Koha-community/Koha
13
7
Fork 0
Code Issues Releases Wiki Activity
Koha/koha-tmpl/intranet-tmpl/prog/en/modules/tools/csv-profiles.tt
Jonathan Druart dcd1f5d48c Bug 13618: Add html filters to all the variables 
Here we go, next step then.
As we did not fix the performance issue when autofiltering
the variables (see bug 20975), the only solution we have is to add the
filters explicitely.

This patch has been autogenerated (using add_html_filters.pl, see next
pathces) and add the html filter to all the variables displayed in the
template.
Exceptions are made (using the new 'raw' TT filter) to the variable we
already listed in the previous versions of this patch.

To test:
- Use t/db_dependent/Koha/Patrons.t to populate your DB with autogenerated
data which contain <script> tags

- Remove them from borrower_debarments.comments (there are allowed here)
update  borrower_debarments set comment="html tags possible here";

- From the interface hit page and try to catch alert box.
If you find one it means you find a possible XSS.
To know where it comes from:
* note the exact URL where you found it
* note the alert box content
* Dump your DB and search for the string in the dump to identify its
location (for instance table.field)

Next:
* Ideally we would like to use the raw filter when it is not necessary
to HTML escape the variables (in big loop for instance)
* Provide a QA script to catch missing filters (we want html, uri, url
or raw, certainly others that I am forgetting now)
* Replace the html filters with uri when needed (!)

