Koha-community/Koha
13
7
Fork 0
Code Issues Releases Wiki Activity
Koha/koha-tmpl/intranet-tmpl/prog/en/modules/acqui/invoices.tt
Amit Gupta 0cf9eb0cfb Bug 19052 - XSS Flaws in - Invoice search page 
1. Hit /cgi-bin/koha/acqui/invoices.pl
2. Enter <IFRAME SRC="javascript:alert('XSS');"></IFRAME> Invoiceno,
   ISBN/EAN/ISSN, Title, Author, Publihser, Publication year search box.
3. Notice the iframe is executed.
4. Apply patch.
5. Reload page, and enter iframe again on Invoiceno,
   ISBN/EAN/ISSN, Title, Author, Publihser, Publication year search box.
6. Notice it is no longer executed.

Signed-off-by: Chris Cormack <chrisc@catalyst.net.nz>

Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
2017-08-29 12:00:37 -03:00

366 lines
18 KiB
Text
Raw Blame History

[% USE KohaDates %]
[% USE Branches %]
[% INCLUDE 'doc-head-open.inc' %]
<title>Koha &rsaquo; Acquisitions &rsaquo; Invoices</title>
<link rel="stylesheet" type="text/css" href="[% interface %]/[% theme %]/css/datatables.css" />
[% INCLUDE 'doc-head-close.inc' %]
[% INCLUDE 'datatables.inc' %]
[% INCLUDE 'calendar.inc' %]
<script type="text/javascript">
//<![CDATA[
$(document).ready(function() {
var resultst = $("#resultst").dataTable($.extend(true, {}, dataTablesDefaults, {
bPaginate: false,
aoColumnDefs: [
{ "bSortable": false, "aTargets": [1, -1] },
{ "bVisible": false, "aTargets": [0] },
{ "sType": "title-string", "aTargets" : [ "title-string" ] }
]
}));
$("#show_only_subscription").prop("checked", false);
$("#show_only_subscription").click(function(){
if ( $(this).prop("checked") ) {
resultst.fnFilter( "1", 0, true );
} else {
resultst.fnFilter( '', 0 );
}
});
$('#merge').click(function (ev) {
var booksellerid;
var mismatch;
var invoices = [ ];
if ($('.select-invoice:checked').size() < 2) {
alert(_("You must select at least two invoices to merge."));
return false;
}
$('.select-invoice:checked').each(function () {
var row = $(this).parents('tr');
booksellerid = booksellerid || $(row).attr('data-booksellerid');
if (booksellerid !== $(row).attr('data-booksellerid')) {
mismatch = true;
}
invoices.push({ 'invoiceid': $(row).attr('data-invoiceid'),
'invoicenumber': $(row).find('td:nth-child(2) a').text(),
'shipmentdate': $(row).attr('data-shipmentdate'),
'billingdate': $(row).attr('data-billingdate'),
'shipmentcost': $(row).attr('data-shipmentcost'),
'shipment_budgetid': $(row).attr('data-shipment_budgetid'),
'closedate': $(row).attr('data-closedate'), });
$('#merge_invoice_form').append('<input type="hidden" name="merge" value="' + $(row).attr('data-invoiceid') + '" />');
});
if (mismatch) {
alert(_("All invoices for merging must be from the same vendor"));
} else {
$('#merge_table tbody').empty();
$.each(invoices, function (idx, invoice) {
var row = $('<tr data-invoiceid="' + invoice.invoiceid + '"><td>' + invoice.invoicenumber + '</td><td>' + invoice.shipmentdate + '</td><td>' + invoice.billingdate + '</td><td>' + invoice.shipmentcost + '</td></tr>');
$(row).appendTo('#merge_table tbody');
$(row).click(function () {
$('#merge_table tbody tr').removeClass('active');
$(this).addClass('active');
$('#merge_invoicenumber').text(invoice.invoicenumber);
$.each(['invoiceid', 'shipmentdate', 'billingdate', 'shipmentcost', 'shipment_budgetid'], function (idx, prop) {
$('#merge_' + prop).val(invoice[prop]);
});
if (invoice.closedate) {
$('#merge_status').text(_("Closed on %s").format(invoice.closedate));
} else {
$('#merge_status').text(_("Open"));
}
});
});
$('#merge_table tbody tr:first').click();
$('#merge_invoices').show();
}
});
});
