Koha-community/Koha
13
7
Fork 0
Code Issues Releases Wiki Activity
Koha/koha-tmpl/intranet-tmpl/prog/en/modules/circ/article-requests.tt
Jonathan Druart dcd1f5d48c Bug 13618: Add html filters to all the variables 
Here we go, next step then.
As we did not fix the performance issue when autofiltering
the variables (see bug 20975), the only solution we have is to add the
filters explicitely.

This patch has been autogenerated (using add_html_filters.pl, see next
pathces) and add the html filter to all the variables displayed in the
template.
Exceptions are made (using the new 'raw' TT filter) to the variable we
already listed in the previous versions of this patch.

To test:
- Use t/db_dependent/Koha/Patrons.t to populate your DB with autogenerated
data which contain <script> tags

- Remove them from borrower_debarments.comments (there are allowed here)
update  borrower_debarments set comment="html tags possible here";

- From the interface hit page and try to catch alert box.
If you find one it means you find a possible XSS.
To know where it comes from:
* note the exact URL where you found it
* note the alert box content
* Dump your DB and search for the string in the dump to identify its
location (for instance table.field)

Next:
* Ideally we would like to use the raw filter when it is not necessary
to HTML escape the variables (in big loop for instance)
* Provide a QA script to catch missing filters (we want html, uri, url
or raw, certainly others that I am forgetting now)
* Replace the html filters with uri when needed (!)