Signed-off-by: Owen Leonard <oleonard@myacpl.org>

Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>

Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
2018-08-17 15:55:05 +00:00

316 lines
14 KiB
Text
Raw Blame History

[% USE raw %]
[% USE Asset %]
[% SET footerjs = 1 %]
[% INCLUDE 'doc-head-open.inc' %]
<title>Koha &rsaquo; Tools &rsaquo; CSV export profiles</title>
[% INCLUDE 'doc-head-close.inc' %]
</head>
<body id="tools_csv-profiles" class="tools">
[% INCLUDE 'header.inc' %]
[% INCLUDE 'cat-search.inc' %]
<div id="breadcrumbs">
<a href="/cgi-bin/koha/mainpage.pl">Home</a>
&rsaquo; <a href="/cgi-bin/koha/tools/tools-home.pl">Tools</a>
&rsaquo; CSV export profiles
</div>
<div id="doc3" class="yui-t2">
<div id="bd">
<div id="yui-main">
<div class="yui-b">
[% FOR m IN messages %]
<div class="dialog [% m.type | html %]">
[% SWITCH m.code %]
[% CASE 'error_on_update' %]
An error occurred when updating this CSV profile. Perhaps it already exists.
[% CASE 'error_on_insert' %]
An error occurred when adding this CSV profile.
[% CASE 'error_on_delete' %]
An error occurred when deleting this CSV profile. Check the logs.
[% CASE 'success_on_update' %]
CSV profile updated successfully.
[% CASE 'success_on_insert' %]
CSV profile added successfully.
[% CASE 'success_on_delete' %]
CSV profile deleted successfully.
[% CASE 'already_exists' %]
This CSV profile already exists.
[% CASE %]
[% m.code | html %]
[% END %]
</div>
[% END %]
[% BLOCK list_separator_options %]
[% IF selected_separator == ',' %]
<option value="," selected="selected">Comma (,)</option>
[% ELSE %]
<option value=",">Comma (,)</option>
[% END %]
[% IF selected_separator == '|' %]
<option value="|" selected="selected">Pipe (|)</option>
[% ELSE %]
<option value="|">Pipe (|)</option>
[% END %]
[% IF selected_separator == ';' %]
<option value=";" selected="selected">Semi-colon (;)</option>
[% ELSE %]
<option value=";">Semi-colon (;)</option>
[% END %]
[% IF selected_separator == '#' %]
<option value="#" selected="selected">Sharp (#)</option>
[% ELSE %]
<option value="#">Sharp (#)</option>
[% END %]
[% IF selected_separator == ' ' %]
<option value=" " selected="selected">Space ( )</option>
[% ELSE %]
<option value=" ">Space ( )</option>
[% END %]
[% IF selected_separator == '\t' %]
<option value="\t" selected="selected">Tabulation (\t)</option>
[% ELSE %]
<option value="\t">Tabulation (\t)</option>
[% END %]
[% IF selected_separator == '\n' %]
<option value="\n" selected="selected">New line (\n)</option>
[% ELSE %]
<option value="\n">New line (\n)</option>
[% END %]
[% END %]
[% BLOCK type_description %]
[% IF type_code == 'marc' %] MARC
[% ELSIF type_code == 'sql' %] SQL
[% ELSE %] Unknown type
[% END %]
[% END %]
[% BLOCK used_for_description %]
[% IF used_for_code == 'export_records' %] Export records
[% ELSIF used_for_code == 'late_issues' %] Late serial issues claims
[% ELSIF used_for_code == 'export_basket' %] Basket export in acquisition
[% ELSIF used_for_code == 'export_lost_items' %] Export lost items in report
[% ELSE %] Unknown usage
[% END %]
[% END %]
[% IF op == 'add_form' %]
[% IF csv_profile %]
<h1>Modify a CSV profile</h1>
[% ELSE %]
<h1>New CSV profile</h1>
[% END %]
<form action="/cgi-bin/koha/tools/csv-profiles.pl" class="validated" method="post">
<input type="hidden" name="op" value="add_validate" />
<input type="hidden" name="export_format_id" value="[% csv_profile.export_format_id | html %]" />
<fieldset class="rows">
<ol>
[% IF csv_profile %]
<li><span class="label">Profile ID: </span>[% csv_profile.export_format_id | html %]</li>
[% END %]
<li>
<label for="profile" class="required">Profile name: </label>
<input type="text" name="profile" id="profile" value="[% csv_profile.profile | html %]" class="required">
<span class="required">Required</span>
</li>
<li>
<label for="type" class="required">Profile type: </label>
<select id="type" name="type">
[% FOREACH type IN [ 'marc' 'sql'] %]
[% IF csv_profile.type == type %]
<option value="[% type | html %]" selected="selected">[% PROCESS type_description type_code = type %]</option>
[% ELSE %]
<option value="[% type | html %]">[% PROCESS type_description type_code = type %]</option>
[% END %]
[% END %]
</select>
<span class="required">Required</span>
</li>
<li class="sql_specific">
<label for="used_for_sql">Usage: </label>
<select id="used_for_sql" name="used_for_sql">
[% FOREACH used_for IN [ 'late_issues' 'export_basket' 'export_lost_items' ] %]
[% IF csv_profile.used_for == used_for %]
<option value="[% used_for | html %]" selected="selected">[% PROCESS used_for_description used_for_code = used_for %]</option>
[% ELSE %]
<option value="[% used_for | html %]">[% PROCESS used_for_description used_for_code = used_for %]</option>
[% END %]
[% END %]
</select>
</li>
<li class="marc_specific">
<label for="used_for_marc">Usage: </label>
<select id="used_for_marc" name="used_for_marc">
[% FOREACH used_for IN [ 'export_records' ] %]
[% IF csv_profile.used_for == used_for %]
<option value="[% used_for | html %]" selected="selected">[% PROCESS used_for_description used_for_code = used_for %]</option>
[% ELSE %]
<option value="[% used_for | html %]">[% PROCESS used_for_description used_for_code = used_for %]</option>
[% END %]
[% END %]
</select>
</li>
<li>
<label for="description">Profile description: </label>
<textarea cols="50" rows="2" name="description" id="description">[% csv_profile.description | html %]</textarea>
</li>
<li>
<label for="csv_separator">CSV separator: </label>
<select name="csv_separator" id="csv_separator">
