Chris Hall d2de76d60d bug 3652 fixing XSS vulnerabilities in opac-search
Signed-off-by: Mason James <mtj@kohaaloha.com>
Signed-off-by: Paul Poulain <paul.poulain@biblibre.com>
2012-10-24 15:44:07 +02:00

319 lines
15 KiB

[% INCLUDE 'doc-head-open.inc' %]
[% IF ( LibraryNameTitle ) %][% LibraryNameTitle %][% ELSE %]Koha online[% END %] catalog &rsaquo;
[% IF ( searchdesc ) %]
Results of search [% IF ( query_desc ) %]for '[% query_desc | html %]'[% END %][% IF ( limit_desc ) %]&nbsp;with limit(s):&nbsp;'[% limit_desc | html %]'[% END %]
[% ELSE %]
You did not specify any search criteria.
[% END %]
[% INCLUDE 'doc-head-close.inc' %]
<link rel="alternate" type="application/rss+xml" title="Koha - RSS"
href="/cgi-bin/koha/opac-rss.pl?[% query_cgi %][% limit_cgi |html %]" />
<script type="text/javascript" src="[% themelang %]/lib/jquery/plugins/jquery.checkboxes.min.js"></script>
<script type="text/javascript">
var q_array = new Array(); // will hold the search terms, if possible
[% IF ( OpacHighlightedWords ) %]
$('a.title').each(function() {
$(this).attr('href', $(this).attr('href') + '&query_desc=[% query_desc | url %]');
[% END %]
$('#sort_by').change(function() {
$("span.clearall").html("<a id=\"CheckNone\" href=\"#\">Clear all</a>");
$("span.checkall").html("<a id=\"CheckAll\" href=\"#\">Select all</a>");
$("span.addto").html("<label for=\"addto\">Add to: </label><select name=\"addto\" id=\"addto\"><option value=\"\"></option>[% IF ( opacbookbag ) %]<option value=\"addtocart\">Cart</option>[% END %][% IF ( virtualshelves ) %][% IF ( loggedinusername ) %]<optgroup label=\"Lists:\">[% IF ( barshelves ) %][% FOREACH barshelvesloo IN barshelvesloop %][% IF ( category == 1 ) %]<option id=\"s[% barshelvesloo.shelfnumber %]\" value=\"addtolist\">[% barshelvesloo.shelfname %]</option>[% END %][% END %][% END %]<option value=\"newlist\">[ New list ]</option></optgroup>[% ELSE %]<option value=\"newlist\">List</option>[% END %][% END %]</select> <input type=\"submit\" class=\"submit\" value=\"Save\" />");
return false;
function cartList(){
if($("#addto").find("option:selected").attr("value") == "addtolist"){
var shelfnumber = $("#addto").find("option:selected").attr("id").replace("s","");
[% IF ( loggedinusername ) %]if (vShelfAdd()) {
Dopop('/cgi-bin/koha/opac-addbybiblionumber.pl?selectedshelf='+shelfnumber+'&' + vShelfAdd());
}[% ELSE %] alert(_('You must be logged in to create or add to Lists')); [% END %]
return false;
} else if($("#addto").find("option:selected").attr("value") == "newlist"){
[% IF ( loggedinusername ) %]if (vShelfAdd()) {
Dopop('/cgi-bin/koha/opac-addbybiblionumber.pl?newshelf=1&' + vShelfAdd());
}[% ELSE %] alert(_('You must be logged in to create or add to Lists')); [% END %]
return false;
if($("#addto").find("option:selected").attr("value") == "addtocart"){
return false;
return false;
return false;
[% IF ( query_desc ) %]
var query_desc = "[% query_desc |replace("'", "\'") |replace('\n', '\\n') |replace('\r', '\\r') |html %]";
q_array = query_desc.split(" ");
// ensure that we don't have "" at the end of the array, which can
// break the highlighter
while (q_array.length > 0 && q_array[q_array.length-1] == "") {
q_array = q_array.splice(0,-1);
$("#highlight_toggle_on" ).hide().click(function() {highlightOn() ;});
$("#highlight_toggle_off").show().click(function() {highlightOff();});
[% END %]
function highlightOff() {
function highlightOn() {
var x;
for (x in q_array) {
<body id="results">
[% INCLUDE 'masthead.inc' %]
<div id="doc3" class="yui-t1">
<div id="bd">
<div id="yui-main">
<div class="yui-b">
[% IF ( koha_spsuggest ) %]
Did you mean:
<ul style="list-style: none;">
<a href="/cgi-bin/koha/opac-search.pl?q=[% SPELL_SUGGES.spsuggestion %]">[% SPELL_SUGGES.spsuggestion %]</a>
[% END %]
[% END %]
[% IF ( query_error ) %]
<div class="dialog alert">
[% query_error %]
[% END %]