Signed-off-by: Owen Leonard <oleonard@myacpl.org>

Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>

Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
2018-08-17 15:55:05 +00:00

473 lines
26 KiB
Text
Raw Blame History

[% USE KohaDates %]
[% USE ItemTypes %]
[% USE Branches %]
[% USE AuthorisedValues %]
[% SET footerjs = 1 %]
[% INCLUDE 'doc-head-open.inc' %]
<title>Koha &rsaquo; Circulation &rsaquo; Article requests</title>
[% INCLUDE 'doc-head-close.inc' %]
<style type="text/css"> p { margin-top: 0; } [id^="article-menu-"] { display: none; } [id^="article-menu-"]:before { content: "|"; }</style>
</head>
[% BLOCK actions %]
<div id="[% menuid | html %]" class="dropdown">
<a class="btn btn-default btn-xs dropdown-toggle ar-actions" role="button" data-toggle="dropdown" href="#">
Actions <b class="caret"></b>
</a>
<ul class="dropdown-menu [% pull_right | html %]" role="menu" aria-labelledby="[% aria_menu | html %]">
<li>
<a class="ar-process-request" href="#" onclick="HandleMulti( Process, [% id_arg | html %], $(this) ); return false;">
<i class="fa fa-cog"></i>
Process request
</a>
<a class="ar-complete-request" href="#" onclick="HandleMulti( Complete, [% id_arg | html %], $(this) ); return false;">
<i class="fa fa-check-circle"></i>
Complete request
</a>
<a class="ar-cancel-request" href="#" onclick="HandleMulti( Cancel, [% id_arg | html %], $(this) ); return false;">
<i class="fa fa-minus-circle"></i>
Cancel request
</a>
[% IF id_arg %][%# TODO: Does not work with multi-select %]
<a class="ar-print-request" href="#" onclick="HandleMulti( PrintSlip, [% id_arg | html %], $(this) ); return false;">
<i class="fa fa-print"></i>
Print slip
</a>
[% END %]
</li>
</ul>
</div>
[% END %]
<body id="circ_article-requests" class="circ">
[% INCLUDE 'header.inc' %]
[% INCLUDE 'cat-search.inc' %]
<div id="breadcrumbs">
<a href="/cgi-bin/koha/mainpage.pl">Home</a>
&rsaquo;
<a href="/cgi-bin/koha/circ/circulation-home.pl">Circulation</a>
&rsaquo;
<a href="/cgi-bin/koha/circ/article-requests.pl">Article requests</a>
</div>
<div class="main container-fluid">
<div class="row">
<div class="col-md-10 col-md-offset-1 col-lg-8 col-lg-offset-2">
<h1>Article requests</h1>
<form id="ar-branchcode-form" method="post">
<select name="branchcode" id="branchcode">
<option value="">All libraries</option>
[% FOREACH b IN Branches.all( only_from_group => 1 ) %]
[% IF b.branchcode == branchcode %]
<option value="[% b.branchcode | html %]" selected="selected">[% b.branchname | html %]</option>
[% ELSE %]
<option value="[% b.branchcode | html %]">[% b.branchname | html %]</option>
[% END %]
[% END %]
</select>
<button type="submit" class="btn btn-default btn-xs">
<i class="fa fa-refresh"></i> Update
</button>
</form>
<div id="article-request-tabs" class="toptabs">
<ul>
<li>
<a href="#article-requests-pending">
Pending (<span id="ar_pending_count">[% article_requests_pending.count | html %]</span>)
</a>
</li>
<li>
<a href="#article-requests-processing">
Processing (<span id="ar_processing_count">[% article_requests_processing.count | html %]</span>)
</a>
</li>
</ul>
<div id="article-requests-pending">
<div class="article-requests-pending_table_controls">
<a href="#" class="SelectAll"><i class="fa fa-check"></i> Select all</a> | <a href="#" class="ClearAll"><i class="fa fa-remove"></i> Clear all</a>
[% PROCESS actions menuid='article-menu-pending' id_arg=0 pull_right='' aria_menu='table_controls' %]
</div>
<table id="article-requests-pending-table">
<thead>
<tr>
<th/>
<th class="ar-title">Title</th>
<th class="ar-request">Requested article</th>
<th class="ar-collection">Collection</th>
<th class="ar-itemtype">Item type</th>
<th class="ar-callnumber">Call number</th>
<th class="ar-copynumber">Copy number</th>
<th class="ar-enumchron">Enumeration</th>
<th class="ar-barcode">Barcode</th>
<th class="ar-patron">Patron</th>
