Here we go, next step then.
As we did not fix the performance issue when autofiltering
the variables (see bug 20975), the only solution we have is to add the
filters explicitely.
This patch has been autogenerated (using add_html_filters.pl, see next
pathces) and add the html filter to all the variables displayed in the
template.
Exceptions are made (using the new 'raw' TT filter) to the variable we
already listed in the previous versions of this patch.
To test:
- Use t/db_dependent/Koha/Patrons.t to populate your DB with autogenerated
data which contain <script> tags
- Remove them from borrower_debarments.comments (there are allowed here)
update borrower_debarments set comment="html tags possible here";
- From the interface hit page and try to catch alert box.
If you find one it means you find a possible XSS.
To know where it comes from:
* note the exact URL where you found it
* note the alert box content
* Dump your DB and search for the string in the dump to identify its
location (for instance table.field)
Next:
* Ideally we would like to use the raw filter when it is not necessary
to HTML escape the variables (in big loop for instance)
* Provide a QA script to catch missing filters (we want html, uri, url
or raw, certainly others that I am forgetting now)
* Replace the html filters with uri when needed (!)
Signed-off-by: Owen Leonard <oleonard@myacpl.org>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
This patch makes 2 changes:
1 - Global datepicker defaulted to c-100:c+10
2 - Dateofbirth datepicker defaulted to c-100:c
To test:
1 - Open some date pickers (patron entry, subscriptions, anywhere really)
- Make sure to check some dateofbirth datepickers
2 - Note that default is 10 years in either direction, updated when you
select
3 - Apply patch
4 - Note we now get -100 years / +10 years from current selection
5 - Now find a dateofbirth datepicker and note default is -100:+0
6 - Sign off
Signed-off-by: Marc Véron <veron@veron.ch>
Signed-off-by: Josef Moravec <josef.moravec@gmail.com>
Signed-off-by: Josef Moravec <josef.moravec@gmail.com>
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Tested 3 patches together on current master
- Dropped database
- Recreated database
- Went through installer
- Language en, Marc21
- Installed mandatory data only
- Went through Onboarding tool
- After finishing, logged in as superlibrarian
that was created by onboarding tool
Everything worked fine.
Signed-off-by: Marc Véron <veron@veron.ch>
Signed-off-by: Marc Véron <veron@veron.ch>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Iso dates are yyyy-mm-dd, the is_valid JS function
expects \d{2}-\d{2}-\d{4} when it should be \d{4}-\d{2}-\d{2}
Test plan:
Switch DateFormat to iso
Set a due date using the datepicker
=> Should work as expected
Signed-off-by: Mark Tompsett <mtompset@hotmail.com>
Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
01/01/01984 should not be considered as a valid date.
Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
If a date does not contain leading zeros for day and month, the date
will be refused.
parseDate function considers 1/1/1990 as a valid date, but our perl code
does not. We must refuse it.
Signed-off-by: Owen Leonard <oleonard@myacpl.org>
Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Signed-off-by: Owen Leonard <oleonard@myacpl.org>
Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Signed-off-by: Owen Leonard <oleonard@myacpl.org>
Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Before this patch, the user was still allowed to enter a valid date.
Now, if the date is not valid, the input is emptied.
Signed-off-by: Owen Leonard <oleonard@myacpl.org>
Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
The date format is now displayed on the warning popup.
Signed-off-by: Owen Leonard <oleonard@myacpl.org>
Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
In order to remove accessibility issues due to the readonly attributes
on date inputs, this patch will remove them and introduce a javascript
validation on them.
This patch is not perfect for some reason:
I didn't manage to force the user to select a valid date. One solution
would be to reopen the datepicker plugin until a valid date is inserted.
But it could be annoying for users (and for me: I did not manage to
implement this solution).
You will note that input is emptied if the date is not valid. This is a
quick and efficient solution to prevent submitting invalid date and make
Koha explodes. A proper solution would be to implement the check server
side send a friendly message to the user.
Test plan:
For all inputs, try an invalid and a valid date.
1/ Debar a patron
2/ On the checkout tables (circulation and moremember), add a renewal
due date (at the bottom of the tables)
3/ On the checkout page, specify a due date
4/ On the return page, specify a return date
5/ On the invoice page (acquisition module), enter a shipment and
billing date
6/ On the invoice search page (invoices.pl) use filters shipment and
billing dates
7/ On the offline circ page, specify a due date
8/ On the edit patron page (memberentry), add a debarment
9/ On the reserve page (reserve/request.pl), use the date inputs to
suspend until a defined date
10/ Edit patrons in a batch (tools/modborrowers.pl) and use the
registration and expiry date inputs
Signed-off-by: Owen Leonard <oleonard@myacpl.org>
Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
This patch is to display corrextly the new dmydot date format e.g. after
using the datepicker or in messages for the user, in following files:
- koha-tmpl/intranet-tmpl/prog/en/includes/calendar.inc
- koha-tmpl/intranet-tmpl/prog/en/includes/date-format.inc
- koha-tmpl/intranet-tmpl/prog/en/includes/patron-search.inc
- koha-tmpl/intranet-tmpl/prog/en/modules/tools/holidays.tt
- koha-tmpl/opac-tmpl/bootstrap/en/includes/calendar.inc
- tools/holidays.pl
To test:
- Apply patch
- Make sure that you have syspref dateformat set to dmydot
- Use datepicker in OPAC (modify birth date), verify that after
choosing a date, it is displayed correctly in the datepicker
- Use datepicker at several places in OPAC, verify that after choosing
a date the date displays properly in datepicker and that the dater format
is properly indicated (e.g. near birth date or near "Specify due date").