//]]>
</script>
</head>
<body id="acq_invoices" class="acq">
[% INCLUDE 'header.inc' %]
[% INCLUDE 'acquisitions-search.inc' %]
<div id="breadcrumbs"><a href="/cgi-bin/koha/mainpage.pl">Home</a> &rsaquo; <a href="/cgi-bin/koha/acqui/acqui-home.pl">Acquisitions</a> &rsaquo; Invoices</div>
<div id="doc3" class="yui-t2">
<div id="bd">
<div id="yui-main">
<div class="yui-b">
<h1>Invoices</h1>
[% IF ( do_search ) %]
[% IF invoices %]
<label for="show_only_subscription">
<input type="checkbox" style="vertical-align: middle;" id="show_only_subscription" />
Show only subscriptions
</label>
<table id="resultst">
<thead>
<tr>
<th>&nbsp;</th>
<th>&nbsp;</th>
<th>Invoice no.</th>
<th>Vendor</th>
<th class="title-string">Shipment date</th>
<th class="title-string">Billing date</th>
<th>Received biblios</th>
<th>Received items</th>
<th>Status</th>
<th>&nbsp;</th>
</tr>
</thead>
<tbody>
[% FOREACH invoice IN invoices %]
<tr data-invoiceid="[% invoice.invoiceid %]" data-booksellerid="[% invoice.booksellerid %]" data-shipmentdate="[% invoice.shipmentdate | $KohaDates %]" data-billingdate="[% invoice.billingdate | $KohaDates %]" data-shipmentcost="[% invoice.shipmentcost %]" data-shipment_budgetid="[% invoice.shipmentcost_budgetid %]" data-closedate="[% invoice.closedate | $KohaDates %]">
<td>[% invoice.is_linked_to_subscriptions %]</td>
<td><input type="checkbox" class="select-invoice" value="[% invoice.invoiceid %]" /></td>
<td><a href="/cgi-bin/koha/acqui/invoice.pl?invoiceid=[% invoice.invoiceid %]">[% invoice.invoicenumber %]</a></td>
<td><a href="/cgi-bin/koha/acqui/supplier.pl?booksellerid=[% invoice.booksellerid %]">[% invoice.suppliername %]</a></td>
<td>
[% IF invoice.shipmentdate %]
<span title="[% invoice.shipmentdate %]">[% invoice.shipmentdate | $KohaDates %]</span>
[% ELSE %]
<span title="0000-00-00"></span>
[% END %]
</td>
<td>
[% IF invoice.billingdate %]
<span title="[% invoice.billingdate %]">[% invoice.billingdate | $KohaDates %]</span>
[% ELSE %]
<span title="0000-00-00"></span>
[% END %]
</td>
<td>[% invoice.receivedbiblios %]</td>
<td>[% invoice.receiveditems %]</td>
<td>
[% IF invoice.closedate %]
Closed on [% invoice.closedate | $KohaDates %]
[% ELSE %]
Open
[% END %]
</td>
<td>
<div class="dropdown dropup">
<a class="btn btn-default btn-xs dropdown-toggle" id="invoiceactions[% invoice.invoiceid %]" role="button" data-toggle="dropdown" href="#">
Actions <b class="caret"></b>
</a>
<ul class="dropdown-menu pull-right" role="menu" aria-labelledby="invoiceactions[% invoice.invoiceid %]">
<li><a href="/cgi-bin/koha/acqui/invoice.pl?invoiceid=[% invoice.invoiceid %]"><i class="fa fa-search"></i> Details</a></li>
[% IF invoice.closedate %]
<li><a href="invoice.pl?op=reopen&amp;invoiceid=[% invoice.invoiceid %]&amp;referer=/cgi-bin/koha/acqui/invoices.pl%3Fop=do_search%26invoicenumber=[% invoicenumber %]%26supplier=[% booksellerid %]%26shipmentdatefrom=[% shipmentdatefrom | $KohaDates %]%26shipmentdateto=[% shipmentdateto | $KohaDates %]%26billingdatefrom=[% billingdatefrom | $KohaDates %]%26billingdateto=[% billingdateto | $KohaDates %]%26isbneanissn=[% isbneanissn %]%26title=[% title %]%26author=[% author %]%26publisher=[% publisher %]%26publicationyear=[% publicationyear %]%26branch=[% branch %]"><i class="fa fa-refresh"></i> Reopen</a></li>
[% ELSE %]
