861cec5773
1. Hit /cgi-bin/koha/tools/batchMod.pl
2. Enter <IFRAME SRC="javascript:alert('XSS');"></IFRAME> in the Barcode list (one barcode per line) text area.
3. Notice the iframe is executed.
4. Apply patch.
5. Reload page, and enter iframe again on Barcode list (one barcode per line) text area.
6. Notice it is no longer executed.
7. Fixes for both barcode and itemnumber.
Signed-off-by: Chris Cormack <chrisc@catalyst.net.nz>
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
279 lines
13 KiB
Text
279 lines
13 KiB
Text
[% USE Koha %]
|
|
[% INCLUDE 'doc-head-open.inc' %]
|
|
<title>Koha › Tools › Batch item modification</title>
|
|
[% INCLUDE 'doc-head-close.inc' %]
|
|
<script type="text/javascript" src="[% interface %]/[% theme %]/js/background-job-progressbar.js"></script>
|
|
<script type="text/javascript" src="[% interface %]/[% theme %]/js/cataloging.js"></script>
|
|
<link rel="stylesheet" type="text/css" href="[% interface %]/[% theme %]/css/datatables.css" />
|
|
[% INCLUDE 'datatables.inc' %]
|
|
<script type="text/javascript" src="[% interface %]/lib/jquery/plugins/jquery.checkboxes.min.js"></script>
|
|
<script type="text/javascript" src="[% interface %]/[% theme %]/js/pages/batchMod.js"></script>
|
|
<script type="text/javascript">
|
|
//<![CDATA[
|
|
|
|
// Prepare array of all column headers, incrementing each index by
|
|
// two to accommodate control and title columns
|
|
var allColumns = new Array([% FOREACH item_header_loo IN item_header_loop %]'[% loop.count %]'[% UNLESS ( loop.last ) %],[% END %][% END %]);
|
|
for( x=0; x<allColumns.length; x++ ){
|
|
allColumns[x] = Number(allColumns[x]) + 2;
|
|
}
|
|
$(document).ready(function(){
|
|
|
|
$("input[name='disable_input']").click(function() {
|
|
var row = $(this).attr("id");
|
|
row = row.replace("row","hint");
|
|
var editor = $(this).parent().find("[name='field_value']");
|
|
if ($(this).is(":checked")) {
|
|
$(editor).prop('disabled', true);
|
|
$("#"+row).html(_("This subfield will be deleted"));
|
|
} else {
|
|
$(editor).prop('disabled', false);
|
|
$("#"+row).html("");
|
|
}
|
|
});
|
|
$("#mainformsubmit").on("click",function(){
|
|
return submitBackgroundJob(this.form);
|
|
});
|
|
});
|
|
//]]>
|
|
</script>
|
|
<!--[if IE]>
|
|
<style type="text/css">#selections { display: none; }</style>
|
|
<![endif]-->
|
|
<style type="text/css">input[type=checkbox]{ margin : 0 .5em; }</style>
|
|
<link type="text/css" rel="stylesheet" href="[% interface %]/[% theme %]/css/addbiblio.css" />
|
|
|
|
[% INCLUDE 'select2.inc' %]
|
|
<script type="text/javascript">
|
|
$(document).ready(function() {
|
|
$('.subfield_line select').select2();
|
|
});
|
|
</script>
|
|
|
|
</head>
|
|
<body id="tools_batchMod-edit" class="tools">
|
|
[% INCLUDE 'header.inc' %]
|
|
[% INCLUDE 'cat-search.inc' %]
|
|
|
|
<div id="breadcrumbs">
|
|
<a href="/cgi-bin/koha/mainpage.pl">Home</a> ›
|
|
<a href="/cgi-bin/koha/tools/tools-home.pl">Tools</a> ›
|
|
<a href="/cgi-bin/koha/tools/batchMod.pl">Batch item modification</a>
|
|
</div>
|
|
|
|
<div id="doc3" class="yui-t7">
|
|
<div id="bd">
|
|
<div id="yui-main">
|
|
[% IF ( show ) %]
|
|
<h1>Batch item modification</h1>
|
|
[% ELSE %]
|
|
<h1>Batch item modification results</h1>
|
|
<div class="dialog message">
|
|
[% IF (modified_items) %]
|
|
[% modified_items %] item(s) modified (with [% modified_fields %] field(s) modified).
|
|
[% ELSE %]
|
|
No items modified.