<th class="ar-date">Date</th>
<th class="ar-actions">Actions</th>
</tr>
</thead>
<tbody>
<tr class="ar-pending-none">
<td colspan="12">
There are no pending article requests at this time.
</td>
</tr>
[% FOREACH ar IN article_requests_pending %]
<tr class="ar-row ar-pending">
<td><input type="checkbox" reqid="[% ar.id | html %]"/></td>
<td class="ar-title">
<p>
<a href="/cgi-bin/koha/circ/request-article.pl?biblionumber=[% ar.biblionumber | html %]">
<strong>[% ar.biblio.title | html %]</strong>
[% FOREACH s IN itemsloo.subtitle %] [% s | html %][% END %]
</a>
</p>
<p>
<div class="ar-biblionumber content_hidden">[% ar.biblionumber | html %]</div>
<div class="ar-author">[% ar.biblio.author | html %]</div>
<div class="ar-pubdata">
[% ar.biblio.biblioitem.publishercode | html %]
[% IF ar.biblio.biblioitem.publicationyear %]
[% ar.biblio.biblioitem.publicationyear | html %]
[% ELSIF ar.biblio.copyrightdate %]
[% ar.biblio.copyrightdate | html %]
[% END %]
[% IF ar.biblio.biblioitem.pages %]
: [% ar.biblio.biblioitem.pages | html %]
[% END %]
[% r.biblio.biblioitem.size | html %]
[% IF ar.biblio.biblioitem.isbn %]
ISBN: [% ar.biblio.biblioitem.isbn | html %]
[% END %]
</div>
</p>
</td>
<td class="ar-request">
[% IF ar.title %] <p><strong>Title:</strong> [% ar.title | html %] </p> [% END %]
[% IF ar.author %] <p><strong>Author:</strong> [% ar.author | html %] </p> [% END %]
[% IF ar.volume %] <p><strong>Volume:</strong> [% ar.volume | html %] </p> [% END %]
[% IF ar.issue %] <p><strong>Issue:</strong> [% ar.issue | html %] </p> [% END %]
[% IF ar.date %] <p><strong>Date:</strong> [% ar.date | html %] </p> [% END %]
[% IF ar.pages %] <p><strong>Pages:</strong> [% ar.pages | html %] </p> [% END %]
[% IF ar.chapters %] <p><strong>Chapters:</strong> [% ar.chapters | html %] </p> [% END %]
[% IF ar.patron_notes %] <p><strong>Patron notes:</strong> [% ar.patron_notes | html %] </p> [% END %]
</td>
<td class="ar-collection">[% AuthorisedValues.GetByCode( 'CCODE', ar.item.ccode ) | html %]</td>
<td class="ar-itemtype">[% ItemTypes.GetDescription( ar.item.effective_itemtype ) | html %]</td>
<td class="ar-callnumber">
[% IF ar.item.location %]
<em>[% AuthorisedValues.GetByCode( 'LOC', ar.item.location ) | html %]</em>
[% END %]
[% ar.item.itemcallnumber | html %]
</td>
<td class="ar-copynumber">[% ar.item.copynumber | html %]</td>
<td class="ar-enumchron">[% ar.item.enumchron | html %]</td>
<td class="ar-barcode">[% ar.item.barcode | html %]</td>
<td class="ar-patron">
<p>
<a href="/cgi-bin/koha/circ/circulation.pl?findborrower=[% ar.borrower.cardnumber | html %]">
[% ar.borrower.surname | html %][% IF ar.borrower.firstname %], [% ar.borrower.firstname | html %][% END %] ([% ar.borrower.cardnumber | html %])
</a>
</p>
<p>[% ar.borrower.phone | html %]</p>
</td>
<td class="ar-date"><span title="[% ar.created_on | html %]">[% ar.created_on | $KohaDates %]</span></td>
<td class="ar-actions">
<div class="dropdown">
[% PROCESS actions menuid = "row" _ ar.id id_arg=ar.id pull_right='pull-right' aria_menu='ar-actions' %]
</div>
</td>
</tr>
[% END %]
</tbody>
</table>
</div>
<div id="article-requests-processing">
<div class="article-requests-processing_table_controls">
<a href="#" class="SelectAll"><i class="fa fa-check"></i> Select all</a> | <a href="#" class="ClearAll"><i class="fa fa-remove"></i> Clear all</a>
[% PROCESS actions menuid='article-menu-processing' id_arg=0 pull_right='' aria_menu='table_controls' %]
</div>
<table id="article-requests-processing-table">
<thead>
<tr>
<th/>
<th class="ar-title">Title</th>
<th class="ar-request">Requested article</th>
<th class="ar-collection">Collection</th>
<th class="ar-itemtype">Item type</th>
<th class="ar-callnumber">Call number</th>
<th class="ar-copynumber">Copy number</th>
<th class="ar-enumchron">Enumeration</th>
<th class="ar-barcode">Barcode</th>
<th class="ar-patron">Patron</th>