<li><a href="invoice.pl?op=close&amp;invoiceid=[% invoice.invoiceid %]&amp;referer=/cgi-bin/koha/acqui/invoices.pl%3Fop=do_search%26invoicenumber=[% invoicenumber %]%26supplier=[% booksellerid %]%26shipmentdatefrom=[% shipmentdatefrom | $KohaDates %]%26shipmentdateto=[% shipmentdateto | $KohaDates %]%26billingdatefrom=[% billingdatefrom | $KohaDates %]%26billingdateto=[% billingdateto | $KohaDates %]%26isbneanissn=[% isbneanissn %]%26title=[% title %]%26author=[% author %]%26publisher=[% publisher %]%26publicationyear=[% publicationyear %]%26branch=[% branch %]"><i class="fa fa-times-circle"></i> Close</a></li>
[% END %]
[% UNLESS invoice.receivedbiblios || invoice.receiveditems %]
<li><a href="invoice.pl?op=delete&amp;invoiceid=[% invoice.invoiceid %]&amp;referer=/cgi-bin/koha/acqui/invoices.pl%3Fop=do_search%26invoicenumber=[% invoicenumber %]%26supplier=[% booksellerid %]%26shipmentdatefrom=[% shipmentdatefrom | $KohaDates %]%26shipmentdateto=[% shipmentdateto | $KohaDates %]%26billingdatefrom=[% billingdatefrom | $KohaDates %]%26billingdateto=[% billingdateto | $KohaDates %]%26isbneanissn=[% isbneanissn %]%26title=[% title %]%26author=[% author %]%26publisher=[% publisher %]%26publicationyear=[% publicationyear %]%26branch=[% branch %]"><i class="fa fa-trash"></i> Delete</a></li>
[% END %]
</ul>
</div>
</td>
</tr>
[% END %]
</tbody>
</table>
<a class="submit" id="merge" href="#merge_invoices">Merge selected invoices</a>
<div id="merge_invoices">
<form id="merge_invoice_form" action="/cgi-bin/koha/acqui/invoice.pl" method="post">
<fieldset class="rows">
<ol>
<li><h2>Merge invoices</h2></li>
<li><table id="merge_table">
<thead><tr><th>Invoice no.</th><th>Shipment date</th><th>Billing date</th><th>Shipment cost</th></tr></thead>
<tbody>
</tbody>
</table></li>
<li><label for="merge_invoicenumber">Invoice number:</label><span id="merge_invoicenumber"></span></li>
<li><label for="merge_shipmentdate">Shipment date:</label>
<input type="text" size="10" id="merge_shipmentdate" name="shipmentdate" value="" class="datepicker" /></li>
<li><label for="merge_billingdate">Billing date:</label>
<input type="text" size="10" id="merge_billingdate" name="billingdate" value="" class="datepicker" /></li>
<li><label for="merge_shipmentcost">Shipment cost:</label>
<input type="text" size="10" id="merge_shipmentcost" name="shipmentcost" value="" /></li>
<li><label for="merge_shipment_budgetid">Fund:</label>
<select id="merge_shipment_budgetid" name="shipment_budget_id">
<option value="">No fund</option>
[% FOREACH budget IN budgets_loop %]
<option value="[% budget.budget_id %]">[% budget.budget_name %]
</option>
[% END %]
</select></li>
<li><span class="label">Status:</span> <span id="merge_status"></span></li>
<li><input type="submit" value="Merge" /></li>
</ol>
<input type="hidden" name="op" value="mod" />
<input type="hidden" id="merge_invoiceid" name="invoiceid" value="" />
</fieldset>
</form>
</div>
[% ELSE %]
<p>Sorry, but there are no results for your search.</p>
<p>Search was:
<ul>
[% IF ( invoicenumber ) %]
<li>Invoice no.: [% invoicenumber |html %]</li>
[% END %]
[% IF booksellerid %]
<li>Vendor: [% suppliername %]</li>
[% END %]
[% IF shipmentdatefrom %]
<li>Shipment date:
[% IF shipmentdateto %]
From [% shipmentdatefrom | $KohaDates %]
To [% shipmentdateto | $KohaDates %]
[% ELSE %]
All since [% shipmentdatefrom | $KohaDates %]
[% END %]
</li>
[% ELSE %]
[% IF shipmentdateto %]
<li>Shipment date:
All until [% shipmentdateto | $KohaDates %]
</li>
[% END %]
[% END %]
[% IF billingdatefrom %]
<li>Billing date:
[% IF billingdateto %]
From [% billingdatefrom | $KohaDates %]
To [% billingdateto | $KohaDates %]
[% ELSE %]
All since [% billingdatefrom | $KohaDates %]
[% END %]
</li>
[% ELSE %]
[% IF billingdateto %]
<li>Billing date:
