Commit graph

10 commits

Author SHA1 Message Date
5825026448 Bug 21526: uri escape TT variables when used in 'a href'
This patch has been generated with the script provided on bug 21576.
It only affects variable used in the href attribute of a link *when*
href it the first attribute of the node (grep "a href")

Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>

Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
2018-10-26 17:09:57 +00:00
Jonathan Druart
dcd1f5d48c Bug 13618: Add html filters to all the variables
Here we go, next step then.
As we did not fix the performance issue when autofiltering
the variables (see bug 20975), the only solution we have is to add the
filters explicitely.

This patch has been autogenerated (using add_html_filters.pl, see next
pathces) and add the html filter to all the variables displayed in the
template.
Exceptions are made (using the new 'raw' TT filter) to the variable we
already listed in the previous versions of this patch.

To test:
- Use t/db_dependent/Koha/Patrons.t to populate your DB with autogenerated
data which contain <script> tags

- Remove them from borrower_debarments.comments (there are allowed here)
update  borrower_debarments set comment="html tags possible here";

- From the interface hit page and try to catch alert box.
If you find one it means you find a possible XSS.
To know where it comes from:
* note the exact URL where you found it
* note the alert box content
* Dump your DB and search for the string in the dump to identify its
location (for instance table.field)

Next:
* Ideally we would like to use the raw filter when it is not necessary
to HTML escape the variables (in big loop for instance)
* Provide a QA script to catch missing filters (we want html, uri, url
or raw, certainly others that I am forgetting now)
* Replace the html filters with uri when needed (!)

Signed-off-by: Owen Leonard <oleonard@myacpl.org>

Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>

Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
2018-08-17 15:55:05 +00:00
a8942c2884 Revert bug 13618 - "Prevent XSS in the Staff Client and the OPAC" due to performance issues
Revert "DBRev to make notes of the XSS patches and the new important dependency."

This reverts commit e140603a59.

Revert "Bug 13618: Specific for branches.opac_info"

This reverts commit 06e4a50f00.

Revert "Bug 13618: (follow-up) Specific for other prefs"

This reverts commit d6475a111f.

Revert "Bug 13618: Fix for debarredcomment and patron messages"

This reverts commit dd98c9df92.

Revert "Bug 13618: Do not display html tags in patron's notices"

This reverts commit a065b243fe.

Revert "Bug 13618: Do not display &nbsp; and html tags in item fields content"

This reverts commit baeeaffbf8.

Revert "Bug 13618: Fix for system preference description"

This reverts commit a967a09261.

Revert "Bug 13618: Remove html filters for newly pushed code"

This reverts commit 0e98662b10.

Revert "Bug 13618: (follow-up) add missing lines for opac-shelves"

This reverts commit fc2fb605e5.

Revert "Bug 13618: (follow-up) Specific for ColumnsSettings"

This reverts commit bc308fdd9c.

Revert "Bug 13618: Fix for edit biblios and items"

This reverts commit 811c4e8402.

Revert "Bug 13618: followup to remove tabs"

This reverts commit ca8e8c397c.

Revert "Bug 13618: Fix last occurrences recently introduced to master"

This reverts commit bb417b256b.

Revert "Bug 13618: Fix for news"

This reverts commit ae5b98020a.

Revert "Bug 13618: Fix escape on sending baskets or shelves by email"

This reverts commit a7731ffe25.

Revert "Bug 13618: Specific for XSLTBloc"

This reverts commit 11fa38dc29.

Revert "Bug 13618: Specific for Salutation on editing a patron"

This reverts commit 36c07ad6d3.

Revert "Bug 13618: Specific for other prefs"

This reverts commit e6ea281a3b.

Revert "Bug 13618 - memberentrygen.tt errors Not a GLOB reference"

This reverts commit 7824874557.

Revert "Bug 13618: Specific for ColumnsSettings"

This reverts commit 1834da3da3.

Revert "Bug 13618: Specific for IntranetUser* and OPACUser* prefs"

This reverts commit 21ae62b253.

Revert "Bug 13618: Fix error 'Not a GLOB reference'"

This reverts commit 602bdbab4c.

Revert "Bug 13618: Specific for the ISBD view"

This reverts commit d254362435.

Revert "Bug 13618: Specific for pagination_bar"

This reverts commit 8837a8ae68.

Revert "Bug 13618: Specific places where we don't need to escape variables - intra"

This reverts commit 00eff140b3.

Revert "Bug 13618: Remove html filters at the intranet"

This reverts commit 7db851ff03.

Revert "Bug 13618: Specific places where we don't need to escape variables"

This reverts commit 49a3738b8d.

Revert "Bug 13618: Remove html filters at the OPAC"

This reverts commit cedaa0e23e.

Revert "Bug 13618: Use Template::Stash::AutoEscaping to use the html filter"

This reverts commit 01b38d3b13.

Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>

Signed-off-by: Brendan Gallagher brendan@bywatersolutions.com
2016-02-11 19:39:53 +00:00
Julian Maurice
5ef5fb5617 Bug 15358: Fix authorities merge
Bug 8064 (Merge several biblio records) change some code used in both
biblios and authorities merge tool without updating the authorities
merge tool.
This patch fixes that.

