Koha-community/Koha
13
7
Fork 0
Code Issues Releases Wiki Activity
Koha/koha-tmpl/intranet-tmpl/prog/en/modules/acqui/parcels.tt
Amit Gupta 8534ca2780 Bug 19114 - Stored XSS in parcels.pl 
Test
1. Hit the page /cgi-bin/koha/acqui/parcels.pl?booksellerid=xx
   xx is booksellerid
2. Add a text in the field Vendor invoice that contains java script
3. Save the page.
4. Notice js is execute
5. Apply patch and reload the js is escaped

Fixed XSS for parcels.pl/parcel.pl/orderreceive.pl

Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>

Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
2017-08-29 12:00:37 -03:00

228 lines
10 KiB
Text
Raw Blame History

[% USE KohaDates %]
[% INCLUDE 'doc-head-open.inc' %]
<title>Koha &rsaquo; Acquisitions &rsaquo; Receive shipment from vendor [% name %]</title>
<link rel="stylesheet" type="text/css" href="[% interface %]/[% theme %]/css/datatables.css" />
[% INCLUDE 'doc-head-close.inc' %]
[% INCLUDE 'calendar.inc' %]
[% INCLUDE 'datatables.inc' %]
<script type="text/javascript">
//<![CDATA[
$(document).ready(function() {
var parcelst = $("#parcelst").dataTable($.extend(true, {}, dataTablesDefaults, {
"aoColumnDefs": [
{ "sType": "title-string", "aTargets" : [ "title-string" ] }
],
'bPaginate': false,
} ) );
//keep a copy of all budgets before removing the inactives
var budgetId = $("#shipmentcost_budgetid");
var disabledBudgetsCopy = budgetId.html();
$('.b_inactive').remove();
$('#showallfunds').click(function() {
if ($(this).is(":checked")) {
budgetId.html(disabledBudgetsCopy); //Puts back all the funds
}
else {
$('.b_inactive').remove();
}
});
});
//]]>
</script>
</head>
<body id="acq_parcels" class="acq">
[% INCLUDE 'header.inc' %]
[% INCLUDE 'acquisitions-search.inc' %]
<div id="breadcrumbs"><a href="/cgi-bin/koha/mainpage.pl">Home</a> &rsaquo; <a href="/cgi-bin/koha/acqui/acqui-home.pl">Acquisitions</a> &rsaquo; <a href="/cgi-bin/koha/acqui/supplier.pl?booksellerid=[% booksellerid %]">[% name %]</a> &rsaquo; Receive shipment from vendor [% name %]</div>
[% IF ( count ) %]<div id="doc3" class="yui-t2">[% ELSE %]<div id="doc" class="yui-t7">[% END %]
<div id="bd">
<div id="yui-main">
<div class="yui-b">
[% IF ( error_failed_to_create_invoice ) %]
<div id="error" class="dialog alert">
<p>An error has occurred. Invoice cannot be created.</p>
</div>
[% END %]
<h1>Receive shipment from vendor <a href="/cgi-bin/koha/acqui/supplier.pl?booksellerid=[% booksellerid %]">[% name %]</a></h1>
[% IF duplicate_invoices %]
<div id="parcels_duplicate_invoice" class="dialog alert">
<p>This invoice number has already been used. Would you like to receive on an existing invoice?</p>
<table>
<thead><tr><th>Invoice no.</th><th>Shipment date</th><th></th></tr></thead>
<tbody>
[% FOREACH invoice IN duplicate_invoices %]
<tr>
<td>[% invoice.invoicenumber %]</td>
<td>[% invoice.shipmentdate | $KohaDates %]</td>
<td><a href="/cgi-bin/koha/acqui/parcel.pl?invoiceid=[% invoice.invoiceid %]">Receive</a></td>
</tr>
[% END %]
</tbody>
</table>
<form method="get" action="parcels.pl">
<input type="hidden" name="booksellerid" value="[% booksellerid %]" />
<input type="hidden" name="op" value="confirm" />
