Koha-community/Koha
13
7
Fork 0
Code Issues Releases Wiki Activity
Koha/koha-tmpl/intranet-tmpl/prog/en/modules/serials/claims.tt
Jonathan Druart dcd1f5d48c Bug 13618: Add html filters to all the variables 
Here we go, next step then.
As we did not fix the performance issue when autofiltering
the variables (see bug 20975), the only solution we have is to add the
filters explicitely.

This patch has been autogenerated (using add_html_filters.pl, see next
pathces) and add the html filter to all the variables displayed in the
template.
Exceptions are made (using the new 'raw' TT filter) to the variable we
already listed in the previous versions of this patch.

To test:
- Use t/db_dependent/Koha/Patrons.t to populate your DB with autogenerated
data which contain <script> tags

- Remove them from borrower_debarments.comments (there are allowed here)
update  borrower_debarments set comment="html tags possible here";

- From the interface hit page and try to catch alert box.
If you find one it means you find a possible XSS.
To know where it comes from:
* note the exact URL where you found it
* note the alert box content
* Dump your DB and search for the string in the dump to identify its
location (for instance table.field)

Next:
* Ideally we would like to use the raw filter when it is not necessary
to HTML escape the variables (in big loop for instance)
* Provide a QA script to catch missing filters (we want html, uri, url
or raw, certainly others that I am forgetting now)
* Replace the html filters with uri when needed (!)

