dcd1f5d48c
Here we go, next step then. As we did not fix the performance issue when autofiltering the variables (see bug 20975), the only solution we have is to add the filters explicitely. This patch has been autogenerated (using add_html_filters.pl, see next pathces) and add the html filter to all the variables displayed in the template. Exceptions are made (using the new 'raw' TT filter) to the variable we already listed in the previous versions of this patch. To test: - Use t/db_dependent/Koha/Patrons.t to populate your DB with autogenerated data which contain <script> tags - Remove them from borrower_debarments.comments (there are allowed here) update borrower_debarments set comment="html tags possible here"; - From the interface hit page and try to catch alert box. If you find one it means you find a possible XSS. To know where it comes from: * note the exact URL where you found it * note the alert box content * Dump your DB and search for the string in the dump to identify its location (for instance table.field) Next: * Ideally we would like to use the raw filter when it is not necessary to HTML escape the variables (in big loop for instance) * Provide a QA script to catch missing filters (we want html, uri, url or raw, certainly others that I am forgetting now) * Replace the html filters with uri when needed (!) Signed-off-by: Owen Leonard <oleonard@myacpl.org> Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com> Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
110 lines
7.4 KiB
Text
110 lines
7.4 KiB
Text
[% USE Koha %]
|
|
[% INCLUDE 'doc-head-open.inc' %]
|
|
<title>[% IF ( LibraryNameTitle ) %][% LibraryNameTitle | html %][% ELSE %]Koha online[% END %] catalog › Your privacy management</title>
|
|
[% INCLUDE 'doc-head-close.inc' %]
|
|
[% BLOCK cssinclude %][% END %]
|
|
</head>
|
|
[% INCLUDE 'bodytag.inc' bodyid='opac-privacy' %]
|
|
[% INCLUDE 'masthead.inc' %]
|
|
|
|
<div class="main">
|
|
<ul class="breadcrumb">
|
|
<li><a href="/cgi-bin/koha/opac-main.pl">Home</a> <span class="divider">›</span></li>
|
|
<li><a href="/cgi-bin/koha/opac-user.pl">[% INCLUDE 'patron-title.inc' patron = logged_in_user %]</a> <span class="divider">›</span></li>
|
|
<li><a href="#">Your privacy management</a></li>
|
|
</ul>
|
|
|
|
<div class="container-fluid">
|
|
<div class="row-fluid">
|
|
<div class="span2">
|
|
<div id="navigation">
|
|
[% INCLUDE 'navigation.inc' IsPatronPage=1 %]
|
|
</div>
|
|
</div>
|
|
<div class="span10">
|
|
<div id="userprivacy">
|
|
<h3>Your privacy management</h3>
|
|
|
|
[% IF deleted %]
|
|
<div class="alert alert-success">Your reading history has been deleted.</div>
|
|
[% ELSIF history_not_deleted %]
|
|
<div class="alert">The deletion of your reading history failed, because there is a problem with the configuration of this feature. Please help to fix the system by informing your library of this error</div>
|
|
[% ELSIF nothing_to_delete %]
|
|
<div class="alert">No reading history to delete</div>
|
|
[% END %]
|
|
|
|
[% IF ( privacy_updated ) %]
|
|
<div class="alert alert-success">Your privacy rules have been updated.</div>
|
|
[% END %]
|
|
|
|
[% IF ( Ask_data ) %]
|
|
<p>We take great care in protecting your privacy. On this screen, you can define how long we keep your reading history.</p>
|
|
<p>Your options are: <p>
|
|
<ul id="opac-privacy-options-list">
|
|
<li class="privacy0">Forever: keep my reading history without limit. This is the option for users who want to keep track of what they are reading.</li>
|
|
<li class="privacy1">Default: keep my reading history according to local laws. This is the default option : the library will keep your reading history for the duration permitted by local laws.</li>
|
|
<li class="privacy2">Never: Delete my reading history immediately. This will delete all record of the item that was checked-out upon check-in.</li>
|
|
</ul>
|
|
<p id="note1">Please note that information on any book still checked-out must be kept by the library no matter which privacy option you choose.</p>
|
|
<p id="note2">Please also note that the library staff can't update these values for you: it's your privacy!</p>
|
|
<form action="/cgi-bin/koha/opac-privacy.pl" method="post" id="opac-privacy-update-form">
|
|
<input type="hidden" name="op" value="update_privacy" />
|
|
<fieldset>
|
|
<label for="privacy">Please choose your privacy rule:</label>
|
|
<div>
|
|
<select name="privacy" id="privacy">
|
|
[% IF ( privacy0 ) %]
|
|
<option value="0" selected="selected" class="privacy0">Forever</option>
|
|
[% ELSE %]
|
|
<option value="0" class="privacy0">Forever</option>
|
|
[% END %]
|
|
[% IF ( privacy1 ) %]
|
|
<option value="1" selected="selected" class="privacy1">Default</option>
|
|
[% ELSE %]
|
|
<option value="1" class="privacy1">Default</option>
|
|
[% END %]
|
|
[% IF ( privacy2 ) %]
|
|
<option value="2" selected="selected" class="privacy2">Never</option>
|
|
[% ELSE %]
|
|
<option value="2" class="privacy2">Never</option>
|
|
[% END %]
|
|
</select>
|
|
</div>
|
|
|
|
[% IF borrower.guarantorid && Koha.Preference('AllowPatronToSetCheckoutsVisibilityForGuarantor') %]
|
|
<div>
|
|
<label for="privacy_guarantor_checkouts">Allow your guarantor to view your current checkouts?</label>
|
|
<select name="privacy_guarantor_checkouts">
|
|
[% IF borrower.privacy_guarantor_checkouts %]
|
|
<option value="0">No</option>
|
|
<option value="1" selected>Yes</option>
|
|
[% ELSE %]
|
|
<option value="0" selected>No</option>
|
|
<option value="1">Yes</option>
|
|
[% END %]
|
|
</select>
|
|
<span class="hint">
|
|
Your guarantor is <i>[% borrower.guarantor.firstname | html %] [% borrower.guarantor.surname | html %]</i>
|
|
</span>
|
|
</div>
|
|
[% END %]
|
|
|
|
<button type="Submit" class="btn">Save</button>
|
|
</fieldset>
|
|
</form>
|
|
<h2>Immediate deletion</h2>
|
|
<form action="/cgi-bin/koha/opac-privacy.pl" method="post" id="opac-privacy-delete-form">
|
|
<input type="hidden" name="op" value="delete_record" />
|
|
<p>Whatever your privacy rule you choose, you can delete all your reading history immediately by clicking here. <b>BE CAREFUL</b>. Once you've confirmed the deletion, no one can retrieve the list!</p>
|
|
<input type="submit" value="Immediate deletion" class="btn btn-danger" onclick="return confirmDelete(MSG_CONFIRM_AGAIN);" />
|
|
</form>
|
|
[% IF Koha.Preference('StoreLastBorrower') %]<p id="store-last-borrower-msg">Please note, the last person to return an item is tracked for the management of items returned damaged.</p>[% END %]
|
|
[% END # / IF Ask_data %]
|
|
</div> <!-- / .userprivacy -->
|
|
</div> <!-- / .span10 -->
|
|
</div> <!-- / .row-fluid -->
|
|
</div> <!-- / .container-fluid -->
|
|
</div> <!-- / .main -->
|
|
|
|
[% INCLUDE 'opac-bottom.inc' %]
|
|
[% BLOCK jsinclude %][% END %]
|