This addresses comment #13.
This also applies cleanly.
Signed-off-by: Owen Leonard <oleonard@myacpl.org>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
Here we go, next step then.
As we did not fix the performance issue when autofiltering
the variables (see bug 20975), the only solution we have is to add the
filters explicitely.
This patch has been autogenerated (using add_html_filters.pl, see next
pathces) and add the html filter to all the variables displayed in the
template.
Exceptions are made (using the new 'raw' TT filter) to the variable we
already listed in the previous versions of this patch.
To test:
- Use t/db_dependent/Koha/Patrons.t to populate your DB with autogenerated
data which contain <script> tags
- Remove them from borrower_debarments.comments (there are allowed here)
update borrower_debarments set comment="html tags possible here";
- From the interface hit page and try to catch alert box.
If you find one it means you find a possible XSS.
To know where it comes from:
* note the exact URL where you found it
* note the alert box content
* Dump your DB and search for the string in the dump to identify its
location (for instance table.field)
Next:
* Ideally we would like to use the raw filter when it is not necessary
to HTML escape the variables (in big loop for instance)
* Provide a QA script to catch missing filters (we want html, uri, url
or raw, certainly others that I am forgetting now)
* Replace the html filters with uri when needed (!)
Signed-off-by: Owen Leonard <oleonard@myacpl.org>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
This patch set does several things:
- it removes USER_INFO and BORROWER_INFO
These 2 variables contained logged-in patron's info. They must be
accessed from logged_in_user
- Use patron-title.inc for the breadcrumb at the OPAC, for consistencies
Signed-off-by: Owen Leonard <oleonard@myacpl.org>
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
This patch adds a new "share" icon to the sprite image used to style
controls in the OPAC. The "share list" links now have a "sharelist"
class which is used to style the links with the new icon.
Also changed: Fixed the page structure markup of opac-shareshelf.tt.
To test you must have the OpacAllowSharingPrivateLists system preference
enabled.
- Log in to the OPAC and go to Lists -> Your lists.
- Create one or more private lists if necessary.
- In the table of your lists there should be a "Share" link with the
new icon.
- View one of these lists and confirm that the "Share" link at the top
of the table of list items.
- Click through to the share list page and confirm that the page looks
correct.
Signed-off-by: Séverine QUEUNE <severine.queune@bulac.fr>
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
This patch is a reimplementation of the original from Indranil Das Gupta
and the QA follow-up from Julian Maurice. Original test plan:
Conformance rules for HTML5 is generating warnings for <script> element
with type="text/javascript" attribute when the OPAC page is checked
with W3C Validator. This patch removes the cause of these warnings.
Test plan
=========
1/ Paste the URL to your OPAC page (if it is hosted) to W3C Validator
and watch about 10+ warnings being generated by the validator.
2/ Apply patch and re-submit the page to the Validator. The warnings
would be gone.
Signed-off-by: Jon Knight <J.P.Knight@lboro.ac.uk>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
To test
1/ Go to /cgi-bin/koha/opac-shareshelf.pl?op="><script>alert('XSS')</script>&shelfnumber=5
2/ Notice you see a js alert
3/ Apply patch
4/ It is gone
Reported by
Alex Middleton at Dionach
Signed-off-by: Chris Cormack <chris@bigballofwax.co.nz>
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Brendan Gallagher <brendan@bywatersolutions.com>
Test plan:
- Create a list with the name "<script>alert(1)</script>"
- On the shelf list, click on share
=> Without this patch you will see the JS alert
=> With this patch applied you won't see it
Reported by Kaybee at Dionach
Signed-off-by: Chris Cormack <chrisc@catalyst.net.nz>
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Brendan Gallagher <brendan@bywatersolutions.com>
This subroutine does a lot a processing and should only be called when
necessary.
In the get_template_and_user subroutine (so called from any pages of
Koha), it is call to pass the branchcode, title, firstname, surname and
borrowernumber values for the logged in user.
This subroutine calls GetMemberAccountRecords which retrieve the items
infos for all accountlines entries of the logged in user.
On members/members.pl, let's say you have 74 entries in the accountlines
tables, the page will execute 115 SELECT instead of 35 if you don't have any
accountlines entries.
With this patch, the number of SELECT is always 31.
To test this patch you should have technical skills to know what to do.
Note that USER_INFO was an array of... 1 element. Now it's a hashref.
Signed-off-by: Marc Véron <veron@veron.ch>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
See comment 171 and 172 for more details.
This patch mainly fixes typo or silly error in templates.
It also uses the relationships added by previous patch to join the
biblioitems and items tables (changes in opac-shelves.pl and
shelves.pl).
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
Bug 14544: Fix redirect on editing a list
If you edit a list from the list view, after saving the form, you are
not redirected to the list view (but on the edit form).
Bug 14544: Cosmetic: › should be a class divider
Signed-off-by: Alex Arnaud <alex.arnaud@biblibre.com>
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
The original concern of bug 14266 was to provide a compatibility for
<IE9.