<th class="ar-date">Date</th>
<th class="ar-actions">Actions</th>
</tr>
</thead>
<tbody>
<tr class="ar-processing-none">
<td colspan="12">
There are no article requests in processing at this time.
</td>
</tr>
[% FOREACH ar IN article_requests_processing %]
<tr class="ar-row ar-processing">
<td><input type="checkbox" reqid="[% ar.id | html %]"/></td>
<td class="ar-title">
<p>
<a href="/cgi-bin/koha/catalogue/detail.pl?biblionumber=[% ar.biblionumber | html %]">
<strong>[% ar.biblio.title | html %]</strong>
[% FOREACH s IN itemsloo.subtitle %] [% s | html %][% END %]
</a>
</p>
<p>
<div class="ar-biblionumber content_hidden">[% ar.biblionumber | html %]</div>
<div class="ar-author">[% ar.biblio.author | html %]</div>
<div class="ar-pubdata">
[% ar.biblio.biblioitem.publishercode | html %]
[% IF ar.biblio.biblioitem.publicationyear %]
[% ar.biblio.biblioitem.publicationyear | html %]
[% ELSIF ar.biblio.copyrightdate %]
[% ar.biblio.copyrightdate | html %]
[% END %]
[% IF ar.biblio.biblioitem.pages %]
: [% ar.biblio.biblioitem.pages | html %]
[% END %]
[% r.biblio.biblioitem.size | html %]
[% IF ar.biblio.biblioitem.isbn %]
ISBN: [% ar.biblio.biblioitem.isbn | html %]
[% END %]
</div>
</p>
</td>
<td class="ar-request">
[% IF ar.title %] <p><strong>Title:</strong> [% ar.title | html %] </p> [% END %]
[% IF ar.author %] <p><strong>Author:</strong> [% ar.author | html %] </p> [% END %]
[% IF ar.volume %] <p><strong>Volume:</strong> [% ar.volume | html %] </p> [% END %]
[% IF ar.issue %] <p><strong>Issue:</strong> [% ar.issue | html %] </p> [% END %]
[% IF ar.date %] <p><strong>Date:</strong> [% ar.date | html %] </p> [% END %]
[% IF ar.pages %] <p><strong>Pages:</strong> [% ar.pages | html %] </p> [% END %]
[% IF ar.chapters %] <p><strong>Chapters:</strong> [% ar.chapters | html %] </p> [% END %]
[% IF ar.patron_notes %] <p><strong>Patron notes:</strong> [% ar.patron_notes | html %] </p> [% END %]
</td>
<td class="ar-collection">[% AuthorisedValues.GetByCode( 'CCODE', ar.item.ccode ) | html %]</td>
<td class="ar-itemtype">[% ItemTypes.GetDescription( ar.item.effective_itemtype ) | html %]</td>
<td class="ar-callnumber">
[% IF ar.item.location %]
<em>[% AuthorisedValues.GetByCode( 'LOC', ar.item.location ) | html %]</em>
[% END %]
[% ar.item.itemcallnumber | html %]
</td>
<td class="ar-copynumber">[% ar.item.copynumber | html %]</td>
<td class="ar-enumchron">[% ar.item.enumchron | html %]</td>
<td class="ar-barcode">[% ar.item.barcode | html %]</td>
<td class="ar-patron">
<p>
<a href="/cgi-bin/koha/circ/circulation.pl?findborrower=[% ar.borrower.cardnumber | html %]">
[% ar.borrower.surname | html %][% IF ar.borrower.firstname %], [% ar.borrower.firstname | html %][% END %] ([% ar.borrower.cardnumber | html %])
</a>
</p>
<p>[% ar.borrower.phone | html %]</p>
</td>
<td class="ar-date"><span title="[% ar.created_on | html %]">[% ar.created_on | $KohaDates %]</span></td>
<td class="ar-actions">
<div class="dropdown">
[% PROCESS actions menuid="table_" _ ar.id id_arg=ar.id pull_right='pull-right' aria_menu='ar-actions' %]
</div>
</td>
</tr>
[% END %]
</tbody>
</table>
</div>
<br/>
</div>
</div>
</div>
</div>
[% MACRO jsinclude BLOCK %]
<script>
var active_table = "#article-requests-pending";
var last_cancel_reason;
$(document).ready(function() {
$('#article-request-tabs').tabs({
activate: function( activate_event, activate_ui ) {
active_table = activate_ui.newPanel.selector;
activateBatchActions( active_table );
},
create: function( create_event, create_ui ){
active_table = create_ui.panel.selector;
},
});
activateBatchActions( active_table );
[% IF article_requests_pending.count %]
$(".ar-pending-none").hide();
[% END %]
[% IF article_requests_processing.count %]
$(".ar-processing-none").hide();
[% END %]
$( "input:checkbox", active_table ).on("change", function(){
activateBatchActions( active_table );
});
