Signed-off-by: Owen Leonard <oleonard@myacpl.org>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
Here we go, next step then.
As we did not fix the performance issue when autofiltering
the variables (see bug 20975), the only solution we have is to add the
filters explicitely.
This patch has been autogenerated (using add_html_filters.pl, see next
pathces) and add the html filter to all the variables displayed in the
template.
Exceptions are made (using the new 'raw' TT filter) to the variable we
already listed in the previous versions of this patch.
To test:
- Use t/db_dependent/Koha/Patrons.t to populate your DB with autogenerated
data which contain <script> tags
- Remove them from borrower_debarments.comments (there are allowed here)
update borrower_debarments set comment="html tags possible here";
- From the interface hit page and try to catch alert box.
If you find one it means you find a possible XSS.
To know where it comes from:
* note the exact URL where you found it
* note the alert box content
* Dump your DB and search for the string in the dump to identify its
location (for instance table.field)
Next:
* Ideally we would like to use the raw filter when it is not necessary
to HTML escape the variables (in big loop for instance)
* Provide a QA script to catch missing filters (we want html, uri, url
or raw, certainly others that I am forgetting now)
* Replace the html filters with uri when needed (!)
Signed-off-by: Owen Leonard <oleonard@myacpl.org>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
To test:
1 - Apply patch and update dabase
2 - Check that Search the Catalog links throughout the staff interface
have not changed
3 - Set "IntranetCatalogSearchPulldown" to 'Show'
4 - Verify that 'Search the catalog' links through staff client now have
a dropdwon to select search index
I think viewing one file each that includes updated header should be
sufficient, but please check as many as you can:
cgi-bin/koha/admin/aqbudgetperiods.pl
cgi-bin/koha/admin/admin-home.pl
cgi-bin/koha/cataloguing/addbooks.pl
cgi-bin/koha/circ/returns.pl
cgi-bin/koha/circ/circulation-home.pl
cgi-bin/koha/admin/cities.pl
cgi-bin/koha/admin/aqcontract.pl
cgi-bin/koha/admin/currency.pl
cgi-bin/koha/mainpage.pl
cgi-bin/koha/tools/letter.pl
cgi-bin/koha/members/members-home.pl
cgi-bin/koha/admin/categories.pl
cgi-bin/koha/admin/preferences.pl
cgi-bin/koha/admin/printers.pl
cgi-bin/koha/serials/serials-home.pl
cgi-bin/koha/acqui/newordersuggestion.pl
cgi-bin/koha/admin/z3950servers.pl
Sponsored by:
Northeast Kansas Library System (http://nekls.org/)
Signed-off-by: Heather Braum <hbraum@nekls.org>
Signed-off-by: Barton Chittenden <barton@bywatersolutions.com>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
This patch removes the use of "onclick" from all header search forms for
the purpose of triggering the "keep_text" function. This behavior is now
handled in the globally-included JS file.
To test, apply the patch and clear your cache if necessary.
- Enter text in any header search form field. Click to each other tab
in the header and confirm that your text is copied to each.
- Test the behavior of the header search form on at least one page where
each is included:
- The staff client home page
- The advanced search page
- The authorities home page
- The administration home page
- The cataloging home page
- The checkin page
- The circulation home page
- The patrons home page
- Acquisitions -> Vendor -> Contracts
- Administration -> Cities
- Administration -> Currencies and exchange rates
- Administration -> Patron categories
- Administration -> Printers (why is this page still around?)
- Administration -> System preferences
- Administration -> Z39.50/SRU servers
- Tools -> Notices & slips
This patch modifies does not fix the existing (unreported) bug which
prevents the keep text function from working in the include file used on
these pages:
- Acquisitions -> Vendor -> Basket -> New order from suggestion
- Administration -> Budgets
- The serials home page
Signed-off-by: Claire Gravely <c.gravely@arts.ac.uk>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
I have only changed this in the includes for the tabs at the top.