All until [% billingdateto | $KohaDates %]
</li>
[% END %]
[% END %]
[% IF ( isbneanissn ) %]
<li>ISBN/EAN/ISSN: [% isbneanissn |html %]</li>
[% END %]
[% IF ( title ) %]
<li>Title: [% title |html %]</li>
[% END %]
[% IF ( author ) %]
<li>Author: [% author |html %]</li>
[% END %]
[% IF ( publisher ) %]
<li>Publisher: [% publisher |html %]</li>
[% END %]
[% IF ( publicationyear ) %]
<li>Publication year: [% publicationyear |html %]</li>
[% END %]
[% IF ( branch ) %]
<li>Library: [% Branches.GetName( branch ) %]</li>
[% END %]
</ul>
</p>
[% END %]<!-- invoices -->
[% ELSE %]
<p>Use the search form on the left to find invoices.</p>
[% END %]<!-- do_search -->
</div>
</div>
<div class="yui-b">
<form action="" method="get">
<fieldset class="brief">
<h3>Search filters</h3>
<ol>
<li>
<label for="invoicenumber">Invoice no:</label>
<input type="text" id="invoicenumber" name="invoicenumber" value="[% invoicenumber |html %]" class="focus" />
</li>
<li>
<label for="supplier">Vendor:</label>
<select id="supplier" name="supplierid">
<option value="">All</option>
[% FOREACH supplier IN suppliers_loop %]
[% IF ( supplier.selected ) %]
<option selected="selected" value="[% supplier.booksellerid %]">[% supplier.suppliername %]</option>
[% ELSE %]
<option value="[% supplier.booksellerid %]">[% supplier.suppliername %]</option>
[% END %]
[% END %]
</select>
</li>
<li>
<fieldset class="brief">
<legend>Shipment date</legend>
<ol>
<li>
<label for="shipmentdatefrom">From:</label>
<input type="text" id="shipmentdatefrom" name="shipmentdatefrom" size="10" value="[% shipmentdatefrom | $KohaDates %]" class="datepicker" />
</li>
<li>
<label for="shipmentdateto">To:</label>
<input type="text" id="shipmentdateto" name="shipmentdateto" size="10" value="[% shipmentdateto | $KohaDates %]" class="datepicker" />
</li>
</ol>
</fieldset>
</li>
<li>
<fieldset class="brief">
<legend>Billing date</legend>
<ol>
<li>
<label for="billingdatefrom">From:</label>
<input type="text" id="billingdatefrom" name="billingdatefrom" size="10" value="[% billingdatefrom | $KohaDates %]" class="datepicker" />
</li>
<li>
<label for="billingdateto">To:</label>
<input type="text" id="billingdateto" name="billingdateto" size="10" value="[% billingdateto | $KohaDates %]" class="datepicker" />
</li>
</ol>
</fieldset>
</li>
<li>
<label for="isbneanissn">ISBN / EAN / ISSN:</label>
<input type="text" id="isbneanissn" name="isbneanissn" value="[% isbneanissn |html %]" />
</li>
<li>
<label for="title">Title:</label>
<input type="text" id="title" name="title" value="[% title |html %]" />
</li>
<li>
<label for="author">Author:</label>
<input type="text" id="author" name="author" value="[% author |html %]" />
</li>
<li>
<label for="publisher">Publisher:</label>
<input type="text" id="publisher" name="publisher" value="[% publisher |html %]" />
</li>
<li>
<label for="publicationyear">Publication year:</label>
<input type="text" id="publicationyear" name="publicationyear" value="[% publicationyear |html %]" />
</li>
<li>
<label for="branch">Library:</label>
<select id="branch" name="branch">
<option value="">All</option>
[%# FIXME Should not we filter the libraries %]
[% PROCESS options_for_libraries libraries => Branches.all( selected => branch, unfiltered => 1 ) %]
</select>
</li>
</ol>
<fieldset class="action">
<input type="submit" value="Search" />
</fieldset>
</fieldset>
<input type="hidden" name="op" id="op" value="do_search" />
</form>
[% INCLUDE 'acquisitions-menu.inc' %]
</div>
</div>
[% INCLUDE 'intranet-bottom.inc' %]
View git blame Copy permalink