d31c635fe2
To Test 1. Hit the page /cgi-bin/koha/acqui/basketheader.pl?booksellerid=1&op=add_form 2. Add a text in the field Basket name, Internal note, Vendor note that contains java script 3. Save the page 4. Notice js is execute 5. Apply patch, reload, js is escaped. Fixed XSS on pages basket.pl/basketheader.pl/bookseller.pl Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de> Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl> Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
126 lines
5.8 KiB
Text
126 lines
5.8 KiB
Text
[% USE Branches %]
|
|
[% INCLUDE 'doc-head-open.inc' %]
|
|
<title>Koha › Acquisitions ›
|
|
[% IF ( add_form ) %]
|
|
[% IF ( basketno ) %]Edit basket '[% basketname %]'
|
|
[% ELSE %]Add a basket to [% booksellername %]
|
|
[% END %]
|
|
[% END %]
|
|
</title>
|
|
[% INCLUDE 'doc-head-close.inc' %]
|
|
<script type="text/javascript" src="[% interface %]/[% theme %]/js/acq.js"></script>
|
|
</head>
|
|
<body id="acq_basketheader" class="acq">
|
|
[% INCLUDE 'header.inc' %]
|
|
[% INCLUDE 'acquisitions-search.inc' %]
|
|
|
|
<div id="breadcrumbs">
|
|
<a href="/cgi-bin/koha/mainpage.pl">Home</a> ›
|
|
<a href="/cgi-bin/koha/acqui/acqui-home.pl">Acquisitions</a> ›
|
|
<a href="/cgi-bin/koha/acqui/supplier.pl?booksellerid=[% booksellerid %]">[% booksellername %]</a> ›
|
|
[% IF ( add_form ) %]
|
|
[% IF ( basketno ) %]Edit basket '[% basketname |html %]'
|
|
[% ELSE %]Add a basket to [% booksellername %]
|
|
[% END %]
|
|
[% END %]
|
|
</div>
|
|
|
|
<div id="doc" class="yui-t7">
|
|
<div id="bd">
|
|
|
|
<div id="yui-main">
|
|
|
|
[% IF ( add_form ) %]
|
|
[% IF ( basketno ) %]
|
|
<h1>Edit basket [% basketname |html %]</h1>
|
|
[% ELSE %]<h1>Add a basket to [% booksellername %]</h1>
|
|
[% END %]
|
|
<form name="Aform" action="[% script_name %]" method="post" class="validated">
|
|
<input type="hidden" name="booksellerid" value="[% booksellerid %]" />
|
|
<fieldset class="rows">
|
|
<ol>
|
|
[% IF ( basketno ) %]
|
|
<li>
|
|
<input type="hidden" name="basketno" value="[% basketno %]" />
|
|
<input type="hidden" name="is_an_edit" value="1" />
|
|
</li>
|
|
[% END %]
|
|
<li>
|
|
<label for="basketname" class="required">Basket name: </label>
|
|
<input type="text" name="basketname" id="basketname" size="40" maxlength="80" value="[% basketname %]" required="required" class="required" />
|
|
<span class="required">Required</span>
|
|
</li>
|
|
<li>
|
|
<label for="billingplace">Billing place:</label>
|
|
<select name="billingplace" id="billingplace">
|
|
<option value="">--</option>
|
|
[% PROCESS options_for_libraries libraries => Branches.all( selected => billingplace ) %]
|
|
</select>
|
|
</li>
|
|
<li>
|
|
<label for="deliveryplace">Delivery place:</label>
|
|
<select name="deliveryplace" id="deliveryplace">
|
|
<option value="">--</option>
|
|
[% PROCESS options_for_libraries libraries => Branches.all( selected => deliveryplace ) %]
|
|
</select>
|
|
</li>
|
|
<li>
|
|
<label for="basketbooksellerid">Vendor: </label>
|
|
<select name="basketbooksellerid" id="basketbooksellerid">
|
|
[% FOREACH b IN booksellers %]
|
|
[% IF booksellerid == b.id %]
|
|
<option value="[% b.id %]" selected="selected">[% b.name %]</option>
|
|
[% ELSE %]
|
|
<option value="[% b.id %]">[% b.name %]</option>
|
|
[% END %]
|
|
[% END %]
|
|
</select>
|
|
</li>
|
|
<li>
|
|
<label for="basketnote">Internal note: </label>
|
|
<textarea name="basketnote" id="basketnote" rows="5" cols="40">[% basketnote |html %]</textarea>
|
|
</li>
|
|
<li>
|
|
<label for="basketbooksellernote">Vendor note: </label>
|
|
<textarea name="basketbooksellernote" id="basketbooksellernote" rows="5" cols="40">[% basketbooksellernote |html %]</textarea>
|
|
</li>
|
|
[% IF ( contractloop ) %]
|
|
<li><label for="basketcontractnumber">Contract: </label>
|
|
<select id="basketcontractnumber" name="basketcontractnumber">
|
|
<option value=""></option>
|
|
[% FOREACH contractloo IN contractloop %]
|
|
[% IF ( contractloo.selected ) %]
|
|
<option value="[% contractloo.contractnumber %]" selected="selected">[% contractloo.contractname %]</option>
|
|
[% ELSE %]
|
|
<option value="[% contractloo.contractnumber %]">[% contractloo.contractname %]</option>
|
|
[% END %]
|
|
[% END %]
|
|
</select>
|
|
</li>
|
|
[% END %]
|
|
<li>
|
|
<label for="is_standing">Orders are standing:</label>
|
|
[% IF is_standing %]
|
|
<input type="checkbox" id="is_standing" name="is_standing" checked="checked" />
|
|
[% ELSE %]
|
|
<input type="checkbox" id="is_standing" name="is_standing"/>
|
|
[% END %]
|
|
<div class="hint">Standing orders do not close when received.</div>
|
|
</li>
|
|
</ol>
|
|
</fieldset>
|
|
<fieldset class="action">
|
|
<input type="hidden" name="op" value="add_validate" />
|
|
<input type="submit" value="Save" />
|
|
[% IF ( basketno ) %]
|
|
<a class="cancel" href="/cgi-bin/koha/acqui/basket.pl?basketno=[% basketno %]">Cancel</a>
|
|
[% ELSE %]
|
|
<a class="cancel" href="/cgi-bin/koha/acqui/supplier.pl?booksellerid=[% booksellerid %]">Cancel</a>
|
|
[% END %]
|
|
</fieldset>
|
|
</form>
|
|
[% END %]
|
|
</div>
|
|
</div>
|
|
|
|
[% INCLUDE 'intranet-bottom.inc' %]
|