$(".SelectAll").on("click", function(e) {
e.preventDefault();
$( active_table + " input[type='checkbox']").prop('checked', true);
activateBatchActions( active_table );
});
$(".ClearAll").on("click", function(e) {
e.preventDefault();
$( active_table + " input[type='checkbox']").prop('checked', false);
activateBatchActions( active_table );
});
$("a.ar-actions").on('click', function(e) {
// Hide menu option ?
if( $('#article-requests-processing-table').is(":visible") )
$('a.ar-process-request').hide();
else $('a.ar-process-request').show();
});
});
function activateBatchActions( active_table ){
// Check to see whether batch menu should be shown based on state of checkboxes
if ( $( "input:checkbox", active_table ).length > 0 ) {
// There are rows with checkboxes
$( "[class$='_table_controls']", active_table ).show();
if ( $( "input:checkbox:checked", active_table ).length > 0 ) {
$( "[id^='article-menu-']", active_table ).css("display","inline-block");
} else {
$( "[id^='article-menu-']", active_table ).hide();
}
} else {
// All rows have been removed
$("[class$='_table_controls']", active_table ).hide();
}
}
function HandleMulti( fnHandler, id, a ) {
last_cancel_reason = undefined;
if( id !== 0 ) { fnHandler( id, a ); return; }
$( active_table + " input[type='checkbox']:checked").each(function() {
fnHandler( $(this).attr('reqid'), $(this).closest('tr').find('td.ar-actions div a') );
});
}
function PrintSlip(id, a) {
var link = 'article-request-slip.pl?id='+id;
window.open(link, 'popup', 'width=600,height=400,resizable=1,toolbar=0,scrollbars=1,top');
}
function Cancel( id, a ) {
// last_cancel_reason: undefined means 'prompt for new reason'
// a null value indicates that prompt was cancelled
if( last_cancel_reason === undefined ) last_cancel_reason = prompt(_("Please specify the reason for cancelling selected item(s):"));
if ( last_cancel_reason === null ) {
return;
}
a.closest('td').prepend('<img src="[% interface | html %]/[% theme | html %]/img/spinner-small.gif"/>').find('div.dropdown').hide();
$.ajax({
type: "POST",
url: '/cgi-bin/koha/svc/article_request',
data: {
action: 'cancel',
id: id,
notes: last_cancel_reason
},
success: function( data ) {
a.closest('tr').remove();
UpdateTabCounts();
activateBatchActions( active_table );
},
dataType: 'json'
});
}
function Process( id, a ) {
var table_row = a.closest('tr').clone();
table_row.find('.ar-process-request').remove();
table_row.find('input[type="checkbox"]').prop('checked', false);
a.closest('td').prepend('<img src="[% interface | html %]/[% theme | html %]/img/spinner-small.gif"/>').find('div.dropdown').hide();
$.ajax({
type: "POST",
url: '/cgi-bin/koha/svc/article_request',
data: {
action: 'process',
id: id,
},
success: function( data ) {
a.closest('tr').remove();
$("#article-requests-processing-table").append( table_row );
$("#article-requests-processing-table .ar-processing-none").hide();
UpdateTabCounts();
activateBatchActions( active_table );
},
dataType: 'json'
});
}
function Complete( id, a ) {
a.closest('td').prepend('<img src="[% interface | html %]/[% theme | html %]/img/spinner-small.gif"/>').find('div.dropdown').hide();
$.ajax({
type: "POST",
url: '/cgi-bin/koha/svc/article_request',
data: {
action: 'complete',
id: id,
},
success: function( data ) {
a.closest('tr').remove();
UpdateTabCounts();
activateBatchActions( active_table );
},
dataType: 'json'
});
}
function UpdateTabCounts() {
var pending_count = $('#article-requests-pending-table tbody tr.ar-row').length;
$("#ar_pending_count").html( pending_count );
if ( pending_count == 0 ) $(".ar-pending-none").show();
var processing_count = $('#article-requests-processing-table tbody tr.ar-row').length;
$("#ar_processing_count").html( processing_count );
if ( processing_count == 0 ) $(".ar-processing-none").show();
}
</script>
[% END %]
[% INCLUDE 'intranet-bottom.inc' %]
View git blame Copy permalink