[% PROCESS list_separator_options selected_separator=csv_profile.csv_separator || ',' %]
</select>
</li>
<li class="marc_specific">
<label for="field_separator">Field separator: </label>
<select name="field_separator" id="field_separator">
[% PROCESS list_separator_options selected_separator=csv_profile.field_separator || '#' %]
</select>
</li>
<li class="marc_specific"><label for="subfield_separator">Subfield separator: </label>
<select name="subfield_separator" id="subfield_separator">
[% PROCESS list_separator_options selected_separator=csv_profile.subfield_separator || '|'%]
</select>
</li>
<li class="marc_specific"><label for="encoding">Encoding: </label>
<select name="encoding" id="encoding">
[% FOREACH encoding IN encodings %]
[% IF csv_profile.encoding == encoding OR NOT csv_profile AND encoding == 'utf8' %]
<option selected="selected">[% encoding | html %]</option>
[% ELSE %]
<option>[% encoding | html %]</option>
[% END %]
[% END %]
</select>
</li>
<li class="marc_specific">
<label for="marc_content" class="required">Profile MARC fields: </label>
<textarea cols="50" rows="2" name="marc_content" id="marc_content">[% csv_profile.content | html %]</textarea>
<span class="required">Required</span>
<p>You have to define which fields or subfields you want to export, separated by pipes.</p>
<p>You can also use your own headers (instead of the ones from Koha) by prefixing the field number with an header, followed by the equal sign.</p>
<p>Example: Personal name=200|Entry element=210$a|300|009</p>
<p>You can use Template Toolkit tags too. See the help page for more information.</p>
</li>
<li class="sql_specific">
<label for="late_issues_content" class="required">Profile SQL fields: </label>
<textarea cols="50" rows="2" name="sql_content" id="sql_content">[% csv_profile.content | html %]</textarea>
<p>You have to define which fields you want to export, separated by pipes.</p>
<p>You can also use your own headers (instead of the ones from Koha) by prefixing the field name with an header, followed by the equal sign.</p>
<p>Example: Name=subscription.name|Title=subscription.title|Issue number=serial.serialseq</p>
<p>For late issues claims you can use data from following tables: serial, subscription, biblio, biblioitems and aqbookseller.</p>
<p>For basket exports you can use data from following tables: biblio, biblioitems, aqorders, aqbudgets and aqbasket.</p>
</li>
</ol>
</fieldset>
<fieldset class="action">
<input type="submit" value="Submit" />
<a class="cancel" href="/cgi-bin/koha/tools/csv-profiles.pl">Cancel</a>
</fieldset>
</form>
[% END %]
[% IF op == 'delete_confirm' %]
<div class="dialog alert">
[% IF csv_profile %]
<h3>Delete CSV Profile "[% csv_profile.profile | html %]?"</h3>
<form action="/cgi-bin/koha/tools/csv-profiles.pl" method="post">
<input type="hidden" name="op" value="delete_confirmed" />
<input type="hidden" name="export_format_id" value="[% csv_profile.export_format_id | html %]" />
<input type="submit" class="approve" value="Yes, delete" />
</form>
<form action="/cgi-bin/koha/tools/csv-profiles.pl" method="get">
<input type="submit" class="deny" value="No, do not Delete" />
</form>
[% ELSE %]
This CSV Profile does not exist.
[% END %]
</div>
[% END %]
[% IF op == 'list' %]
<div id="toolbar" class="btn-toolbar">
<a class="btn btn-default btn-sm" id="newcsvprofile" href="/cgi-bin/koha/tools/csv-profiles.pl?op=add_form"><i class="fa fa-plus"></i> New CSV profile</a>
</div>
<h2>CSV profiles</h2>
[% IF csv_profiles %]
<table id="table_csv_profiles">
<thead>
<th>CSV profile ID</th>
<th>Name</th>
<th>Description</th>
<th>Content</th>
<th>CSV separator</th>
<th>CSV type</th>
<th>Usage</th>
<th>Actions</th>
</thead>
<tbody>
[% FOREACH csv_profile IN csv_profiles %]
<tr>
<td>[% csv_profile.export_format_id | html %]</td>
<td>[% csv_profile.profile | html %]</td>
<td>[% csv_profile.description | html %]</td>
<td>[% csv_profile.content | html %]</td>
<td>[% csv_profile.csv_separator | html %]</td>
<td>[% PROCESS type_description type_code = csv_profile.type %]</td>
<td>[% PROCESS used_for_description used_for_code = csv_profile.used_for %]</td>
<td class="actions">
<a href="/cgi-bin/koha/tools/csv-profiles.pl?op=add_form&amp;export_format_id=[% csv_profile.export_format_id | html %]" class="btn btn-default btn-xs"><i class="fa fa-pencil"></i> Edit</a>
<a href="/cgi-bin/koha/tools/csv-profiles.pl?op=delete_confirm&amp;export_format_id=[% csv_profile.export_format_id | html %]" class="btn btn-default btn-xs"><i class="fa fa-trash"></i> Delete</a>
</td>
</tr>
[% END %]
</tbody>
</table>
[% ELSE %]
There is no CSV profile defined. <a href="/cgi-bin/koha/tools/csv-profiles.pl?op=add_form">Create a new CSV profile</a>.
[% END %]
[% END %]
</div>
</div>
<div class="yui-b noprint">
[% INCLUDE 'tools-menu.inc' %]
</div>
</div>
[% MACRO jsinclude BLOCK %]
[% Asset.js("js/tools-menu.js") | $raw %]
<script type="text/javascript">
function reloadPage(p) {
var id = p.value;
if (id != 0) { document.location = "/cgi-bin/koha/tools/csv-profiles.pl?op=add_form&amp;export_format_id=" + id; }
}
$(document).ready(function() {
$("#type").change(function(){
if ( $(this).find("option:selected").val() == "marc" ) {
$("li.marc_specific").show();
$("#marc_content").attr("required", "required");
$("li.sql_specific").hide();
$("#sql_content").removeAttr("required");
} else {
$("li.marc_specific").hide();
$("#marc_content").removeAttr("required");
$("li.sql_specific").show();
$("#sql_content").attr("required", "required");
}
});
$("#type").change();
});
</script>
[% END %]
[% INCLUDE 'intranet-bottom.inc' %]
View git blame Copy permalink