create a new subscription
4) use "Search for vendor"
5) Search for your vendor; when the search results table is presented, the
JavaScript is executed
6) go through subscription creation and save the new subscription
7) On the subscription detail page, the JavaScript is executed as well
8) apply this patch
9) Repeat 3-7; the script is not executed, the input is escaped
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
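The two commits above describe the same defence from both ends: the first adds an html filter to every displayed template variable (with `raw` as the explicit opt-out) and asks for a QA script that catches directives with no filter at all; the second is the concrete case, a vendor name carrying `<i>Vendor 1</i><script>alert('Hi');</script>` that the serials vendor search rendered unescaped. The script below is an added example written for this page, not Koha's own add_html_filters.pl or QA tooling. It implements the rule stated in the first commit message (an output directive must carry html, uri, url or raw) as a static check over Template Toolkit markup, and mirrors TT's built-in html filter to show what the escaped vendor name looks like. The sample template, the supplier.pl link in it, and the accepted-filter list are constructed assumptions for illustration.

```python
"""Static check for Template Toolkit output directives that lack an escaping filter.

Added example, not Koha's own QA script. It encodes the rule from the commit
message: every [% ... %] that prints a value must carry an html, uri, url or
raw filter. The tag grammar handled here, the sample template and the vendor
payload are constructed for illustration.
"""
import re

# Filters the commit message accepts. Koha spells the raw filter "$raw" because
# it is a dynamic filter loaded with USE raw; the sigil is stripped before the
# comparison. Assumed list, extend as the project adds filters.
ACCEPTED_FILTERS = {"html", "uri", "url", "raw"}

# TT directives that control flow or declare things rather than print a value.
NON_OUTPUT_KEYWORDS = {
    "IF", "UNLESS", "ELSIF", "ELSE", "END", "FOREACH", "FOR", "WHILE", "SWITCH", "CASE",
    "SET", "DEFAULT", "CALL", "INCLUDE", "PROCESS", "INSERT", "WRAPPER", "BLOCK",
    "MACRO", "USE", "FILTER", "TRY", "CATCH", "FINAL", "THROW", "RETURN", "STOP",
    "LAST", "NEXT", "BREAK", "CLEAR", "META", "TAGS", "DEBUG", "PERL", "RAWPERL",
}

DIRECTIVE_RE = re.compile(r"\[%-?\s*(.*?)\s*-?%\]", re.S)   # [% ... %] and [%- ... -%]
ASSIGNMENT_RE = re.compile(r"^[\w.]+\s*=(?!=)")             # [% foo = bar %] prints nothing


def html_filter(value: str) -> str:
    """Mirror of TT's built-in html filter: it escapes &, <, > and the double
    quote only. A single quote survives, so this filter alone does not protect
    a value placed inside a single-quoted HTML attribute."""
    return (
        value.replace("&", "&amp;")
        .replace("<", "&lt;")
        .replace(">", "&gt;")
        .replace('"', "&quot;")
    )


def _filters_of(statement: str) -> list[str]:
    """Return the filter names applied to one TT statement, '$' sigil stripped."""
    parts = [p.strip() for p in statement.split("|")]
    return [p.split("(")[0].strip().lstrip("$") for p in parts[1:]]


def find_missing_filters(template: str) -> list[tuple[int, str]]:
    """Return (line number, directive text) for every output directive with no
    accepted filter. Limitation: the body of a [% FILTER html %] ... [% END %]
    block is not special-cased, so directives inside it are reported too."""
    findings = []
    for m in DIRECTIVE_RE.finditer(template):
        body = m.group(1)
        if body.startswith("#"):                  # [%# comment %]
            continue
        line = template.count("\n", 0, m.start()) + 1
        for statement in body.split(";"):         # [% a; b | html %] chains
            statement = statement.strip()
            if not statement:
                continue
            first = re.match(r"\w+", statement)
            if first and first.group(0) in NON_OUTPUT_KEYWORDS:
                continue
            if ASSIGNMENT_RE.match(statement):
                continue
            if not ACCEPTED_FILTERS.intersection(_filters_of(statement)):
                findings.append((line, m.group(0)))
                break
    return findings


# Constructed sample resembling a vendor search results table. Only the
# vendor name on line 7 is printed without a filter.
SAMPLE_TEMPLATE = """\
[%# constructed sample: serials vendor search results %]
[% INCLUDE 'doc-head-open.inc' %]
[% SET title = 'Vendor search' %]
<table>
[% FOREACH vendor IN vendors %]
  <tr>
    <td><a href="/cgi-bin/koha/acqui/supplier.pl?booksellerid=[% vendor.id | uri %]">[% vendor.name %]</a></td>
    <td>[% vendor.notes | $raw %]</td>
    <td>[% vendor.address | html %]</td>
  </tr>
[% END %]
</table>
"""

# The vendor name from the test plan above.
VENDOR_PAYLOAD = "<i>Vendor 1</i><script>alert('Hi');</script>"

if __name__ == "__main__":
    for line, directive in find_missing_filters(SAMPLE_TEMPLATE):
        print(f"line {line}: missing filter on {directive}")
    print("escaped vendor name:", html_filter(VENDOR_PAYLOAD))
```

Running it reports `[% vendor.name %]` on line 7 of the sample and leaves the `uri`, `$raw` and `html` directives alone; replacing that directive with `[% vendor.name | html %]` clears the report, which is exactly the one-token change the second commit makes. The escaped payload comes back as `&lt;i&gt;Vendor 1&lt;/i&gt;&lt;script&gt;alert('Hi');&lt;/script&gt;`, inert in element content. The html filter is a context-specific defence: the check accepts `uri`/`url` as well because a value spliced into a query string needs percent-encoding, not entity encoding, which is the "replace html with uri when needed" item in the first commit's next steps.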
This patch modifies some staff client serials templates so
that JavaScript is included in the footer instead of the header.
To test, apply the patch and test the JavaScript-driven features of the
modified templates: All button controls, DataTables functionality, tabs,
etc.
- Serials -> New subscription
- Search for a vendor
- "Choose" link and "Cancel" button should work correctly
- Search for record
- "Choose" link and "Cancel" button should work correctly
- Serials -> Add subscription fields
- Datatable, delete confirmation
- Edit
- Form validation (submit both authorised value and MARC field)
- Serials -> Check expiration
- Date picker in search form
- Search
- Renew button triggers popup
- Serials -> Claims -> Search results
- Date picker, datatable, form validation
- Select all/none; Download claims
Signed-off-by: Claire Gravely <claire.gravely@bsz-bw.de>
Signed-off-by: Josef Moravec <josef.moravec@gmail.com>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Signed-off-by: Owen Leonard <oleonard@myacpl.org>
Signed-off-by: Jonathan Druart <jonathan.druart@biblibre.com>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
To test:
1) Go to Serials
2) Click New subscription or edit an existing one
3) Click Search for a vendor
4) Make a search that will return no results (e.g. one with a typo)
5) Confirm there is an appropriate message
6) Go back and make a search that will return results (e.g. putting in the
single letter 'a')
7) Confirm that heading is worded better and search term is displayed
8) Go back and make search without entering any search terms
9) Confirm that heading is worded better, no search term is displayed
Sponsored-by: Catalyst IT
Patch behaves as described.
Signed-off-by: Marc Véron <veron@veron.ch>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
This patch removes instances of "onclick" from the serials templates for
patron and vendor search.
To test, go to Serials and click "New subscription."
- In the new subscription form, click the "Search for a vendor" link.
- In the popup, search for a vendor. Confirm that clicking "Choose"
selects the correct vendor.
- From the detail page of an existing subscription, click "Create
routing list."
- Search for a patron and test that the "Add" button in search results
works correctly to add patrons to the routing list.
Signed-off-by: Claire Gravely <c.gravely@arts.ac.uk>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
The "highlight" class on table rows is unnecessary since we have a CSS
rule which defines colors for alternating row colors. This patch removes
use of the "highlight" class from templates and removes the definition
from staff-global.css.
To test, view the affected pages and confirm that the change has not
broken anything.
Acquisitions -> Vendor -> View basket
Acquisitions -> Late orders
Acquisitions -> Ordered
Acquisitions -> Vendor -> Receive shipment
Acquisitions -> Spent
Acquisitions -> Vendor details -> Contracts table
Administration -> MARC frameworks (comment removed only)
Administration -> Class sources
Authorities -> Authority search results
Catalog -> Bibliographic detail page -> Items -> View item's checkout
history
Catalog -> subject.tt (is this template used?)
Cataloging -> Cataloging search results
Patrons -> Patron account
Reports -> Patrons who haven't checked out
Reports -> Statistics wizards -> Patrons
Reports -> Top lists -> Most-circulated items
Reports -> Inactive -> Items with no checkouts
Reports -> Reports dictionary
Reports -> Statistics wizards -> Circulation
Reports -> Statistics wizards -> Holds
Holds -> Place a hold -> Existing holds table
Serials -> New subscription -> Search for a vendor -> Search results
Serials -> Check expiration
Serials -> Subscription -> Serial collection
Serials -> Subscription -> Serial collection -> Edit serials
Suggestions
Tags -> View tags -> View titles with a tag
Tools -> Manage staged MARC records -> Batch (I think the affected
section of this template is obsolete)
Tools -> Log viewer -> Log result
Lists -> View lists (May be broken by Bug 15916)
Note that if you search the templates for instances of a <tr> with a
"highlight" class you'll find two instances in slip templates which
refer to a class defined in printreceiptinvoice.css.
Signed-off-by: Frédéric Demians <f.demians@tamil.fr>
Looks good. Haven't seen any regression.
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
Signed-off-by: Brendan A Gallagher <brendan@bywatersolutions.com>
When searching for a vendor, if the vendor has accented characters in its
name, the vendor's name that's added in the form of subscription-add.pl
is encoded incorrectly.
[2011.06.01] F. Demians. Port it to 3.4
Signed-off-by: Colin Campbell <colin.campbell@ptfs-europe.com>
Signed-off-by: Chris Cormack <chrisc@catalyst.net.nz>