<input type="hidden" name="invoice" value="[% invoicenumber %]" />
<input type="hidden" name="shipmentdate" value="[% shipmentdate | $KohaDates %]" />
<input type="hidden" name="shipmentcost" value="[% shipmentcost %]" />
<input type="hidden" name="shipmentcost_budgetid" value="[% shipmentcost_budgetid %]" />
<input type="submit" class="button" value="Create new invoice anyway" />
</form>
</div>
[% END %]
[% IF ( count ) %]
<p> [% count %] shipments</p>
<div id="resultlist">
<!-- Search Results Table -->
<table class="small" id="parcelst">
<thead>
<tr>
<th>Line</th>
<th class="title-string">Date received</th>
<th>Invoice number</th>
<th>Item count</th>
<th>Biblio count</th>
<th>Items expected</th>
</tr>
</thead>
<tbody>
<!-- Actual Search Results -->
[% FOREACH searchresult IN searchresults %]
<tr>
<td>
[% searchresult.number %]
</td>
<td>
<span title="[% searchresult.datereceived %]">[% searchresult.datereceived | $KohaDates %]</span>
</td>
<td>
[% IF ( searchresult.code ) %]
<a href="/cgi-bin/koha/acqui/parcel.pl?invoiceid=[% searchresult.invoiceid %]">[% searchresult.code |html %]</a>
[% ELSE %]
<abbr title="not available">n/a</abbr>
[% END %]
</td>
<td>
[% searchresult.reccount %]
</td>
<td>
[% searchresult.bibcount %]
</td>
<td>
[% searchresult.itemcount %]
</td>
</tr>
[% END %]
</tbody>
</table>
<div id="resultnumber">
<!-- Row of numbers corresponding to search result pages -->
[% IF ( displayprev ) %]
<a href="parcels.pl?booksellerid=[% booksellerid %]&amp;startfrom=[% prevstartfrom %][% IF ( datefrom ) %]&amp;datefrom=[% datefrom %][% END %][% IF ( dateto ) %]&amp;dateto=[% dateto %][% END %][% IF ( code ) %]&amp;filter=[% code %][% END %][% IF ( orderby ) %]&amp;orderby=[% orderby %][% END %][% IF ( resultsperpage ) %]&amp;resultsperpage=[% resultsperpage %][% END %]&amp;type=intra">&lt;&lt; Previous</a>
[% END %]
[% FOREACH number IN numbers %]
[% IF ( number.highlight ) %]
<span class="current">[% number.number %]</span>
[% ELSE %]
<a href="parcels.pl?booksellerid=[% booksellerid %]&amp;startfrom=[% number.startfrom %][% IF ( number.datefrom ) %]&amp;datefrom=[% number.datefrom %][% END %][% IF ( number.dateto ) %]&amp;dateto=[% number.dateto %][% END %][% IF ( number.code ) %]&amp;filter=[% number.code %][% END %][% IF ( number.orderby ) %]&amp;orderby=[% number.orderby %][% END %][% IF ( number.resultsperpage ) %]&amp;resultsperpage=[% number.resultsperpage %][% END %]&amp;type=intra">[% number.number %]</a>
[% END %]
[% END %]
[% IF ( displaynext ) %]
<a href="parcels.pl?booksellerid=[% booksellerid %]&amp;startfrom=[% nextstartfrom %][% IF ( datefrom ) %]&amp;datefrom=[% datefrom %][% END %][% IF ( dateto ) %]&amp;dateto=[% dateto %][% END %][% IF ( code ) %]&amp;filter=[% code %][% END %][% IF ( orderby ) %]&amp;orderby=[% orderby %][% END %][% IF ( resultsperpage ) %]&amp;resultsperpage=[% resultsperpage %][% END %]&amp;type=intra">Next &gt;&gt;</a>
[% END %]
</div>
</div>
[% END %]
<div id="parcels_new_parcel">
<form method="get" action="parcels.pl" class="validated">
<fieldset class="rows">
<legend>Receive a new shipment</legend>
<ol> <li>
<label for="invoice" class="required">Vendor invoice:</label>