Signed-off-by: Owen Leonard <oleonard@myacpl.org>

Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>

Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
2018-08-17 15:55:05 +00:00

326 lines
15 KiB
Text
Raw Blame History

[% USE raw %]
[% USE Asset %]
[% USE AuthorisedValues %]
[% USE Branches %]
[% SET footerjs = 1 %]
[% INCLUDE 'doc-head-open.inc' %]
<title>Koha &rsaquo; Serials &rsaquo; Claims</title>
[% INCLUDE 'doc-head-close.inc' %]
[% Asset.css("css/datatables.css") | $raw %]
</head>
<body id="ser_claims" class="ser">
[% INCLUDE 'header.inc' %]
[% INCLUDE 'serials-search.inc' %]
<div id="breadcrumbs"><a href="/cgi-bin/koha/mainpage.pl">Home</a> &rsaquo; <a href="/cgi-bin/koha/serials/serials-home.pl">Serials</a> &rsaquo; Claims</div>
<div id="doc3" class="yui-t2">
<div id="bd">
<div id="yui-main">
<div class="yui-b">
<h1>Claims</h1>
[% IF error_claim %]
[% IF error_claim == 'no_vendor_email' %]
<div class="dialog alert">This vendor has no email defined for late issues.</div>
[% ELSIF error_claim == 'bad_or_missing_sender' %]
<div class="dialog alert">Bad or missing sender address; check your branch email address or preference KohaAdminEmailAddress.</div>
[% ELSE %]
<div class="dialog alert">[% error_claim | html %]</div>
[% END %]
[% END %]
[% IF info_claim %]
<div class="dialog message">Email has been sent.</div>
[% END %]
[% IF letters %][% UNLESS ( missingissues ) %][% IF ( supplierid ) %] <div class="dialog alert">No missing issues found.</div>[% ELSE %]<div class="dialog message">Please choose a vendor.</div>[% END %][% END %][% END %]
[% IF ( SHOWCONFIRMATION ) %]
<div class="dialog alert">Your notification has been sent.</div>
[% END %]
[% UNLESS letters %]<div class="dialog alert">No claims notice defined. <a href="/cgi-bin/koha/tools/letter.pl">Please define one</a>.</div>[% END %]
<form id="claims" name="claims" action="claims.pl" method="post">
<fieldset>
<label for="supplierid">Vendor: </label>
<select id="supplierid" name="supplierid">
[% FOREACH suploo IN suploop %]
[% IF ( suploo.selected ) %]
<option value="[% suploo.id | html %]" selected="selected" >
[% ELSE %]
<option value="[% suploo.id | html %]">
[% END %]
[% suploo.name | html %]
([% suploo.count | html %])
</option>
[% END %]
</select>
<input type="submit" value="OK" />
</fieldset>
</form>
[% IF ( missingissues ) %]
<h3>Missing issues</h3>
<form action="claims.pl" id="filter_claims_form">
<fieldset class="rows">
<legend>Filters :</legend>
<ol>
<li>
<label for="from">From:</label>
<input type="text" name="begindate" id="from" value="[% begindate | html %]" size="10" maxlength="10" class="datepickerfrom" />
<label for="to" style="float:none;">To:</label>
<input type="text" name="enddate" id="to" value="[% enddate | html %]" size="10" maxlength="10" class="datepickerto" />
<span class="hint">[% INCLUDE 'date-format.inc' %]</span>
<input id="filterByDate" type="button" value="OK" />
<a href="#" id="clearfilter"><i class="fa fa-remove"></i> Clear filter</a>
</li>
</ol>
</fieldset>
</form>
<fieldset>
<form action="claims.pl" method="post" id="claims_form">
<table id="claimst">
<thead>
<tr>
<th><input type="checkbox" id="CheckAll"></th>
<th>Vendor</th>
<th>Library</th>
<th class="anti-the">Title</th>
<th>ISSN</th>
<th>Issue number</th>
<th>Status</th>
<th class="title-string">Since</th>
<th>Claims count</th>
<th class="title-string">Claim date</th>
[% FOR field IN additional_fields_for_subscription %]
<th>[% field.name | html %]</th>
[% END %]
</tr>
</thead>
<tfoot>
<tr>
<td></td>
<td><input type="text" class="filter" data-column_num="1" placeholder="Search vendor" /></td>
<td><input type="text" class="filter" data-column_num="2" placeholder="Search library" /></td>
<td><input type="text" class="filter" data-column_num="3" placeholder="Search title" /></td>
<td><input type="text" class="filter" data-column_num="4" placeholder="Search ISSN" /></td>
<td><input type="text" class="filter" data-column_num="5" placeholder="Search issue number" /></td>
<td><input type="text" class="filter" data-column_num="6" placeholder="Search status" /></td>
<td><input type="text" class="filter" data-column_num="7" placeholder="Search since" /></td>
<td><input type="text" class="filter" data-column_num="8" placeholder="Search claim count" /></td>
<td><input type="text" class="filter" data-column_num="9" placeholder="Search claim date" /></td>
[% FOR field IN additional_fields_for_subscription %]
<td><input type="text" class="filter" data-column_num="[% loop.count + 9 | html %]" placeholder="Search [% field.name | html %]" /></td>
[% END %]
</tr>
</tfoot>
<tbody>[% FOREACH missingissue IN missingissues %]
<tr>
<td>
[% UNLESS missingissue.cannot_claim %]
<input type="checkbox" name="serialid" value="[% missingissue.serialid | html %]" />
[% END %]
</td>
<td>[% missingissue.name | html %]</td>
<td>
<span class="branch-[% missingissue.branchcode | html %]">[% Branches.GetName( missingissue.branchcode ) | html %]</span>
</td>
<td>
<a href="/cgi-bin/koha/serials/subscription-detail.pl?subscriptionid=[% missingissue.subscriptionid | html %]">[% missingissue.title | html %]</a>
</td>
<td>[% missingissue.issn | html %]</td>
<td>[% missingissue.serialseq | html %]</td>
<td>
[% IF ( missingissue.status1 ) %]<span class="status-expected">Expected</span>[% END %]
[% IF ( missingissue.status3 ) %]<span class="status-late">Late</span>[% END %]
[% IF ( missingissue.status4 ) %]<span class="status-missing">Missing</span>[% END %]
[% IF ( missingissue.status41 ) %]<span class="status-missing_never_received">Missing (never received)</span>[% END %]