- Verify that datepicker works well with hoiday editing and that "From date:"
displays properly
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
- new TT plugin for Borrowers, that at present supplies
a method for determining if the patron is restricted
- setting the default value of SpecifyReturnDate to false
during upgrade to avoid an unwelcome surprise
- validate the return date on the client side before
allowing the form to be submitted.
Signed-off-by: Petter Goksoyr Asen <boutrosboutrosboutros@gmail.com>
Signed-off-by: Katrin Fischer <Katrin.Fischer.83@web.de>
Signed-off-by: Galen Charlton <gmc@esilibrary.com>
- the dateformat value is send to all templates (from
C4::Auth::get_template_and_user)
- remove all assignment of dateformat in all .pl files
- Remove "all" occurrences (those I found!) of dateformat_*
From now the only way to get the date format is a string comparaison
(dateformat == "metric")
Checked with the command:
git grep "\(dateformat_us\|dateformat_metric\|dateformat_iso\)" | grep
-v translator
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Tested all the datepickers I could find, looks good.
Signed-off-by: Paul Poulain <paul.poulain@biblibre.com>
Signed-off-by: Galen Charlton <gmc@esilibrary.com>
Signed-off-by: Owen Leonard <oleonard@myacpl.org>
I tested most scripts affected by this patch and visually verified
all changes. Functionality is unaffected.
Signed-off-by: Mason James <mtj@kohaaloha.com>
Signed-off-by: Jared Camins-Esakov <jcamins@cpbibliography.com>
When I replaced the old calendar widget with the jQueryUI version
we lost a JavaScript function which is required by a couple of
pages: Date_from_syspref. This patch adds the function back
to the calendar include and corrects variables in the two
affected templates to make it work again.
To test:
- create a new contract. Submitting should work properly and
without JavaScript errors.
- Open the serials claims page (serials/claims.pl) and filter
the results by date. Submitting the filter form should
work properly and without JavaScript errors.
Signed-off-by: Nicole C. Engard <nengard@bywatersolutions.com>
Both tests passed.
Signed-off-by: Paul Poulain <paul.poulain@biblibre.com>
All instances of the old DynArch calendar have been replaced with
jQueryUI versions and the old library files have been removed.
calendar.inc has been modified to include jQueryUI localization
strings and global configuration options. Just add a "datepicker"
class to an input field to trigger a datepicker prompt.
If you would like two fields in one from to limit each other (one
is date from, one is date to), add these classes to each:
"datepickerfrom" and "datepickerto." This will prevent an invalid
entry, e.g. a date in the latter which falls before the former.
jQueryUI is now upgraded to the latest verision, 1.8.21.
Edit: Now with proper translatability, date formatting, first day
of the week handling, and RTL support.
Signed-off-by: Chris Cormack <chrisc@catalyst.net.nz>
Signed-off-by: Ian Walls <koha.sekjal@gmail.com>
QA Comment: rebased on current master; minor merge conflicts with other patches pushed
Signed-off-by: Paul Poulain <paul.poulain@biblibre.com>
This patch copies the calendar's language strings from a stand-
alone javascript file into calendar.inc where they can be
translated along with other strings.
Signed-off-by: Katrin Fischer <Katrin.Fischer.83@web.de>
Signed-off-by: Chris Cormack <chrisc@catalyst.net.nz>
This is likely the durable fix to bridge the gap between syspref on the server
and client side validation scripts. It may be useful to separate Date_from_syspref
from the calendar js, but at this time their applicability is 1-to-1.
Note also js debug variable and CGI param('debug') responsiveness.
Signed-off-by: Chris Cormack <crc@liblime.com>
Signed-off-by: Joshua Ferraro <jmf@liblime.com>
Output.pm: sanatizing variable names
ran perl -pi~ -e 's/\/includes\/calendar\//\/lib\/calendar\//' * in every staff template dir
Signed-off-by: Chris Cormack <crc@liblime.com>
cvs -z3 -d:ext:kados@cvs.savannah.nongnu.org:/sources/koha co -P koha
find koha.precrash -type d -name "CVS" -exec rm -v {} \;
cp -r koha.precrash/* koha/
cd koha/
cvs commit
This should in theory put us right back where we were before the crash