<input type="hidden" name="booksellerid" value="[% booksellerid %]" />
<input type="hidden" name="op" value="new" />
<input type="text" size="20" id="invoice" name="invoice" class="focus required" required="required" />
</li>
[% IF ( gst ) %]
<li>
<label for="gst">GST:</label>
<input type="text" size="20" id="gst" name="gst" />
</li>
[% END %]
<!-- // Removing freight input until shipping can be proplerly handled .
<li>
<label for="freight">Shipping:</label>
<input type="text" size="20" id="freight" name="freight" />
</li> -->
<li>
<label for="shipmentdate">Shipment date: </label>
<input type="text" id="shipmentdate" name="shipmentdate" maxlength="10" size="10" value="[% shipmentdate_today | $KohaDates %]" class="datepicker" />
<div class="hint">[% INCLUDE 'date-format.inc' %]</div>
</li>
<li>
<label for="shipmentcost">Shipping cost: </label>
<input type="text" id="shipmentcost" name="shipmentcost" size="10" />
</li>
<li>
<label for="shipmentcost_budgetid">Shipping fund: </label>
<select id="shipmentcost_budgetid" name="shipmentcost_budgetid">
<option value="">No fund</option>
[% FOREACH budget IN budgets %]
[% IF ( budget.b_active ) %]
<option value="[% budget.b_id %]">[% budget.b_txt %]</option>
[% ELSE %]
<option value="[% budget.b_id %]" class="b_inactive">[% budget.b_txt %] (inactive)</option>
[% END %]
[% END %]
</select>
<label for="showallfunds" style="float:none;width:auto;">&nbsp;Show inactive:</label>
<input type="checkbox" id="showallfunds" />
</li>
</ol>
</fieldset>
<fieldset class="action"><input type="submit" class="button" value="Next" /> <a class="cancel" href="/cgi-bin/koha/acqui/supplier.pl?booksellerid=[% booksellerid %]">Cancel</a></fieldset>
</form>
</div>
</div>
</div>
<div class="yui-b">
[% IF ( count ) %]<form method="get" action="parcels.pl">
<fieldset class="brief">
<h4>Filter</h4>
<ol>
<li> <input type="hidden" name="booksellerid" value="[% booksellerid %]" /></li>
<li><label for="filter">Invoice number:</label><input type="text" size="20" name="filter" value="[% filter %]" id="filter" /></li>
<li><label for="datefrom">From:</label><input type="text" size="9" id="datefrom" name="datefrom" value="[% datefrom %]" class="datepicker" /><br />
<label for="dateto">To:</label><input type="text" size="9" id="dateto" name="dateto" value="[% dateto %]" class="datepicker" /></li>
<li><label for="orderby">Sort by :</label><select name="orderby" id="orderby">
<option value="invoicenumber">Invoice number</option>
<option value="shipmentdate">Shipment date</option>
<option value="shipmentdate desc">Shipment date reverse</option>
<option value="invoicenumber desc">Invoice number reverse</option>
</select><br />
<label for="resultsperpage">Results per page :</label><select name="resultsperpage" id="resultsperpage">
<option value="20">20</option>
<option value="30">30</option>
<option value="50">50</option>
<option value="100">100</option>
</select></li>
</ol>
<fieldset class="action"><input type="submit" class="button" value="Filter" /> <a href="/cgi-bin/koha/acqui/parcels.pl?booksellerid=[% booksellerid %]">Clear</a></fieldset>
</fieldset>
</form>[% END %]
</div>
</div>
[% INCLUDE 'intranet-bottom.inc' %]
View git blame Copy permalink