But actually we don't need to trim the email address template side.
It will even better to trim it in the perl script, so that the email
will be trimed even if JS is disabled.
Test plan:
1/ Share a list and does not provide any email address
2/ Submit
=> The form is not submited, no alert/message is displayed (same as
before this patch).
3/ Share a list and provide an email address with spaces before and
after
4/ Submit
=> You should receive the email
Signed-off-by: Indranil Das Gupta (L2C2 Technologies) <indradg@gmail.com>
Test output compliant with expected test plan outcome.
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Signed-off-by: Tomas Cohen Arazi <tomascohen@gmail.com>
This patch replaces trim() with $.trim() which is supported
in versions of IE older than IE9.
Revised test plan
=================
Before applying patch:
0) Use IE 8 or Document Mode 8 in a newer IE using F12 Developer Tools
1) Set OpacAllowSharingPrivateLists to "Allow" in Global System Preferences
2) Create a private list in the OPAC
3) Add a record to the private list
4) Click "Share" or "Share list" on one of the list screens
5) Type in an email address and click "Send"
6) Note the error in the console log
7) The page should submit
Apply the patch:
7) Hold shift + refresh the browser to update any Javascript cache
8) Try to "Share" the list again
9) Note that the form submit after clicking "Send" and
that there are no errors in the console log
http://bugs.koha-community.org/show_bug.cgi?id=14266
Signed-off-by: Indranil Das Gupta <indradg@gmail.com>
Remarks: Works as per revised test plan
Signed-off-by: Tomas Cohen Arazi <tomascohen@gmail.com>
The email field for sharing a list with another patron is
a bit short.
To test:
- Make sure OpacAllowSharingPrivateLists is activated
- Create a list in OPAC
- Use the "Share list" link to share with another user
- Check the length of the email field and if you like it
better with this patch applied
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Tomas Cohen Arazi <tomascohen@gmail.com>
This patch adjusts two instances where Koha says that an email has
been sent while it is just enqueued (put in the message queue). The
crontab example still suggests to run process_message_queue once an hour
and the manual even speaks about 1-4 hours.
In the process of selfregistration and sharing a shelf, I have adjusted
the text "has been sent" to "will be sent shortly". This covers imo
the one-hour frequency.
When writing this patch, I have examined all calls of EnqueueLetter;
I only found these two occurrences to be of interest.
Note: I would recommend to increase this frequency in the documentation,
but consider that for now to be outside the scope of this report.
Test plan:
[1] Self-register a new user with verification by email required. Look at
the text when you submit your data.
[2] Share a list with someone else. Look at the text when you submit the
invitation.
Signed-off-by: Chris Cormack <chris@bigballofwax.co.nz>
Signed-off-by: Katrin Fischer <Katrin.Fischer.83@web.de>
Works as described, small string change.
Signed-off-by: Tomas Cohen Arazi <tomascohen@gmail.com>
This patch adds a branch sepecific class to all OPAC pages.
Example:
If not logged in, opac-main.pl displays:
<body ID="opac-main" class="branch-default" >
If logged in at branch FFL, it displays:
<body ID="opac-main" class="branch-FFL" >
If you log in, opac-user.pl should display
<body ID="opac-user" class="branch-FFL scrollto" >
To test:
1)
Apply patch.
2)
Add to syspref OPACUserCSS something highly visible, e.g. for branch FFL:
.branch-FFL {
background-color: yellow;
border: 10px solid red;
}
3)
Go to OPAC and login in with a user with home branch FFL
4)
Verify that colors change as appropriate.
5)
Log out. Verify that colors display as before or as defined in class branch-default in OPACUserCSS
6)
Display patch in patch diff view, verify that ids and classes in body tag are consistent with params bodyid and bodyclass in INCLUDE line
7)
Search for regressions
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Signed-off-by: Jonathan Druart <jonathan.druart@biblibre.com>
Signed-off-by: Tomas Cohen Arazi <tomascohen@gmail.com>
[1] Use loop variable instead of $_ in opac-shareshelf.pl
[2] Adds Cancel button to Invite form (prog and bootstrap) in
opac-shareshelf.tt. Likewise adds Return link under an error
message in opac-shareshelf.tt.
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Jonathan Druart <jonathan.druart@biblibre.com>
Signed-off-by: Galen Charlton <gmc@esilibrary.com>
Adds new template opac-shareshelf.tt.
Modifies template opac-shelves.tt: Share button, Remove Share button,
label "Your lists" instead of "Your private lists", list category
Shared.
Test plan:
Verify if the Share a list-features work in bootstrap by:
[1] Switch to bootstrap. Go to Lists.
[2] Share one of your private lists.
[3] Login as another user and accept the invitation.
[4] Remove the share again.
[5] Check if Share and Remove share do not popup for public lists.
Signed-off-by: Dobrica Pavlinusic <dpavlin@rot13.org>
Signed-off-by: Jonathan Druart <jonathan.druart@biblibre.com>
Signed-off-by: Galen Charlton <gmc@esilibrary.com>
