Koha/koha-tmpl/intranet-tmpl/prog/en/modules/common/patron_search.tt
Jonathan Druart dcd1f5d48c Bug 13618: Add html filters to all the variables
Here we go, next step then.
As we did not fix the performance issue when autofiltering
the variables (see bug 20975), the only solution we have is to add the
filters explicitely.

This patch has been autogenerated (using add_html_filters.pl, see next
pathces) and add the html filter to all the variables displayed in the
template.
Exceptions are made (using the new 'raw' TT filter) to the variable we
already listed in the previous versions of this patch.

To test:
- Use t/db_dependent/Koha/Patrons.t to populate your DB with autogenerated
data which contain <script> tags

- Remove them from borrower_debarments.comments (there are allowed here)
update  borrower_debarments set comment="html tags possible here";

- From the interface hit page and try to catch alert box.
If you find one it means you find a possible XSS.
To know where it comes from:
* note the exact URL where you found it
* note the alert box content
* Dump your DB and search for the string in the dump to identify its
location (for instance table.field)

Next:
* Ideally we would like to use the raw filter when it is not necessary
to HTML escape the variables (in big loop for instance)
* Provide a QA script to catch missing filters (we want html, uri, url
or raw, certainly others that I am forgetting now)
* Replace the html filters with uri when needed (!)