Signed-off-by: Nick Clemens <nick@bywatersolutions.com>

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>

Signed-off-by: Brendan Gallagher brendan@bywatersolutions.com
2016-02-03 23:03:33 +00:00
Jonathan Druart
7db851ff03 Bug 13618: Remove html filters at the intranet
Signed-off-by: Signed-off-by: Joonas Kylmälä <j.kylmala@gmail.com>

Signed-off-by: Bernardo Gonzalez Kriegel <bgkriegel@gmail.com>

Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>

Signed-off-by: Brendan Gallagher brendan@bywatersolutions.com
2016-01-29 17:54:12 +00:00
Julian Maurice
44c4b9310d Bug 8064: Change the way target record is built.
Instead of copying/removing a piece of DOM in target record each time a
checkbox is checked/unchecked, the target record is *entirely* rebuilt
each time a checkbox is checked/unchecked.
This is slower but allow for a more consistent and less error-prone
behaviour.

This patch also fix the mandatory check for subfields

Signed-off-by: Bernardo Gonzalez Kriegel <bgkriegel@gmail.com>

Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
2015-11-09 15:08:57 -03:00
Julian Maurice
6143a2bf44 Bug 8064: Merge several biblios
This patch improves the existing merging tool by adding possibility to
merge more than 2 biblios.
There is no functional changes:
  - Add some biblios to a list
  - In the list check some biblios and click on 'Merge selected records'
  - Choose the biblio which will be kept, all others will be deleted
  - On the next page you have all biblios you chose in tabs (left side
    of the screen) and the preview of result (right side)
  - Pick some fields or subfields from records that will be deleted or
    delete some fields from reference record.
  - Click on 'Merge', if there is no errors you are redirected to the
    biblio view.

Added checks for non-repeatable subfields
Added checks for mandatory fields and subfields before submitting the
form.
Added a final report which display deleted records (see syspref
MergeReportFields)

Signed-off-by: Bernardo Gonzalez Kriegel <bgkriegel@gmail.com>

Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
2015-11-09 15:08:57 -03:00
Fridolyn SOMERS
0ee3a414e8 Bug 10650 - export merge-record.inc javascript into a file
Bug 9755 added a refactoring of records merge adding the include
merge-record.inc. This include contains a block "mergejs" containing all
JavaScript code that was in merge.tt.
This patch exports this code into a js file.
Translatable strings contained in this file are in
merge-record-strings.inc.

Test plan :
- Put two records is a list
- Go to this list and check the two records
- Click on "Merge selected"
- Click on next
- Go to second source record
- Click on a repeatable field
=> The field is added to destination record
- Click on a subfield of a field existing in destination record
=> The subfield is added to destination record
- Click on a non repeatable field existing in destination record
=> You get an alert and field is not added
- Click on a subfield of a field not existing in destination record
=> You get an alert and subfield is not added
- Click on Merge
=> Records are merged

Signed-off-by: Owen Leonard <oleonard@myacpl.org>
Signed-off-by: Katrin Fischer <Katrin.Fischer.83@web.de>
Passes tests and test plan, no regressions found.

Signed-off-by: Galen Charlton <gmc@esilibrary.com>
2013-09-16 16:17:34 +00:00
Jared Camins-Esakov
4712fc66f0 Bug 9755 QA follow-up: fix template compliance
Fix the following test failure:
* koha-tmpl/intranet-tmpl/prog/en/includes/merge-record.inc                FAIL
    forbidden patterns          OK
    tt_valid                    FAIL
            lines 10, 24
    valid_template              OK

Signed-off-by: Katrin Fischer <Katrin.Fischer.83@web.de>
Passes all tests and QA script.
Found a pre-existing problem with non-repeating subfields
that I noted on the bug report.
All other tests were ok and merging records worked nicely.

Signed-off-by: Galen Charlton <gmc@esilibrary.com>
2013-07-23 23:10:48 +00:00
Jared Camins-Esakov
50fb4612ed Bug 9755: Refactor record merge functionality
This patch refactors the merge record interface and code a little bit
in preparation for making it possible to merge authority records.

To test:
1) Apply patch.
2) Try merging two records:
    a) Create a list.
    b) Add two records you would like to (or be willing to) merge
       to said list.
    c) View said list.
    d) Check the checkboxes next to the two records you added.
    e) Click "Merge selected records."
    f) Choose a merge reference.
    g) Choose fields from each record that you want to keep.
    h) Click "Merge."
3) Confirm that your merged record has the fields and subfields you
   wanted.
4) Run the unit tests for the two files that were changed:
    prove t/Koha_Record.t t/db_dependent/Koha_Authority.t
5) Sign off.

Signed-off-by: Mathieu Saby <mathieu.saby@univ-rennes2.fr>
Signed-off-by: Chris Cormack <chrisc@catalyst.net.nz>
Signed-off-by: Katrin Fischer <Katrin.Fischer.83@web.de>
Signed-off-by: Galen Charlton <gmc@esilibrary.com>
2013-07-23 23:10:07 +00:00