Here we go, next step then.
As we did not fix the performance issue when autofiltering
the variables (see bug 20975), the only solution we have is to add the
filters explicitely.
This patch has been autogenerated (using add_html_filters.pl, see next
pathces) and add the html filter to all the variables displayed in the
template.
Exceptions are made (using the new 'raw' TT filter) to the variable we
already listed in the previous versions of this patch.
To test:
- Use t/db_dependent/Koha/Patrons.t to populate your DB with autogenerated
data which contain <script> tags
- Remove them from borrower_debarments.comments (there are allowed here)
update borrower_debarments set comment="html tags possible here";
- From the interface hit page and try to catch alert box.
If you find one it means you find a possible XSS.
To know where it comes from:
* note the exact URL where you found it
* note the alert box content
* Dump your DB and search for the string in the dump to identify its
location (for instance table.field)
Next:
* Ideally we would like to use the raw filter when it is not necessary
to HTML escape the variables (in big loop for instance)
* Provide a QA script to catch missing filters (we want html, uri, url
or raw, certainly others that I am forgetting now)
* Replace the html filters with uri when needed (!)
Signed-off-by: Owen Leonard <oleonard@myacpl.org>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Amended: simplified if-then-else around cur_field.setIndicator[12].
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
TO test:
1 - Have an authority with some indicators
2 - Link a field in rancor to that authority
3 - See that you get some indicators (same in unimarc, diff in marc21)
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
This patchset adds the ability to use the authorities search to select
or clear fields in the advanced editor
To test:
1 - Open a record in the advanced cataloging editor
2 - Press 'Ctrl+L' while in a field that shuold not be linked to
authorities (300 for instance)
3 - Nothing should happen
4 - Try it in a field that should be linked
5 - You should get the authorities pop-up
6 - Values in pop-up should be populated from values in record (as
appropriate for authority type)
7 - Correct authority type should be selected ( PERSO_NAME for 100,
TOPIC_TERM for 650, etc.)
8 - Press 'Clear', field should be blanked
9 - Search again and select an authority
10 - Field should be correctly populated
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
If the indicators are not controlled, blinddetail should not overwrite
what the user already entered. Very strictly seen, we could say that it
is outside the scope. But it is strongly related.
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Tested with 100 and 600 in the cataloging editor.
For 100 the second indicator should not be overwritten. For 600 it should.
Also tested "ind2:" which should blank ind2.
Signed-off-by: Josef Moravec <josef.moravec@gmail.com>
Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
This patch updates several single-column Authorities module templates to
use the Bootstrap grid.
- authorities-home - The home page of the Authorities module.
- authorities.tt - The authority add/edit page.
- blinddetail-biblio-search.tt - Not really testable -- It's the small
popup window which appears during the process of linking an authority
to a MARC record.
- detail.tt - The authority detail page. Search for an authority record
and click on the "details" link in the search results.
- merge.tt - From a list of authority search results, select "Merge"
from the Actions menu of two authority records. Test both the initial
selection screen and the source/destination merging view.
- searchresultlist.tt - The authority search results page.
Each of these pages should look correct, with a single centered column
with wide margins on either side. At lower browser widths the margins
should disappear.
Signed-off-by: Claire Gravely <claire.gravely@bsz-bw.de>
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
This patch modifies the staff client patron lists templates so that
JavaScript is included in the footer instead of the header.
To test, apply the patch and test the JavaScript-driven features of
each modified template.
I've made one change to the JavaScript in addition to moving it: I've
made it so that the blank window which pops up briefly in this process
is 100px x 100px instead of full screen.
- Cataloging -> Add or edit bibliographic record in a framework which
has authorities linked to a tag
-> Click authorities plugin link
-> Create new authority button
-> Autocomplete on text inputs (except "Search all headings")
-> Search
-> Select authority record ("choose")
-> Click authorities plugin link again
-> Clear field
Signed-off-by: Claire Gravely <claire_gravely@hotmail.com>
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Select2 (Bug 13501) introduced divs and inputs that broke some assumptions about the expected HTML structure.
This patch checks if input has name attribute, because some inputs in Select2 have not.
To test:
Try to add info from the authorities to field that has subfield with Select2 (subfield with authorised values on Koha 16.11+)
Signed-off-by: Josef Moravec <josef.moravec@gmail.com>
Signed-off-by: Jonathan Druart <jonathan.druart@biblibre.com>
With this patch Koha should correctly copy indicators
(and create $2 subfield in MARC 21 if need) from the chosen authority
record to the edited bibliographic record (according to discussion in
bugzilla). UNIMARC and MARC 21 flavors are covered.
Signed-off-by: Bernardo Gonzalez Kriegel <bgkriegel@gmail.com>
Comment: work as described, testing in comments 9 and 12.
No errors.
Signed-off-by: Katrin Fischer <Katrin.Fischer.83@web.de>
Passes QA script and tests. Tested functionality repeating
some of the tests noted by Bernardo - checking mostly 1xx, 490,
and 7xx.
Signed-off-by: Galen Charlton <gmc@esilibrary.com>
Signed-off-by: Jared Camins-Esakov <jcamins@cpbibliography.com>
Passed-QA-by: Mason James <mtj@kohaaloha.com>
Signed-off-by: Jared Camins-Esakov <jcamins@cpbibliography.com>
Do not automatically populate $9 in bibliographic headings when the
$9 is set in the authorized heading field of the authority record.
Signed-off-by: Jared Camins-Esakov <jcamins@cpbibliography.com>
Signed-off-by: Paul Poulain <paul.poulain@biblibre.com>
This is the first patch for bug 7760 and touches all pages in authorities.
This adds a unique id "auth_<filename>" and a class "auth" to the body tag of
each page in the authorities module.
Signed-off-by: Owen Leonard <oleonard@myacpl.org>
A javascript error could occur if the CloneSubfield function failed for
any reason. This would prevent the popup from disappearing.
Example : Importing informations of a UNIF_TITLE authority with multiple
$x subfields in the biblio's 440 field. 440$x isn't repeatable, so an
error occurs when trying to clone it.
http://bugs.koha-community.org/show_bug.cgi?id=6977
Signed-off-by: Paul Poulain <paul.poulain@biblibre.com>
Before this patch, if we tried to import an authority with multiple $x
subfields into a bibliographic record, only the last value get added
to the form.
All repeated values should now be sent to the form.
Signed-off-by: Jared Camins-Esakov <jcamins@cpbibliography.com>
Signed-off-by: Paul Poulain <paul.poulain@biblibre.com>
Signed-off-by: Ian Walls <ian.walls@bywatersolutions.com>
Signed-off-by: Chris Cormack <chrisc@catalyst.net.nz>
