Commit graph

7 commits

Author SHA1 Message Date
Jonathan Druart
dcd1f5d48c Bug 13618: Add html filters to all the variables
Here we go, next step then.
As we did not fix the performance issue when autofiltering
the variables (see bug 20975), the only solution we have is to add the
filters explicitly.

This patch has been autogenerated (using add_html_filters.pl, see next
patches) and adds the html filter to all the variables displayed in the
template.
Exceptions are made (using the new 'raw' TT filter) for the variables we
already listed in the previous versions of this patch.

To test:
- Use t/db_dependent/Koha/Patrons.t to populate your DB with autogenerated
data which contain <script> tags

- Remove them from borrower_debarments.comments (they are allowed here)
update  borrower_debarments set comment="html tags possible here";

- From the interface hit pages and try to catch an alert box.
If you find one it means you have found a possible XSS.
To know where it comes from:
* note the exact URL where you found it
* note the alert box content
* Dump your DB and search for the string in the dump to identify its
location (for instance table.field)

Next:
* Ideally we would like to use the raw filter when it is not necessary
to HTML escape the variables (in big loops, for instance)
* Provide a QA script to catch missing filters (we want html, uri, url
or raw, certainly others that I am forgetting now)
* Replace the html filters with uri when needed (!)

Signed-off-by: Owen Leonard <oleonard@myacpl.org>

Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>

Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
2018-08-17 15:55:05 +00:00
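As an added illustration, not part of the commit above or of Koha's code: a stand-alone Perl script that runs the Template Toolkit filters the commit message names (html, uri, url) over a constructed value containing a script tag, next to a locally defined identity 'raw' filter (an assumption standing in for Koha's own raw filter), so the difference between escaped and unescaped output is visible on the console. The sample values are constructed for this example.

```perl
#!/usr/bin/perl
# Added example (not Koha code): compares Template Toolkit's html, uri and
# url filters with an unfiltered ('raw') variable on a value that carries
# markup. Requires the Template module from CPAN.
use strict;
use warnings;
use Template;

# Assumption: Koha's 'raw' filter is a plain identity filter. We register
# our own here so the script runs against stock Template Toolkit.
my $tt = Template->new({
    FILTERS => { raw => sub { return $_[0] } },
}) or die Template->error();

# Constructed sample values, of the kind the test plan above seeds into the
# database: markup a browser would execute if it reached the page unescaped.
my $vars = {
    comment => q{<script>alert("xss")</script>},
    query   => q{Smith & Sons},
    link    => q{http://example.org/search?a=1&b=<x>},
};

# One line per filter so the encodings can be compared side by side.
my $template = <<'TT';
html : <td>[% comment | html %]</td>
uri  : ?q=[% query | uri %]
url  : [% link | url %]
raw  : <td>[% comment | raw %]</td>
TT

my $out;
$tt->process(\$template, $vars, \$out) or die $tt->error();
print $out;
```

Run it with `perl filters.pl` after installing Template from CPAN. The html line shows `<`, `>`, `&` and `"` turned into entities, which is what stops the seeded script tag from running; the raw line shows the same value passed through untouched, which is the case the commit reserves for variables that were explicitly reviewed. The uri filter percent-encodes reserved characters such as `&` and `=` as well, whereas url leaves them intact so an existing URL keeps its structure, which is why the "Next" list above distinguishes replacing html with uri from the general filtering pass.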
Marc Véron
7e39bbc61a Bug 18660: Translatability: Get rid of template directives [%% in translation for patroncards-errors.inc
Translation for koha-tmpl/intranet-tmpl/prog/en/includes/patroncards-errors.inc
contains a lot of (partial) template directives like:
%%]%s %sLayout: [%%

This patch fixes it.

To test:
- Verify that code changes make sense
- Apply patch
- Create a translation (cd misc/translator, then: perl translate create aa-AA)
- Verify that po/aa-AA-staff-prog.po contains no fragments like %%] or [%%
  for patroncards-errors.inc
- Try to get an error: Try a link like
  http://[YOUR SERVER]/cgi-bin/koha/patroncards/create-pdf.pl?batch_id=1&template_id=999&layout_id=999&start_card=1
  ...where template_id and layout_id do not exist

(Amended for comment #2 2017-06-05 mv)
(Amended for comment #6 2017-08-02 mv)

Signed-off-by: Owen Leonard <oleonard@myacpl.org>

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
2017-08-30 16:43:36 -03:00
Aleisha Amohia
2173b780c9 Bug 17181: Check for duplicate image names when uploading image to patron card creator
This patch adds a check for duplicates before uploading the image.

To test:
1) Go to Tools -> Patron card creator -> Manage images
2) If you haven't already, upload an image
3) Try to upload another image with the same image name
4) Notice the first image is replaced with the second image, with no
warning.
5) Apply patch and refresh page
6) Try to upload an image with the same image name again
7) Notice you are now warned about a duplicate image name.
8) Check that uploading an image with a unique name still works.

Sponsored-by: Catalyst IT
Signed-off-by: Claire Gravely <claire_gravely@hotmail.com>

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>

Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
2017-01-13 12:28:07 +00:00
Aleisha Amohia
ea13ea0083 Bug 17175: Typo in patron card images error message
To test:
1) Go to Tools -> Patron Card Creator -> New Image
2) Click Upload without attaching anything
3) Notice typo
4) Apply patch and refresh page (resend information if prompted)
5) Notice typo fixed

Sponsored-by: Catalyst IT
Signed-off-by: Claire Gravely <claire_gravely@hotmail.com>

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>

Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
2016-09-02 15:54:20 +00:00
Marc Véron
b51f2baa7c Bug 14138: Patroncard: Warn user if PDF creation fails
Change patroncards/create-pdf.pl to redirect with an error message
instead of writing an invalid pdf that does not open in a pdf viewer.

To test:
- Apply patch

- Test that pdf creator behaves as before (with valid batches and
  patron lists)

- While testing, copy pdf link address from window with title 'Click
  the following link(s) to download...'

- Open another staff client browser tab

- Paste link to browser address field, change batch id or patron
  list id, respectively, to an invalid value and submit

- The window should redirect to cgi-bin/koha/patroncards/create-pdf.pl
  and display an error message

- Bonus test 1: Create an empty patron list and test patron card
  creation. You should get an error message as appropriate.

- Bonus test 2: Use a link with params like the following:
  ...create-pdf.pl?borrower_number=61&template_id=2&layout_id=1&start_card=1
  Verify that you can create a pdf with a valid borrower_number and that
  you get the error message with an invalid borrower number

Signed-off-by: Owen Leonard <oleonard@myacpl.org>

Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>

Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
2016-07-15 15:00:56 +00:00
Galen Charlton
46bbfa12a1 Bug 9924: (follow-up) ensure that correct error message is displayed
(Apparently) unlike HTML::Template::Pro, Template Toolkit doesn't like
template variables that are entirely numeric -- in conditionals, it
considers them integers, most of which are Perl true.

This patch changes this by setting the error variable to the error
value.

To test:

[1] Run the test plan from the previous patch.  In each
    case, verify that the error message is specifically applicable
    to the test.  For example, if you try uploading a patron image
    that is larger than 500KB, the error message displayed should
    specifically say so.

Signed-off-by: Galen Charlton <gmc@esilibrary.com>
Signed-off-by: Katrin Fischer <Katrin.Fischer.83@web.de>
Thank you Galen for catching this. Error messages showing up
now are much more specific and according to the error codes given.
I tested uploading a file larger than 500KB and triggered several
error messages giving the error code in the URL:
/cgi-bin/koha/patroncards/manage.pl?card_element=profile&error=201

All tests and QA script pass.

Signed-off-by: Galen Charlton <gmc@esilibrary.com>
2013-09-08 19:19:50 +00:00
3d8f462cce Bug 9924 - Simplify and rename patron card creator error message include
The patron card creator error message include uses a non-standard method
for displaying error messages, and is poorly-named.

This patch converts the method of displaying error messages for various
patron card creator options to the standard one ('<div class="dialog
alert">') and renames the include file to make it clear that it relates
only to patron card creator operations.

To test, perform various operations:

- Go to 'manage images' and try to upload a file which exceeds the
  500KB file size limit
- Go to the edit batch page and manually append an error code to the
  URL:  /cgi-bin/koha/patroncards/edit-batch.pl?op=new&error=403
- Go to one of the manage pages and manually append an error code to the
  URL:
  /cgi-bin/koha/patroncards/manage.pl?card_element=profile&error=201

Correct display of an error message indicates that the include file is
being found.

Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Signed-off-by: Katrin Fischer <Katrin.Fischer.83@web.de>
Passes test plan, test suite and QA script.

Signed-off-by: Galen Charlton <gmc@esilibrary.com>
2013-09-08 19:19:23 +00:00