[% IF ( missingissue.status42 ) %]<span class="status-missing_sold_out">Missing (sold out)</span>[% END %]
[% IF ( missingissue.status43 ) %]<span class="status-missing_damaged">Missing (damaged)</span>[% END %]
[% IF ( missingissue.status44 ) %]<span class="status-missing_lost">Missing (lost)</span>[% END %]
[% IF ( missingissue.status7 ) %]<span class="status-claimed">Claimed</span>[% END %]
</td>
<td class="planneddate">
[% IF ( missingissue.planneddate ) %]
<span title="[% missingissue.planneddateISO | html %]">[% missingissue.planneddate | html %]</span>
[% ELSE %]
<span title="0000-00-00"></span>
[% END %]
</td>
<td>[% missingissue.claims_count | html %]</td>
<td>
[% IF ( missingissue.claimdate ) %]
<span title="[% missingissue.claimdateISO | html %]">[% missingissue.claimdate | html %]</span>
[% ELSE %]
<span title="0000-00-00"></span>
[% END %]
</td>
[% FOR field IN additional_fields_for_subscription %]
[% IF field.authorised_value_category %]
<td>[% AuthorisedValues.GetByCode( field.authorised_value_category, missingissue.additional_fields.${field.name} ) | html %]</td>
[% ELSE %]
<td>[% missingissue.additional_fields.${field.name} | html %]</td>
[% END %]
[% END %]
</tr>
[% END %]</tbody>
</table>
[% IF csv_profiles %]
<fieldset class="action">
<label for="csv_code">Select CSV profile:</label>
<select id="csv_profile_for_export">
[% FOR csv IN csv_profiles %]
<option value="[% csv.export_format_id | html %]">[% csv.profile | html %]</option>
[% END %]
</select>
<span class="exportSelected"><a id="ExportSelected" href="/cgi-bin/koha/serials/claims.pl">Download selected claims</a></span>
[% END %]
[% IF letters %]
<fieldset class="action">
<label for="letter_code">Select notice:</label>
<select name="letter_code" id="letter_code">
[% FOREACH letter IN letters %]
<option value="[% letter.code | html %]">[% letter.name | html %]</option>
[% END %]
</select>
<input type="hidden" name="op" value="send_alert" />
<input type="hidden" name="supplierid" value="[% supplierid | html %]" />
<input type="submit" name="submit" class="button" value="Send notification" />
</fieldset>
[% END %]
</form>
</fieldset>
[% END %]
</div>
</div>
<div class="yui-b">
[% INCLUDE 'serials-menu.inc' %]
</div>
</div>
[% MACRO jsinclude BLOCK %]
[% INCLUDE 'calendar.inc' %]
[% INCLUDE 'datatables.inc' %]
<script type="text/javascript">
var sTable;
$(document).ready(function() {
sTable = $("#claimst").dataTable($.extend(true, {}, dataTablesDefaults, {
"sDom": 't',
"aoColumnDefs": [
{ "aTargets": [ 0 ], "bSortable": false, "bSearchable": false },
{ 'sType': "anti-the", 'aTargets' : [ 'anti-the'] },
{ 'sType': "title-string", 'aTargets' : [ 'title-string'] }
],
"bPaginate": false
}));
sTable.fnAddFilters("filter", "200");
$('#supplierid').change(function() {
$('#claims').submit();
});
// Checkboxes : Select All / None
$("span.checkall").html("<input type=\"checkbox\" name=\"CheckAll\"> "+_("Check All")+"</input>");
$("#CheckAll").click(function() {
$("#claimst tr:visible :checkbox").prop('checked', $("#CheckAll").is(':checked'));
});
// Generates a dynamic link for exporting the selections data as CSV
$("#ExportSelected").click(function() {
// We need to use "input[name=serialid]:checked" instead of "input:checked". Otherwise, the "check all" box will pass the value of "on" as a serialid, which produces a SQL error.
var selected = $("input[name=serialid]:checked");
if (selected.length == 0) {
alert(_("Please select at least one item to export."));
return false;
}
// Building the url from currently checked boxes
var url = '/cgi-bin/koha/serials/lateissues-export.pl?supplierid=&amp;op=claims';
for (var i = 0; i < selected.length; i++) {
url += '&amp;serialid=' + selected[i].value;
}
url += '&amp;csv_profile=' + $("#csv_profile_for_export option:selected").val();
// And redirecting to the CSV page
location.href = url;
return false;
});
$("#filterByDate").on("click",function(e){
e.preventDefault();
filterByDate();
});
$("#clearfilter").on("click",function(e){
e.preventDefault();
$("#from,#to").val("");
$("table#claimst tbody tr").show();
});
$("#claims_form").on("submit",function(){
return checkForm();
});
$("#filter_claims_form").on("submit",function(){
return false;
});
});
// Checks if the form can be sent (at least one checkbox must be checked)
function checkForm() {
if ($("input:checked").length == 0) {
alert(_("Please select at least one issue."));
return false;
}
}
// Filter by date
function filterByDate() {
var beginDate = Date_from_syspref($("#from").val()).getTime();
var endDate = Date_from_syspref($("#to").val()).getTime();
// Checks if the beginning date is valid
if (!parseInt(beginDate)) {
alert(_("The beginning date is missing or invalid."));
return false;
}
// Checks if the ending date is valid
if (!parseInt(endDate)) {
alert(_("The ending date is missing or invalid."));
return false;
}
// Checks if beginning date is before ending date
if (beginDate > endDate) {
// If not, we swap them
var tmpDate = endDate;
endDate = beginDate;
beginDate = tmpDate;
}
// We hide everything
$("table#claimst tbody tr").hide();
// For each date in the table
$(".planneddate").each(function() {
// We make a JS Date Object, according to the locale
var pdate = Date_from_syspref($(this).text()).getTime();
// And checks if the date is between the beginning and ending dates
if (pdate > beginDate &&
pdate < endDate) {
// If so, we can show the row
$(this).parent().show();
}
});
}
</script>
[% END %]
[% INCLUDE 'intranet-bottom.inc' %]
View git blame Copy permalink