Signed-off-by: Owen Leonard <oleonard@myacpl.org>

Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>

Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
2018-08-17 15:55:05 +00:00

256 lines
10 KiB
Text

[% USE raw %]
[% USE Asset %]
[% USE Koha %]
[% USE Branches %]
[% SET footerjs = 1 %]
[% INCLUDE 'doc-head-open.inc' %]
<title>Koha &rsaquo; Patron search</title>
[% INCLUDE 'doc-head-close.inc' %]
[% Asset.css("css/datatables.css") | $raw %]
</head>
<body id="common_patron_search" class="common">
<div id="patron_search" class="yui-t7">
<div class="container-fluid">
<form id="searchform">
<fieldset class="brief">
<h3>Search for patron</h3>
<ol>
<li>
<label for="searchmember_filter">Search:</label>
<input type="text" id="searchmember_filter" value="[% searchmember | html %]"/>
</li>
<li>
<label for="categorycode_filter">Category:</label>
<select id="categorycode_filter">
<option value="">Any</option>
[% FOREACH category IN categories %]
<option value="[% category.categorycode | html %]">[% category.description | html %]</option>
[% END %]
</select>
</li>
<li>
<label for="branchcode_filter">Library:</label>
<select id="branchcode_filter">
[% SET libraries = Branches.all( only_from_group => 1 ) %]
[% IF libraries.size != 1 %]
<option value="">Any</option>
[% END %]
[% FOREACH l IN libraries %]
<option value="[% l.branchcode | html %]">[% l.branchname | html %]</option>
[% END %]
</select>
</li>
</ol>
<fieldset class="action">
<input type="submit" value="Search" />
</fieldset>
</fieldset>
</form>
[% IF patrons_with_acq_perm_only %]
<div class="hint">Only staff with superlibrarian or acquisitions permissions (or order_manage permission if granular permissions are enabled) are returned in the search results</div>
[% END %]
<div class="browse">
Browse by last name:
[% FOREACH letter IN alphabet.split(' ') %]
<a href="#" class="filterByLetter">[% letter | html %]</a>
[% END %]
</div>
<div id="info" class="dialog message"></div>
<div id="error" class="dialog alert"></div>
<input type="hidden" id="firstletter_filter" value="" />
<div id="searchresults">
<table id="memberresultst">
<thead>
<tr>
[% FOR column IN columns %]
[% SWITCH column %]
[% CASE 'cardnumber' %]<th>Card</th>
[% CASE 'dateofbirth' %]<th>Date of birth</th>
[% CASE 'address' %]<th>Address</th>
[% CASE 'name' %]<th>Name</th>
[% CASE 'branch' %]<th>Library</th>
[% CASE 'category' %]<th>Category</th>
[% CASE 'dateexpiry' %]<th>Expires on</td>
[% CASE 'borrowernotes' %]<th>Notes</th>
[% CASE 'action' %]<th>&nbsp;</th>
[% END %]
[% END %]
</tr>
</thead>
<tbody></tbody>
</table>
</div>
<div id="closewindow"><a href="#" class="btn btn-default btn-default close">Close</a></div>
[% MACRO jsinclude BLOCK %]
[% INCLUDE 'datatables.inc' %]
<script type="text/javascript">
var search = 1;
$(document).ready(function(){
$("#info").hide();
$("#error").hide();
[% IF view != "show_results" %]
$("#searchresults").hide();
search = 0;
[% END %]
// Apply DataTables on the results table
dtMemberResults = $("#memberresultst").dataTable($.extend(true, {}, dataTablesDefaults, {
'bServerSide': true,
'sAjaxSource': "/cgi-bin/koha/svc/members/search",
'fnServerData': function(sSource, aoData, fnCallback) {
if ( ! search ) {
return;
}
aoData.push({
'name': 'searchmember',
'value': $("#searchmember_filter").val()
},{
'name': 'firstletter',
'value': $("#firstletter_filter").val()
},{
'name': 'categorycode',
'value': $("#categorycode_filter").val()
},{
'name': 'branchcode',
'value': $("#branchcode_filter").val()
},{
'name': 'name_sorton',
'value': 'borrowers.surname borrowers.firstname'
},{
'name': 'category_sorton',
'value': 'categories.description',
},{
'name': 'branch_sorton',
'value': 'branches.branchname'
},{
'name': 'template_path',
'value': '[% json_template | html %]',
},{
'name': 'selection_type',
'value': '[% selection_type | html %]',
}
[% IF patrons_with_acq_perm_only %]
,{
'name': 'has_permission',
'value': 'acquisition.order_manage',
}
[% END %]
);
$.ajax({
'dataType': 'json',
'type': 'POST',
'url': sSource,
'data': aoData,
'success': function(json){
fnCallback(json);
}
});
},
'aoColumns':[
[% FOR column IN columns %]
[% IF column == 'action' %]
{ 'mDataProp': 'dt_action', 'bSortable': false, 'sClass': 'actions' }
[% ELSIF column == 'address' %]
{ 'mDataProp': 'dt_address', 'bSortable': false }
[% ELSE %]
{ 'mDataProp': 'dt_[% column | html %]' }
[% END %]
[% UNLESS loop.last %],[% END %]
[% END %]
],
'bAutoWidth': false,
[% IF patrons_with_acq_perm_only %]
'bPaginate': false,
[% ELSE %]
'sPaginationType': 'full_numbers',
"iDisplayLength": [% Koha.Preference('PatronsPerPage') | html %],
[% END %]
'aaSorting': [[[% aaSorting || 0 | html %], 'asc']],
'bFilter': false,
'bProcessing': true,
}));
$("#searchform").on('submit', filter);
$(".filterByLetter").on("click",function(e){
e.preventDefault();
filterByFirstLetterSurname($(this).text());
});
$("body").on("click",".add_user",function(e){
e.preventDefault();
var borrowernumber = $(this).data("borrowernumber");
var firstname = $(this).data("firstname");
var surname = $(this).data("surname");
add_user( borrowernumber, firstname + " " + surname );
});
$("body").on("click",".select_user",function(e){
e.preventDefault();
var borrowernumber = $(this).data("borrowernumber");
var borrower_data = $("#borrower_data"+borrowernumber).val();
select_user( borrowernumber, JSON.parse(borrower_data) );
});
});
function filter() {
search = 1;
$("#firstletter_filter").val('');
$("#searchresults").show();
dtMemberResults.fnDraw();
return false;
}
// User has clicked on a letter
function filterByFirstLetterSurname(letter) {
$("#firstletter_filter").val(letter);
search = 1;
$("#searchresults").show();
dtMemberResults.fnDraw();
}
// modify parent window owner element
[% IF selection_type == 'add' %]
function add_user(borrowernumber, borrowername) {
var p = window.opener;
// In one place (serials/routing.tt), the page is reload on every add
// We have to wait for the page to be there
function wait_for_opener () {
if ( ! $(opener.document).find('body').size() ) {
setTimeout(wait_for_opener, 500);
} else {
[%# Note that add_user could sent data instead of borrowername too %]
$("#info").hide();
$("#error").hide();
if ( p.add_user(borrowernumber, borrowername) < 0 ) {
$("#error").html(_("Patron '%s' is already in the list.").format(borrowername));
$("#error").show();
} else {
$("#info").html(_("Patron '%s' added.").format(borrowername));
$("#info").show();
}
}
}
wait_for_opener();
}
[% ELSIF selection_type == 'select' %]
function select_user(borrowernumber, data) {
var p = window.opener;
p.select_user(borrowernumber, data);
window.close();
}
[% END %]
</script>
[% END %]
[% SET popup_window = 1 %]
[% INCLUDE 'intranet-bottom.inc' %]