<!-- Search Results Table -->
[% IF ( total ) %]
[% IF ( scan ) %]
<h1>Scan index:</h1>
<form action="/cgi-bin/koha/opac-search.pl" method="get">
Scan index for: <input type="text" name="q" id="scan-index" size="35" value="" />
<label for="scan-index">Indexed in:</label>
<select name="idx" id="scan-index">
<option value="">Any word</option>
<option value="kw,phr:">Any phrase</option>
<option value="ti:">Title</option>
<option value="ti,phr:">Title phrase</option>
<option value="au,phr:">Author</option>
<option value="su:">Subject</option>
<option value="su,phr:">Subject phrase</option>
<option value="se:">Series</option>
<option value="pb:">Publisher</option>
<option value="nt:">Notes</option>
<option value="se:">Series Title</option>
<option value="sn:">ISBN</option>
<option value="ss:">ISSN</option>
<input type="hidden" name="scan" value="1" />
<form action="/cgi-bin/koha/opac-search.pl" method="get">
[% IF ( SEARCH_RESULT.even ) %]
<tr class="highlight">
[% ELSE %]
[% END %]
<a href="/cgi-bin/koha/opac-search.pl?q=[% SEARCH_RESULT.scan_use |url %]&quot;[% SEARCH_RESULT.title |url %]&quot;">[% SEARCH_RESULT.title |html %]</a>
[% FOREACH subtitl IN SEARCH_RESULT.subtitle %]
[% subtitl.subfield %]
[% END %]
[% END %]
[% ELSE %]
<div class="searchresults">
<form action="/cgi-bin/koha/opac-search.pl" method="get" name="bookbag_form" id="bookbag_form">
[% IF ( searchdesc ) %]
<input type="hidden" name="[% QUERY_INPUT.input_name |html %]" value="[% QUERY_INPUT.input_value |html %]"/>
[% END %]
<input type="hidden" name="[% LIMIT_INPUT.input_name |html %]" value="[% LIMIT_INPUT.input_value |html %]"/>
[% END %]
[% END %]
<tr><td colspan="3" class="resultscontrol">
<div class="resort"> <select id="sort_by" name="sort_by"> [% INCLUDE 'resort_form.inc' %] </select> <input type="submit" class="submit clearfix" id="sortsubmit" value="Go" /></div>
[% IF ( opacbookbag || virtualshelves ) %]<div class="cartlist"><span class="checkall"></span>
<span class="clearall"></span>
<a href="#" class="highlight_toggle" id="highlight_toggle_off">Unhighlight</a>
<a href="#" class="highlight_toggle" id="highlight_toggle_on">Highlight</a>
<span class="addto"></span></div>
[% END %]
<!-- Actual Search Results -->
<tr class="grouplabel"><td colspan="3">[% SEARCH_RESULT.group_label %]</td></tr>
[% IF ( GROUP_RESULT.even ) %]
<tr class="highlight">
[% ELSE %]
[% END %]
<td>[% IF ( OPACAmazonCoverImages ) %]
<a class="p1" href="/cgi-bin/koha/opac-detail.pl?biblionumber=[% GROUP_RESULT.biblionumber |url %]">[% IF ( GROUP_RESULT.isbn ) %]<img src="http://images.amazon.com/images/P/[% GROUP_RESULT.isbn %].01.TZZZZZZZ.jpg" alt="" class="thumbnail" />[% ELSE %]<img src="http://g-images.amazon.com/images/G/01/x-site/icons/no-img-sm.gif" alt="" class="thumbnail" />[% END %]
[% ELSE %]
[% UNLESS ( noItemTypeImages ) %]
[% IF ( GROUP_RESULT.imageurl ) %]
<img src="[% GROUP_RESULT.imageurl %]" title="[% GROUP_RESULT.description %]" />
[% END %]
[% END %]
[% GROUP_RESULT.description %]
[% END %]
<td>[% GROUP_RESULT.result_number %]. [% IF ( GROUP_RESULT.BiblioDefaultViewmarc ) %]<a class="title" href="/cgi-bin/koha/opac-MARCdetail.pl?biblionumber=[% GROUP_RESULT.biblionumber |url %]" title="View details for this title">[% GROUP_RESULT.title %]
[% ELSE %]
[% IF ( GROUP_RESULT.BiblioDefaultViewisbd ) %]<a class="title" href="/cgi-bin/koha/opac-ISBDdetail.pl?biblionumber=[% GROUP_RESULT.biblionumber |url %]" title="View details for this title">[% GROUP_RESULT.title %]
[% ELSE %]<a class="title" href="/cgi-bin/koha/opac-detail.pl?biblionumber=[% GROUP_RESULT.biblionumber |url %]" title="View details for this title">[% GROUP_RESULT.title %]
[% END %]
[% FOREACH subtitl IN GROUP_RESULT.subtitle %]
[% subtitl.subfield %]
[% END %]
[% END %]
[% IF ( GROUP_RESULT.author ) %]by <a href="/cgi-bin/koha/opac-search.pl?q=au:[% GROUP_RESULT.author |url %]" title="Search for works by this author">[% GROUP_RESULT.author %]</a>
