Changed each of the pages in the OPAC to have one <h1> tag showing that describes the page, rather than the <h1> describing the logo.
The hierarchy of heading tags may be broken in many pages, but this will be dealt with in a follow up patch or bug.
To test:
1) Go to the OPAC
2) Apply patch
3) Go to each of the pages and check that they have an obvious and
descriptive heading
4) Ensure that the heading in the page is <h1>
Sponsored by: Catalyst IT
Signed-off-by: Hayley Pelham <hayleypelham@catalyst.net.nz>
Signed-off-by: Henry Bolshaw <bolshawh@parliament.uk>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Here we go, next step then.
As we did not fix the performance issue when autofiltering
the variables (see bug 20975), the only solution we have is to add the
filters explicitely.
This patch has been autogenerated (using add_html_filters.pl, see next
pathces) and add the html filter to all the variables displayed in the
template.
Exceptions are made (using the new 'raw' TT filter) to the variable we
already listed in the previous versions of this patch.
To test:
- Use t/db_dependent/Koha/Patrons.t to populate your DB with autogenerated
data which contain <script> tags
- Remove them from borrower_debarments.comments (there are allowed here)
update borrower_debarments set comment="html tags possible here";
- From the interface hit page and try to catch alert box.
If you find one it means you find a possible XSS.
To know where it comes from:
* note the exact URL where you found it
* note the alert box content
* Dump your DB and search for the string in the dump to identify its
location (for instance table.field)
Next:
* Ideally we would like to use the raw filter when it is not necessary
to HTML escape the variables (in big loop for instance)
* Provide a QA script to catch missing filters (we want html, uri, url
or raw, certainly others that I am forgetting now)
* Replace the html filters with uri when needed (!)
Signed-off-by: Owen Leonard <oleonard@myacpl.org>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
Test tt_valid.t warns that opac-retrieve-file.tt has no id and class
attribute on the body tag.
This patch adds them to clear the warning.
Test plan:
Apply patch and run xt/tt_valid.t.
Works as expected.
Signed-off-by: Marc Véron <veron@veron.ch>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Signed-off-by: Tomas Cohen Arazi <tomascohen@unc.edu.ar>
This patch makes the following changes to achieve that:
[1] Use Upload.pm in stage-marc-import.pl, upload-cover-image.pl,
offline_circ/process_koc.pl and enqueue_koc.pl.
[2] A new file-upload.js replaces file-upload.inc in the associated template.
We now use ajax to get progress figures instead of launching perl script
upload-file-progress.
The js changes now also allow for aborting a file upload.
[3] Adds a tools/upload script and template. It allows to upload multiple
files at once.
[4] Makes upload-file return error messages in JSON. For a multiple upload,
we could have some files with errors and others without errors.
The upload is now marked as Failed only if there was no upload at all.
[5] The upload plugin is converted to use tools/upload with plugin param.
Deleting an upload is now presented via the search results form.
NOTE: In editing the process_koc.tt I noticed that the form enqueuefile was
hidden and no longer used (with associated code in process_koc.pl). When a
file has been uploaded, I display the form again (with the Apply directly
button). The code still works.
NOTE: We fix an error in upload-file from one of the patches of bug 6874.
The userid of the Koha admin user is passed to haspermission, but we
should pick the userid from the session.
NOTE: Bug 14686 will add a specific permission for tools/upload.pl, and
will add the tools/upload script to the Tools menu.
For now, you need edit_catalogue to start upload.pl and you will
additionally need a permission like upload_local_cover_images
to successfully upload a new file.
Test plan:
[1] Upload a marc file in stage-marc-import. (This is temp storage.)
[2] Check new entry in table uploaded_files. Look for the file in your
temporary directory (/tmp ?), subfolder koha_upload.
Bonus: Remove permissions on this subfolder. Retry, check error and
restore permissions again.
[3] Upload another (larger) file and abort the upload. Check table and
directory again. You should have a partial file, but no record.
[4] Verify that Stage for import still works as expected.
[5] Test Upload local cover image. (Enable OPACLocalCoverImages.) You can
test an individual image or a zip file including images and a file
called datalink.txt (with lines biblionumber,filename).
[6] Test uploading a offline circulation file:
Enable AllowOfflineCirculation, and create a koc file (plain text):
Line1: Version=1.0\tA=1\tB=2
Line2: 2015-08-06 08:00:00 345\treturn\t[barcode]
Note: Replace tabs and barcode. The number of tabs is essential!
Checkout the item with your barcode.
Go to Offline circulation file upload. Upload and click Apply directly.
Checkout again. Upload again, click Add to offline circulation queue.
[7] Upload three files via tools/upload.pl with a category and marked as
public. Check the results in the table.
Verify that you can download the file in OPAC without being logged in.
[8] Pick one new file and one of the files of step 7. Upload them in the
same category. One upload should succeed. Check for reported error.
[9] Connect upload.pl to field 856$u.
Goto Cataloguing editor.
In an empty 856$u, click the tag editor. Upload a file and click Choose.
Save the record. Open the record in the OPAC and click the link.
Copy this link to your clipboard for next step.
[A] Go back to editor. Click the tag editor on the same 856 field.
Choose for Delete.
Open the link in your clipboard again. Error message?
[B] Check the process of upload, search, download and delete of an upload
with some diacritical characters in the filename. (Bonus points for
adding special chars in the category code.)
Note: You can add categories via authorized values, UPLOAD key.
Signed-off-by: Mirko Tietgen <mirko@abunchofthings.net>
Signed-off-by: Julian Maurice <julian.maurice@biblibre.com>
Bug 14321: [QA Follow-up] Perltidy upload.pl
Run perltidy -pro=xt/perltidyrc on tools/upload.pl.
No other changes.
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Julian Maurice <julian.maurice@biblibre.com>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
