Koha/koha-tmpl/opac-tmpl/bootstrap/en/modules/opac-alert-subscribe.tt
Jonathan Druart f94162564a Bug 18726: Fix XSS at the OPAC - biblionumber
The biblionumber parameter is sent by the user, so every occurrence of it
must be escaped to avoid XSS.

Fixes: Cross-site scripting OPAC pages

Signed-off-by: Amit Gupta <amit.gupta@informaticsglobal.com>

Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
2017-08-29 12:00:37 -03:00


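[%# OPAC confirmation page for subscribing to (typeissue) or unsubscribing
    from (typeissuecancel) a serial subscription alert.
    Every template variable that ends up in text or attribute context is
    passed through the TT `html` filter: biblionumber, externalid,
    alerttype and referer are round-tripped from the request via hidden
    inputs, and bibliotitle / notes / LibraryNameTitle are free text, so
    none of them may reach the markup unescaped. %]
[% USE Koha %]
[% INCLUDE 'doc-head-open.inc' %]
<title>[% IF ( LibraryNameTitle ) %][% LibraryNameTitle | html %][% ELSE %]Koha online[% END %] catalog &rsaquo; [% IF ( typeissue ) %]Subscribe to a subscription alert [% ELSIF ( typeissuecancel ) %] Unsubscribe from a subscription alert [% END %]</title>
[% INCLUDE 'doc-head-close.inc' %]
[% BLOCK cssinclude %][% END %]
</head>
[% INCLUDE 'bodytag.inc' bodyid='opac-alert-subscribe' %]
[% INCLUDE 'masthead.inc' %]
<div class="main">
<ul class="breadcrumb">
<li><a href="/cgi-bin/koha/opac-main.pl">Home</a> <span class="divider">&rsaquo;</span></li>
<li><a href="/cgi-bin/koha/opac-detail.pl?biblionumber=[% biblionumber | html %]">Details for [% bibliotitle | html %]</a> <span class="divider">&rsaquo;</span></li>
<li><a href="#">[% IF ( typeissue ) %]Subscribe to a subscription alert [% ELSIF ( typeissuecancel ) %] Unsubscribe from a subscription alert [% END %]</a></li>
</ul>
<div class="container-fluid">
<div class="row-fluid">
<div class="span12">
<div id="useralertsubscribe">
[% IF ( typeissue ) %]
<h1>Subscribe to a subscription alert</h1>
<form action="opac-alert-subscribe.pl" method="post">
<p>Do you want to receive an email when a new issue for this subscription arrives?</p>
<h4>[% bibliotitle | html %]</h4>
[% IF ( notes ) %]<p>[% notes | html %]</p>[% END %]
[%# Hidden fields echo request values back to the script; escape each so a
    crafted value cannot close the attribute and inject markup. %]
<input type="hidden" name="externalid" value="[% externalid | html %]">
<input type="hidden" name="alerttype" value="[% alerttype | html %]">
<input type="hidden" name="referer" value="[% referer | html %]">
<input type="hidden" name="biblionumber" value="[% biblionumber | html %]">
<input type="hidden" name="op" value="alert_confirmed">
<input type="submit" class="btn" value="Yes">
<a class="cancel" href="opac-serial-issues.pl?biblionumber=[% biblionumber | html %]" >No</a>
</form>
[% END %]
[% IF ( typeissuecancel ) %]
<h1>Unsubscribe from a subscription alert</h1>
<form action="opac-alert-subscribe.pl" method="post">
<p>Please confirm that you do not want to receive email when a new issue arrives for this subscription.</p>
<h4>[% bibliotitle | html %]</h4>
[% IF ( notes ) %]<p>[% notes | html %]</p>[% END %]
[%# Same hidden-field round trip as the subscribe form above. %]
<input type="hidden" name="externalid" value="[% externalid | html %]">
<input type="hidden" name="alerttype" value="[% alerttype | html %]">
<input type="hidden" name="referer" value="[% referer | html %]">
<input type="hidden" name="biblionumber" value="[% biblionumber | html %]">
<input type="hidden" name="op" value="cancel_confirmed">
<input type="submit" value="Yes" class="btn">
<a href="opac-serial-issues.pl?biblionumber=[% biblionumber | html %]" class="cancel">No</a>
</form>
[% END %]
</div> <!-- / #useralertsubscribe -->
</div> <!-- / .span12 -->
</div> <!-- / .row-fluid -->
</div> <!-- / .container-fluid -->
</div> <!-- / .main -->
[% INCLUDE 'opac-bottom.inc' %]
[% BLOCK jsinclude %][% END %]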