[% ELSE %]&nbsp;[% END %]
<p> [% IF ( GROUP_RESULT.publicationyear ) %] - [% GROUP_RESULT.publicationyear %][% END %]
[% IF ( GROUP_RESULT.publishercode ) %]- [% GROUP_RESULT.publishercode %][% END %]
[% IF ( GROUP_RESULT.place ) %] ; [% GROUP_RESULT.place %][% END %]
[% IF ( GROUP_RESULT.pages ) %] - [% GROUP_RESULT.pages %][% END %]
[% IF ( GROUP_RESULT.notes ) %] : [% GROUP_RESULT.notes %][% END %]
[% IF ( GROUP_RESULT.size ) %] ; [% GROUP_RESULT.size %][% END %]
[% IF ( GROUP_RESULT.timestamp ) %] <i>(modified on [% GROUP_RESULT.timestamp %])</i>[% END %]
[% IF ( GROUP_RESULT.searchhighlightblob ) %]<p class="searchhighlightblob">[% GROUP_RESULT.searchhighlightblob %]</p>[% END %]
<p class="availability">
[% IF ( GROUP_RESULT.available_items_loop ) %]
<span class="available"><strong>Copies available at:</strong>
[% FOREACH available_items_loo IN GROUP_RESULT.available_items_loop %]
[% IF ( available_items_loo.branchname ) %][% available_items_loo.branchname %][% END %]
[% IF ( OPACItemsResultsDisplay ) %]
[% IF ( available_items_loo.location ) %][% available_items_loo.location %][% END %]
[% IF ( available_items_loo.itemcallnumber ) %][<a href="/cgi-bin/koha/opac-search.pl?q=callnum:[% available_items_loo.itemcallnumber |url %]">[% available_items_loo.itemcallnumber %]</a>][% END %]
[% END %]
([% available_items_loo.count %]),
[% END %]
[% ELSE %]
<span class="unavailable">No items available:</span>
[% END %]
<span class="unavailable">
[% IF ( GROUP_RESULT.onloancount ) %] Checked out ([% GROUP_RESULT.onloancount %]), [% END %]
[% IF ( GROUP_RESULT.wthdrawncount ) %] Withdrawn ([% GROUP_RESULT.wthdrawncount %]), [% END %]
[% IF ( GROUP_RESULT.itemlostcount ) %] Lost ([% GROUP_RESULT.itemlostcount %]),[% END %]
[% IF ( GROUP_RESULT.damagedcount ) %] Damaged ([% GROUP_RESULT.damagedcount %]),[% END %]
[% IF ( GROUP_RESULT.orderedcount ) %] On order ([% GROUP_RESULT.orderedcount %]),[% END %]
[% IF ( GROUP_RESULT.intransitcount ) %] In transit ([% GROUP_RESULT.intransitcount %]),[% END %]
[% IF ( RequestOnOpac ) %]
[% UNLESS ( GROUP_RESULT.norequests ) %]
[% IF ( opacuserlogin ) %]
[% IF ( AllowOnShelfHolds ) %]
<a class="hold" href="/cgi-bin/koha/opac-reserve.pl?biblionumber=[% GROUP_RESULT.biblionumber %]">Place hold</a><!-- add back when available 0 holds in queue-->
[% ELSE %]
[% IF ( GROUP_RESULT.itemsissued ) %]
<a class="hold" href="/cgi-bin/koha/opac-reserve.pl?biblionumber=[% GROUP_RESULT.biblionumber %]">Place hold</a><!-- add back when available 0 holds in queue-->
[% END %]
[% END %]
[% END %]
[% END %]
[% END %]
[% IF ( opacbookbag || virtualshelves ) %]<input type="checkbox" name="biblionumber" value="[% GROUP_RESULT.biblionumber %]" title="Click to add to cart" /> <label for="bib[% GROUP_RESULT.biblionumber %]">[% END %]<img src="[% themelang %]/images/[% GROUP_RESULT.itemtype %].gif" alt="[% GROUP_RESULT.ccode %]" title="[% GROUP_RESULT.ccode %]" />[% IF ( opacbookbag || virtualshelves ) %]</label>[% END %] [% IF ( GROUP_RESULT.classification ) %]
<a href="/cgi-bin/koha/opac-search.pl?q=callnum:[% GROUP_RESULT.classification |url %]">
[% GROUP_RESULT.classification %]
[% END %]</p>
[% END %]
[% END %]
[% END %]
[% INCLUDE 'page-numbers.inc' %]
[% ELSE %]
[% END %]
[% IF ( suggestion ) %]
[% IF ( AnonSuggestions ) %]<div class="suggestion">Not finding what you're looking for?<br /> Make a <a href="/cgi-bin/koha/opac-suggestions.pl?op=add">purchase suggestion</a></div>[% ELSE %][% IF ( loggedinusername ) %]<div class="suggestion">Not finding what you're looking for?<br /> Make a <a href="/cgi-bin/koha/opac-suggestions.pl?op=add">purchase suggestion</a></div>[% END %][% END %]
[% END %]
<div class="yui-b">
[% IF ( opacfacets ) %]
[% INCLUDE 'opac-facets.inc' %]
[% END %]
<!-- FACETS END -->
[% INCLUDE 'opac-bottom.inc' %]