Here we go, next step then.
As we did not fix the performance issue when autofiltering
the variables (see bug 20975), the only solution we have is to add the
filters explicitly.
This patch has been autogenerated (using add_html_filters.pl, see next
patches) and adds the html filter to all the variables displayed in the
template.
Exceptions are made (using the new 'raw' TT filter) for the variables we
already listed in the previous versions of this patch.
To test:
- Use t/db_dependent/Koha/Patrons.t to populate your DB with autogenerated
data which contain <script> tags
- Remove them from borrower_debarments.comments (they are allowed here)
update borrower_debarments set comment="html tags possible here";
- From the interface, hit pages and try to catch an alert box.
If you find one it means you have found a possible XSS.
To know where it comes from:
* note the exact URL where you found it
* note the alert box content
* Dump your DB and search for the string in the dump to identify its
location (for instance table.field)
Next:
* Ideally we would like to use the raw filter when it is not necessary
to HTML escape the variables (in big loop for instance)
* Provide a QA script to catch missing filters (we want html, uri, url
or raw, certainly others that I am forgetting now)
* Replace the html filters with uri when needed (!)
Signed-off-by: Owen Leonard <oleonard@myacpl.org>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
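The procedure described above (add the html filter to every displayed variable, allow raw only for listed exceptions, and later provide a QA script that catches missing filters) can be illustrated with a small checker. This is an added example, not Koha's add_html_filters.pl or any of its QA scripts, and it is written in Python rather than Perl for brevity. The template fragment, the patron fields it references and the <script> payload are constructed for the example; it assumes the raw filter is written as `$raw` in templates (the leading `$` is simply stripped, so a plain `raw` is accepted too) and only looks at the last filter of each output directive.

```python
"""Toy QA checker for Template Toolkit output directives lacking an escape filter.

Added example, not Koha code. Flags [% var %] directives whose last filter is
not one of html / uri / url / raw, and shows what the `html` filter does to a
stored <script> payload. Sample template and data are constructed here.
"""
import re

# Directive keywords that print nothing (control flow, assignment, includes);
# they need no filter. Case-sensitive, as TT keywords are upper-case.
CONTROL_KEYWORDS = {
    "IF", "ELSIF", "ELSE", "UNLESS", "END", "FOREACH", "WHILE", "SET",
    "USE", "INCLUDE", "PROCESS", "BLOCK", "WRAPPER", "SWITCH", "CASE",
    "DEFAULT", "LAST", "NEXT", "RETURN", "STOP", "TRY", "CATCH", "FINAL",
    "THROW", "CLEAR", "META", "MACRO", "FILTER", "INSERT", "GET", "CALL",
}
# The filters the commit message lists as acceptable on a displayed variable.
ACCEPTED_FILTERS = {"html", "uri", "url", "raw"}

DIRECTIVE_RE = re.compile(r"\[%-?\s*(.*?)\s*-?%\]", re.DOTALL)
LEADING_WORD_RE = re.compile(r"[A-Za-z_]+")
ASSIGNMENT_RE = re.compile(r"^[\w.]+\s*=(?!=)")   # `x = y`, but not `x == y`


def html_filter(value: str) -> str:
    """Mimic Template Toolkit's built-in `html` filter (escapes & < > \")."""
    return (value.replace("&", "&amp;")
                 .replace("<", "&lt;")
                 .replace(">", "&gt;")
                 .replace('"', "&quot;"))


def last_filter(expr: str):
    """Name of the last `| filter` applied in a TT expression, or None."""
    if "|" not in expr:
        return None
    _, tail = expr.rsplit("|", 1)
    name = tail.strip().lstrip("$")      # assumption: Koha writes the raw filter as `$raw`
    m = LEADING_WORD_RE.match(name)
    return m.group(0) if m else None


def is_output_directive(inner: str) -> bool:
    """True when the directive prints a value (not a comment, keyword or assignment)."""
    if not inner or inner.startswith("#"):
        return False
    m = LEADING_WORD_RE.match(inner)
    if m and m.group(0) in CONTROL_KEYWORDS:
        return False
    if ASSIGNMENT_RE.match(inner):
        return False
    return True


def find_unfiltered(template_text: str):
    """Return (line, directive) pairs for output directives without an accepted filter.

    Limitation: a directive holding several `;`-separated statements is judged
    by its last filter only, which is enough for the one-variable-per-directive
    style the autogenerated patch produces.
    """
    findings = []
    for m in DIRECTIVE_RE.finditer(template_text):
        inner = m.group(1)
        if not is_output_directive(inner):
            continue
        if last_filter(inner) in ACCEPTED_FILTERS:
            continue
        line = template_text.count("\n", 0, m.start()) + 1
        findings.append((line, inner))
    return findings


# Constructed fragment in the style of a patron entry template; not from Koha.
SAMPLE_TEMPLATE = """\
[% USE Koha %]
[%# Constructed fragment for the example; not from Koha %]
<h1>[% patron.firstname | html %] [% patron.surname | html %]</h1>
[% FOREACH debarment IN patron.debarments %]
  <p class="debarment">[% debarment.comment | $raw %]</p>
[% END %]
<input name="city" value="[% patron.city %]" />
<a href="/cgi-bin/koha/members/moremember.pl?borrowernumber=[% patron.borrowernumber | uri %]">Details</a>
[% IF ( patron.email ) %]<p>[% patron.email %]</p>[% END %]
"""

if __name__ == "__main__":
    for line, directive in find_unfiltered(SAMPLE_TEMPLATE):
        print(f"line {line}: missing html/uri/url/raw filter on [% {directive} %]")
    payload = '<script>alert("xss")</script>'   # constructed, like the Patrons.t data
    print("html filter:", html_filter(payload))
```

Run against the constructed template, the checker reports `patron.city` (line 7) and `patron.email` (line 9) as unfiltered, leaves the `$raw` debarment comment alone because that exception is explicit, and shows the payload rendered inert as `&lt;script&gt;...`. Note that the `html` filter is the wrong tool for a value placed in a URL query string, which is what the "replace the html filters with uri when needed" item above refers to.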
In order to simplify and make uniform the code, the controller scripts send
a Koha::Patron object to the templates instead of all attributes of a patron.
That will make the code much easier to maintain and less error-prone.
The variable "patron" sent to the templates is supposed to represent the
patron whose details the librarian is editing.
In the members module and some scripts of the circulation module, the
patron's details are sent one by one to the template. That leads to
frustration for developers (making sure everything is passed from all
scripts) and to regressions (we got tons of bugs in the last year because
of this way of doing things).
With this patch set it will be easy to access the patron's details, passing only
1 variable from the controllers.
Test plan:
Play with the patron and circulation modules and make sure the details of
the patron you are editing/viewing are correctly displayed.
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Signed-off-by: Josef Moravec <josef.moravec@gmail.com>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
This patch modifies the include files which contain the form fields for
city, state, zipcode, etc. shown on the patron entry screen. The files
are modified so that the city/state/zip <select> preselects a value
based on city, state, and zipcode matching the values in the
corresponding text fields.
To test, confirm that the bug's steps to reproduce are fixed:
- Enter two cities via Administration -> Patrons and circulation
-> Cities and towns:
Springfield, MA 01101
Springfield, VT 05156
- Edit a patron choosing, Springfield VT, and save.
- Edit the patron again and confirm that the correct city is
pre-selected.
- Confirm this result with all three different settings of the
"AddressFormat" system preference.
Signed-off-by: Amit Gupta <amit.gupta@informaticsglobal.com>
Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
From C4::Koha::GetAuthorisedValues
# TODO: the "selected" feature should be replaced by a utility function
# somewhere else, it doesn't belong in here. For starters it makes
# caching much more complicated. Or just let the UI logic handle it, it's
# what it's for.
Indeed, it's not a job for a subroutine, the template should take care of that.
Note that a perf gain could be won with this patch \o/
Test plan:
- Edit an itemtype and check the value of the "Search category" dropdown list
- Edit a patron attribute type and check the value of the "Class" dropdown list
- Detail for a catalogue record, the Status column should be correctly
populated if items are damaged and/or lost
- Item details for a catalogue record, the lost, damaged and withdrawn
value should be correctly displayed
- Edit a patron, the "street type" should be correctly selected
- Create a patron attribute type linked to an authorised value list.
- Edit a patron, set a value for this attribute, edit it again. The
correct value should be selected.
- Search for subscriptions. The 'Location' dropdown list should behave
correctly (select the entry you have chosen before, etc.)
- Edit a subscription, the location dropdown list should select the
correct value.
- Edit and view a suggestion with a 'reason for suggestion' set (you
should have at least 1 OPAC_SUG AV defined)
Followed test plan, works as expected
Signed-off-by: Marc Véron <veron@veron.ch>
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
Signed-off-by: Brendan Gallagher <brendan@bywatersolutions.com>
C4::Members::getidcity and C4::Members::GetCities simply retrieved
cities info from the cities table.
The job done in members/memberentry.pl looked really weird and complicated.
Either I have missed something, or this patch can simplify it.
The expected behavior is:
1. Create a new patron => No city selected
2. Edit an existing patron => The borrowers.city value is selected
3. Add a guarantee => The borrowers.city of the guarantor is selected
4. Edit a guarantee => The borrowers.city of the guarantee is selected
Test plan:
Confirm that the expected behaviors are the ones before and after this patch.
Signed-off-by: Natasha <tasham_8@hotmail.com>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Signed-off-by: Brendan Gallagher <brendan@bywatersolutions.com>
This patch fixes a translatability issue due to <strong> tags.
To verify:
- Make sure that you have some entries in 'Cities and Towns'
( Home > Administration > Cities )
- Edit the main address of a patron's details
- Locate field "City", at the right you have the text 'or choose'
followed by a drop-down ('choose' is bold)
- change language e.g. to German, the text reads 'or auswählen'
(instead of 'oder auswählen')
- This is due to the <strong> tags around 'choose'
To test:
- Apply patch
- Verify that the <strong> tags around 'choose' are removed in:
koha-tmpl/intranet-tmpl/prog/en/includes/member-main-address-style-de.inc
koha-tmpl/intranet-tmpl/prog/en/includes/member-main-address-style-us.inc
Signed-off-by: Frédéric Demians <f.demians@tamil.fr>
Obvious issue/solution
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Signed-off-by: Brendan A Gallagher <brendan@bywatersolutions.com>
To test:
1) Login to OPAC --> Your personal details.
2) Ensure it says 'ZIP/Postal Code' under Main Address, Alternate Address and Alternate Contact
3) Login to Staff interface --> Go to a member's page (ie koha/members/memberentry.pl) --> Details.
4) Ensure it says 'ZIP/Postal Code' under Alternate address and Alternative contact
5) Click Edit
6) Ensure it says 'ZIP/Postal Code' under Main Address, Alternate Address and Alternate Contact
Signed-off-by: Barry Cannon <bc@interleaf.ie>
Signed-off-by: Mark Tompsett <mtompset@hotmail.com>
NOTE: Tested together with second patch.
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
This patch extracts the address blocks in memberentrygen.tt to include files.
To test: The overall functionality should remain the same with this patch.
In further steps, more country- or region-dependent includes could be added, along with functionality to select them using a system preference.
Signed-off-by: Mirko Tietgen <mirko@abunchofthings.net>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Signed-off-by: Tomas Cohen Arazi <tomascohen@gmail.com>