Here we go, next step then.
As we did not fix the performance issue when autofiltering
the variables (see bug 20975), the only solution we have is to add the
filters explicitly.
This patch has been autogenerated (using add_html_filters.pl, see next
patches) and adds the html filter to all the variables displayed in the
template.
Exceptions are made (using the new 'raw' TT filter) for the variables we
already listed in the previous versions of this patch.
To test:
- Use t/db_dependent/Koha/Patrons.t to populate your DB with autogenerated
data which contain <script> tags
- Remove them from borrower_debarments.comments (they are allowed here)
update borrower_debarments set comment="html tags possible here";
- From the interface, hit pages and try to catch an alert box.
If you find one it means you have found a possible XSS.
To know where it comes from:
* note the exact URL where you found it
* note the alert box content
* Dump your DB and search for the string in the dump to identify its
location (for instance table.field)
Next:
* Ideally we would like to use the raw filter when it is not necessary
to HTML escape the variables (in big loops for instance)
* Provide a QA script to catch missing filters (we want html, uri, url
or raw, certainly others that I am forgetting now)
* Replace the html filters with uri when needed (!)
Signed-off-by: Owen Leonard <oleonard@myacpl.org>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
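A QA check of the kind the second "Next" item asks for, written here as an added example in Python rather than taken from Koha or its add_html_filters.pl: it walks a Template Toolkit fragment (a constructed sample, not a Koha template) and reports every output directive whose final filter is not html, uri, url or raw, the filters this commit treats as acceptable. The TT_KEYWORDS set and the single-`=` assignment heuristic are this example's own assumptions about directive syntax.

```python
import re

# Filters the commit message treats as acceptable on an output directive.
ALLOWED_FILTERS = {"html", "uri", "url", "raw"}

# TT directive keywords that do not emit a value and so need no filter (assumed list).
TT_KEYWORDS = {
    "IF", "ELSIF", "ELSE", "UNLESS", "FOREACH", "FOR", "WHILE", "SWITCH", "CASE",
    "END", "INCLUDE", "PROCESS", "WRAPPER", "BLOCK", "SET", "DEFAULT", "USE",
    "MACRO", "FILTER", "TRY", "CATCH", "FINAL", "THROW", "RETURN", "STOP", "NEXT",
    "LAST", "BREAK", "CLEAR", "META", "TAGS", "DEBUG", "PERL", "RAWPERL", "CALL", "INSERT",
}

# Matches [% ... %], [%- ... -%] and [%+ ... +%] directives, possibly spanning lines.
DIRECTIVE_RE = re.compile(r"\[%[-+]?(.*?)[-+]?%\]", re.DOTALL)

def is_output_directive(body):
    """True if the directive prints a value (not a keyword, comment or assignment)."""
    if not body or body.startswith("#"):
        return False
    first = re.split(r"[\s(]", body, maxsplit=1)[0]
    if first in TT_KEYWORDS:
        return False
    # A bare `=` (not ==, !=, <=, >=, =>) makes the directive an implicit SET.
    return re.search(r"(?<![=!<>])=(?![=>])", body) is None

def find_unfiltered(template_text):
    """Return (line, body) for each output directive whose last filter is not allowed."""
    findings = []
    for m in DIRECTIVE_RE.finditer(template_text):
        body = m.group(1).strip()
        if not is_output_directive(body):
            continue
        parts = [p.strip() for p in body.split("|")]  # filters follow the pipe
        last_filter = parts[-1].split()[0] if len(parts) > 1 else ""
        if last_filter not in ALLOWED_FILTERS:
            findings.append((template_text.count("\n", 0, m.start()) + 1, body))
    return findings

# Constructed sample template, not taken from Koha; two directives lack a filter.
SAMPLE_TEMPLATE = """[% INCLUDE 'doc-head-open.inc' %]
<td>[% patron.surname | html %], [% patron.firstname | html %]</td>
<td>[% patron.cardnumber %]</td><td>[% debarment.comment | raw %]</td>
<a href="/cgi-bin/koha/circ/circulation.pl?borrowernumber=[% patron.borrowernumber | uri %]">
[% IF patron.dateofbirth %][% patron.dateofbirth %][% END %]"""

if __name__ == "__main__":
    for line, body in find_unfiltered(SAMPLE_TEMPLATE):
        print(f"line {line}: [% {body} %] has no html/uri/url/raw filter")
```

Project filters beyond these four (a date-formatting plugin, for instance) would have to be added to ALLOWED_FILTERS, which is the gap the commit's "certainly others that I am forgetting" points at.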
We lost the ability to place multiple holds when we are searching for
patrons. The multi_holds parameter is lost and not handled correctly in
the template.
Test plan:
- Make sure you can place multiple holds for a patron you will search for
- Same for simple hold
TODO: the multiple holds view should not be displayed if only 1 record
has been selected from the search result.
Signed-off-by: claude brayer <claude.brayer@cea.fr>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
This patch fixes a bug caused by the changes in Bug 19641. JavaScript
embedded in circ-patron-search-results.inc executes before jQuery is
loaded.
This patch adds a separate JavaScript file which can be included both in
circulation.tt and request.tt since both use the same include.
To test, apply the patch and submit a patron name in the check out form.
On the page of search results, clicking a table row should work the same
as clicking the patron name link.
Perform the same test during the hold process: Locate and place a hold
on a title. In the patron search form, submit a patron name and test the
behavior of the search results screen.
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
When searching for a patron from the circulation tab, the results table
shows the date of birth unformatted.
Test plan:
Apply this patch, search for patrons in the circ tab and confirm that
the dates of birth are correctly formatted according to the dateformat
syspref.
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
This patch adds a new syspref 'DefaultPatronSearchFields' which defines
the fields that should be used when searching for a patron if none are
defined.
To test:
1 - Apply patch, updatedatabase
2 - Ensure patron search has not changed
3 - Add dateofbirth to new pref
4 - Ensure things work well
5 - Experiment with adding and removing other fields from borrowers
table
6 - prove t/db_dependent/Utils/Datatables_Members.t
Tested together with followup. Works as described.
Signed-off-by: Marc Véron <veron@veron.ch>
Bug 14874 (QA Followup)
Fix atomicupdate file name
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
This patch changes the default sort of patron quick search results from
the circulation header search or when searching for a patron during the
hold process.
To test:
In Circulation:
- Perform a search by name for a patron which will
return multiple search results.
- Confirm that the results are sorted by patron name.
In the catalog:
- Locate and place a hold on a title.
- When prompted to select a patron to place the hold for, perform a
search by name which will return multiple results.
- Confirm that the results are sorted by patron name.
Followed test plan, works as expected.
Signed-off-by: Marc Véron <veron@veron.ch>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Test plan:
On circ/circulation-home.pl and reserve/request.pl, search for patrons
The descriptions for the libraries and patron categories should be
displayed.
Signed-off-by: Bernardo Gonzalez Kriegel <bgkriegel@gmail.com>
On top of Bug 13336
Works as described, now descriptions instead of codes.
No errors
Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
https://bugs.koha-community.org/show_bug.cgi?id=16455
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Bug 15793 made a change to an interface which is also found in the place
hold template. This patch creates a new include file to be used by both
circulation.tt and request.tt so that these pages do not diverge.
In the process, this patch removes some markup and JavaScript which was
made obsolete by Bug 15793 and should have been removed.
This patch also revises the sorting of the results table so that the
patron name is sortable (Bug 16334) and the default sort is on card
number (matching 3.20.x and 3.22.x).
To test:
In Circulation:
- Perform a search by name for a patron which will
return multiple search results.
- The table of results which displays should look correct and work
correctly, including DataTables sorting.
- Clicking any table row should forward you to the checkout page for
that patron.
In the catalog:
- Locate and place a hold on a title.
- When prompted to select a patron to place the hold for, perform a
search by name which will return multiple results.
- Confirm that the table of patron results looks correct and works
correctly.
- Clicking any table row should forward you to the place hold page for
that patron and the title you selected.
Revision: Although the table row was clickable, you couldn't
middle-click it to open the link in a new tab. The patron name is now a
real link you can middle-click or right-click. The row is still
clickable as well.
Signed-off-by: Aleisha <aleishaamohia@hotmail.com>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Signed-off-by: Brendan Gallagher <brendan@bywatersolutions.com>