dcd1f5d48c
Here we go, next step then. As we did not fix the performance issue when autofiltering the variables (see bug 20975), the only solution we have is to add the filters explicitly. This patch has been autogenerated (using add_html_filters.pl, see next patches) and adds the html filter to all the variables displayed in the template. Exceptions are made (using the new 'raw' TT filter) for the variables we already listed in the previous versions of this patch.

To test:
- Use t/db_dependent/Koha/Patrons.t to populate your DB with autogenerated data which contain <script> tags
- Remove them from borrower_debarments.comments (they are allowed here):
  update borrower_debarments set comment="html tags possible here";
- From the interface hit pages and try to catch alert boxes. If you find one it means you found a possible XSS. To know where it comes from:
  * note the exact URL where you found it
  * note the alert box content
  * Dump your DB and search for the string in the dump to identify its location (for instance table.field)

Next:
* Ideally we would like to use the raw filter when it is not necessary to HTML escape the variables (in big loops for instance)
* Provide a QA script to catch missing filters (we want html, uri, url or raw, certainly others that I am forgetting now)
* Replace the html filters with uri when needed (!)

Signed-off-by: Owen Leonard <oleonard@myacpl.org>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
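The commit message's "Next" list asks for a QA script that catches template output directives with no html, uri, url or raw filter, and notes that html must be swapped for uri where a value lands in a URL. The following is an added example of such a check, written for this page; it is not Koha's add_html_filters.pl nor the QA script the message proposes. It assumes the accepted filter names are exactly the four the message lists, that a plugin filter may be spelled with a leading `$` (as in `| $raw`), that the control-keyword list is the usual Template Toolkit set, and that the `href`/`src`/`action` heuristic is a reasonable approximation of "when needed"; the sample template is constructed for the example.

```python
"""Find Template Toolkit output directives that lack an escaping filter.

Added example for this page; it is not Koha's add_html_filters.pl nor the QA
script the commit message proposes.  Assumptions: the accepted filter names
(html, uri, url, raw) are the ones named in the commit message, a plugin
filter may be written with a leading '$' (as in '| $raw'), the control
keyword list is the usual Template Toolkit set, and the sample template
below is constructed for the example.
"""
import re

ESCAPING_FILTERS = {"html", "uri", "url"}   # output considered escaped
RAW_FILTER = "raw"                         # explicit opt-out, still reported

# Directives that emit nothing, so no filter is expected (assumed TT keyword list).
CONTROL_KEYWORDS = {
    "INCLUDE", "PROCESS", "INSERT", "IF", "UNLESS", "ELSIF", "ELSE", "END",
    "FOREACH", "FOR", "WHILE", "SET", "DEFAULT", "USE", "BLOCK", "WRAPPER",
    "SWITCH", "CASE", "NEXT", "LAST", "RETURN", "STOP", "CLEAR", "META",
    "TRY", "CATCH", "FINAL", "THROW", "MACRO", "FILTER", "TAGS",
}

DIRECTIVE_RE = re.compile(r"\[%-?(.*?)-?%\]", re.DOTALL)
# Attributes whose value is a URL; values interpolated there usually want uri.
URL_ATTR_RE = re.compile(r'\b(?:href|src|action)\s*=\s*"([^"]*)"', re.IGNORECASE)

# Constructed sample: one unfiltered variable (line 5), one html filter inside
# a query string (line 6) and one raw opt-out (line 7).
SAMPLE = """\
[% INCLUDE 'help-top.inc' %]
[% SET title = "Welcome" %]
<h2>[% title | html %]</h2>
[% IF patron %]
<p>Hello [% patron.firstname %] [% patron.surname | html %]</p>
<a href="/cgi-bin/koha/members/moremember.pl?borrowernumber=[% patron.borrowernumber | html %]">Details</a>
<div>[% debarment.comment | $raw %]</div>
[% END %]
[% # comment %]
[% INCLUDE 'help-bottom.inc' %]
"""


def filter_names(body):
    """Filter names in a directive chain: 'x | $raw | truncate(20)' -> ['raw', 'truncate']."""
    names = []
    for piece in body.split("|")[1:]:
        token = piece.strip().lstrip("$").split("(")[0].strip()
        if token:
            names.append(token.split()[0])
    return names


def classify(body):
    """'comment', 'control', 'assign', 'escaped', 'raw' or 'missing' for one directive body."""
    body = body.strip()
    if not body or body.startswith("#"):
        return "comment"
    if re.split(r"[\s(]", body, maxsplit=1)[0] in CONTROL_KEYWORDS:
        return "control"
    if re.match(r"^[A-Za-z_][\w.]*\s*=(?!=)", body):
        return "assign"            # 'foo = bar' prints nothing
    names = set(filter_names(body))
    if names & ESCAPING_FILTERS:
        return "escaped"
    if RAW_FILTER in names:
        return "raw"
    return "missing"


def line_of(text, pos):
    return text.count("\n", 0, pos) + 1


def lint(text):
    """Return sorted (line, kind, directive) for every directive that needs review."""
    findings = []
    for m in DIRECTIVE_RE.finditer(text):
        kind = classify(m.group(1))
        if kind in ("missing", "raw"):
            findings.append((line_of(text, m.start()), kind, m.group(0)))
    # Heuristic: html-escaping a value that lands in a URL attribute does not
    # URL-encode it; the commit's own to-do is to switch such spots to uri.
    for attr in URL_ATTR_RE.finditer(text):
        for m in DIRECTIVE_RE.finditer(attr.group(1)):
            names = set(filter_names(m.group(1)))
            if "html" in names and not names & {"uri", "url"}:
                findings.append((line_of(text, attr.start(1) + m.start()),
                                 "html-in-url", m.group(0)))
    return sorted(findings)


if __name__ == "__main__":
    for line, kind, directive in lint(SAMPLE):
        print(f"line {line}: {kind}: {directive}")
```

Run against a real .tt file the output is a worklist, not a verdict: a `raw` hit is legitimate only where the value is known to be safe HTML (the borrower_debarments.comments case the message mentions), and the `html-in-url` heuristic cannot tell a query parameter from a complete, trusted URL, so each hit still needs a reviewer to decide between `html` and `uri`. The same regex-based approach is also blind to `|` inside quoted strings and to directives built from expressions, which is why the message's manual test (seed `<script>` tags, then hunt for alert boxes) remains the final check.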
30 lines
2 KiB
Text
[% INCLUDE 'help-top.inc' %]
<h2>Welcome to Koha</h2>
<p>If this is your first time logging into Koha, you should now go to Koha Administration and set up all system preferences, patron categories, item types and libraries. You should also review the other settings found in Administration.</p>
<p>Once you have set up patron categories, you should create a new user in the Patrons module with superlibrarian permissions. Once that user is created, you should log in as that user rather than the root user which is set up as part of installation.</p>
<p>Here are some other places to look for more information about how to proceed:</p>
<ul>
<li><a href="http://koha-community.org/documentation/">Read Koha documentation</a></li>
<li><a href="http://wiki.koha-community.org">Read/Write to the Koha wiki</a></li>
<li><a href="http://koha-community.org/support/koha-mailing-lists/">Read and contribute to discussions</a></li>
<li><a href="http://bugs.koha-community.org">Report Koha bugs</a></li>
<li><a href="http://wiki.koha-community.org/wiki/Version_Control_Using_Git">Submit patches to Koha using git (version control system)</a></li>
<li><a href="http://koha-community.org/get-involved/irc/">Chat with Koha users and developers</a></li>
</ul>
<h2>Can I edit the online help?</h2>
<p>You can edit the online help through the Koha Staff Client by clicking the "Edit Help" button. This feature has been designed so that library workflow and policies can be documented within Koha.</p>
<p><strong>IMPORTANT:</strong> Your online help will be overwritten by the new Help when there is an upgrade. If you want to keep a copy of your online help, you should instruct your System Administrator to upgrade the Online Help directory in the Koha file tree.</p>
<p>The online help directory is: <pre>[% themelang | html %]/modules/help</pre></p>
<p><strong>See the full documentation for Koha in the <a href="http://koha-community.org/manual/[% helpVersion | html %]/en/html/">manual</a> (online).</strong></p>
[% INCLUDE 'help-bottom.inc' %]