Dependent on Bug 12051 as that patch adds extra tabs to the top which would need to be changed later
To test:
1) Apply Bug 12051 first, then this patch
2) Ensure that Check Out/Check In/Renew tabs still work as they should
3) Check patch for errors or pages I've missed
Signed-off-by: Marc Véron <veron@veron.ch>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Signed-off-by: Brendan Gallagher brendan@bywatersolutions.com
UPDATE: Added to checkin-search.inc to show up on returns.pl
To test:
1) Apply patch
2) Confirm that there is now a Renew tab on the pages where there is also a Check-in tab only
3) Attempt to renew a book using this, confirm it works as expected
4) Check if I have missed any pages
Signed-off-by: Marc Véron <veron@veron.ch>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Signed-off-by: Brendan Gallagher brendan@bywatersolutions.com
To test:
Apply the patch and see that the text now is there in the search
box when clicking the tabs: check in, check out etc..
(More files changed for persistent text in searchbox)
Sponsored-by: Halland County Library
Signed-off-by: Magnus Enger <magnus@enger.priv.no>
This is something I have wanted quite a few times over the years...
Tested by going to every main area of Koha, entering some random
text into the search box and then clicking on all the available tabs
to check that the entered text is carried over to all the boxes.
There are a couple of places where text is not carried over, but I
guess that might be because one of the boxes is structurally
different to the others. These are:
- "Vendor search" and "Orders search" in Acquisitions
- "Search subscriptions" in Serials
I have not looked at how this is implemented, just that it works as
it should.
Bug 14189 refactor after failed QA.
Signed-off-by: Jonathan Druart <jonathan.druart@koha-community.org>
Amended patch: replace tabs with spaces
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
Current jQuery-driven tabs are done using a very old
version of the tabs plugin. This patch upgrades jQueryUI
to the latest version and adds the tabs widget dependency
to the jqueryui js file and updates the syntax for existing
tabs:
- $("#foo > ul").tabs(); changes to $("#foo").tabs();
- Remove full URL from tab links (use #anchor only).
Pages with "static" tabs (tabs which are built in the
markup rather than generated by the plugin) have been
modified to use their own style. Examples: pay.tt in
the staff client and opac-readingrecord.tt in the OPAC.
Edit: Minor revision to some uncorrected markup
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Signed-off-by: Paul Poulain <paul.poulain@biblibre.com>
Following suggestion by Vincent Danjean for Debian
packaging, 0755 -> 0644 for non-executable
files.
Also removed shebang from a few modules in C4.
Signed-off-by: Galen Charlton <galen.charlton@liblime.com>
This changes some css and markup to make the return box at the top not show when one is on the checkin screen. It also moves the markup for the autocompleting search box to its own file.
Signed-off-by: Galen Charlton <galen.charlton@liblime.com>
This reverts commit 38884abf65.
This commit results in failed searches all over the place, I'm reverting
the revert :-)
Conflicts:
koha-tmpl/intranet-tmpl/prog/fr/includes/circ-search-autocompl.inc
Signed-off-by: Chris Cormack <crc@liblime.com>
Signed-off-by: Joshua Ferraro <jmf@liblime.com>
The patch default search on kw-wrdl is bugguy, as there ca be 2 idx (maybe an API limit,not sure)
So i've reverted it and added kw,wrdl on every place there is a query (the search boxes)
QUESTION : isn't it possible to have a single query for catalogue, that is TMPL_INCLUDE'd ?
Signed-off-by: Chris Cormack <crc@liblime.com>
Signed-off-by: Joshua Ferraro <jmf@liblime.com>
See attached file. Thanks.
>From 1c3021f31675193ad2e9b91a95191f9ae0caeff2 Mon Sep 17 00:00:00 2001
From: Frederic Demians <f.demians@tamil.fr>
Date: Wed, 24 Oct 2007 11:50:08 +0200
Subject: [PATCH] Borrower name autocompletion improvement
Autocompletion is selected by syspref directly in circ-search.inc.
This way it could be activated elsewhere just by adding CircAutocompl
param into page using circ-search.inc.
Done for example in circ/branchtransfers.pl. Must be done in all other
circ/*.pl pages.
Signed-off-by: Chris Cormack <crc@liblime.com>
Signed-off-by: Joshua Ferraro <jmf@liblime.com>