|
|
[% END %]
|
|
<fieldset class="action">
|
|
[% IF src == 'CATALOGUING' # from catalogue/detail.pl > Edit items in a batch%]
|
|
<a href="/cgi-bin/koha/catalogue/detail.pl?biblionumber=[% biblionumber %]">Return to the record</a>
|
|
[% ELSIF src %]
|
|
<a href="[% src %]">Return to where you were</a>
|
|
[% ELSE %]
|
|
<a href="/cgi-bin/koha/tools/batchMod.pl">Return to batch item modification</a>
|
|
[% END %]
|
|
</fieldset>
|
|
</div>
|
|
[% END %]
|
|
[% IF ( barcode_not_unique ) %]<div class="dialog alert"><strong>Error saving item</strong>: Barcode must be unique.</div>[% END %]
|
|
[% IF ( no_next_barcode ) %]<div class="dialog alert"><strong>Error saving items</strong>: Unable to automatically determine values for barcodes. No item has been inserted.</div>[% END %]
|
|
[% IF ( book_on_loan ) %]<div class="dialog alert"><strong>Cannot Delete</strong>: item is checked out.</div>[% END %]
|
|
[% IF ( book_reserved ) %]<div class="dialogalert"><strong>Cannot Delete</strong>: item has a waiting hold.</div>[% END %]
|
|
|
|
[% IF ( notfoundbarcodes ) %]
|
|
<div class="dialog alert"><p>Warning, the following barcodes were not found:</p></div>
|
|
<table style="margin:auto;">
|
|
<thead>
|
|
<tr><th>Barcodes not found</th></tr>
|
|
</thead>
|
|
<tbody>
|
|
[% FOREACH notfoundbarcode IN notfoundbarcodes %]
|
|
<tr><td>[% notfoundbarcode.barcode |html %]</td></td>
|
|
[% END %]
|
|
</tbody>
|
|
</table>
|
|
[% IF ( item_loop ) %]
|
|
[% UNLESS ( too_many_items ) %]
|
|
<h4>The following barcodes were found: </h4>
|
|
[% END %]
|
|
[% END %]
|
|
[% END %] <!-- /notfoundbarcodes -->
|
|
|
|
<form name="f" action="batchMod.pl" method="post">
|
|
<input type="hidden" name="op" value="[% op %]" />
|
|
<input type="hidden" name="uploadedfileid" id="uploadedfileid" value="" />
|
|
<input type="hidden" name="runinbackground" id="runinbackground" value="" />
|
|
<input type="hidden" name="completedJobID" id="completedJobID" value="" />
|
|
<input type="hidden" name="src" id="src" value="[% src %]" />
|
|
[% IF biblionumber %]
|
|
<input type="hidden" name="biblionumber" id="biblionumber" value="[% biblionumber %]" />
|
|
[% END %]
|
|
|
|
[% IF ( item_loop ) %]
|
|
[% IF show %]
|
|
<div id="toolbar">
|
|
<a id="selectallbutton" href="#"><i class="fa fa-check"></i> Select all</a> | <a id="clearallbutton" href="#"><i class="fa fa-remove"></i> Clear all</a> | <a id="clearonloanbutton" href="#">Clear on loan</a>
|
|
</div>
|
|
[% END %]
|
|
<div id="cataloguing_additem_itemlist">
|
|
|
|
<p id="selections"><strong>Show/hide columns:</strong> <span class="selected"><input type="checkbox" checked="checked" id="showall"/><label for="showall">Show all columns</label></span> <span><input type="checkbox" id="hideall"/><label for="hideall">Hide all columns</label></span>
|
|
[% FOREACH item_header_loo IN item_header_loop %]
|
|
<span class="selected"><input id="checkheader[% loop.count %]" type="checkbox" checked="checked" /> <label for="checkheader[% loop.count %]">[% item_header_loo.header_value %]</label> </span>
|
|
[% END %]
|
|
</p>
|
|
<table id="itemst">
|
|
<thead>
|
|
<tr>
|
|
<th> </th>
|
|
<th class="anti-the">Title</th>
|
|
[% FOREACH item_header_loo IN item_header_loop %]
|
|
<th> [% item_header_loo.header_value %] </th>
|
|
[% END %]
|
|
</tr>
|
|
</thead>
|
|
<tbody>
|
|
[% FOREACH item_loo IN item_loop %]
|
|
<tr>
|
|
[% IF show %]
|
|
[% IF item_loo.nomod %]
|
|
<td class="error">Cannot edit</td>
|
|
[% ELSE %]
|
|
<td><input type="checkbox" name="itemnumber" value="[% item_loo.itemnumber %]" id="row[% item_loo.itemnumber %]" checked="checked" data-is-onloan="[% item_loo.onloan %]" /></td>
|
|
[% END %]
|
|
[% ELSE %]
|
|
<td> </td>
|
|
[% END %]
|
|
<td><label for="row[% item_loo.itemnumber %]"><a href="/cgi-bin/koha/catalogue/detail.pl?biblionumber=[% item_loo.biblionumber %]">[% item_loo.title %]</a>[% IF ( item_loo.author ) %], by [% item_loo.author %][% END %]</label></td>
|
|
[% FOREACH item_valu IN item_loo.item_value %] <td>[% item_valu.field |html %]</td>
|
|
[% END %] </tr>
|
|
[% END %]
|
|
</tbody>
|
|
</table>
|
|
</div>
|
|
[% END %]<!-- /item_loop -->
|
|
|
|
[% IF ( simple_items_display ) %]
|
|
<p>The following items were modified:</p>
|
|
<ul>
|
|
[% FOREACH simple_items_displa IN simple_items_display %]
|
|
<li>
|
|
[% IF ( CAN_user_editcatalogue_edit_items ) %]<a href="/cgi-bin/koha/cataloguing/additem.pl?op=edititem&biblionumber=[% simple_items_displa.biblionumber %]&itemnumber=[% simple_items_displa.itemnumber %]">[% simple_items_displa.barcode %]</a>[% ELSE %][% simple_items_displa.barcode %][% END %]
|
|
</li>
|
|
[% END %]
|
|
</ul>
|
|
[% END %]<!-- /simple_items_display -->
|
|
|
|
[% IF ( show ) %]
|
|
|
|
[% IF ( too_many_items ) %]
|
|
<p>Too many items ([% too_many_items %]): You are not allowed to edit more than [% Koha.Preference('MaxItemsToProcessForBatchMod') %] items in a batch.</p>
|
|
[% FOREACH itemnumber IN itemnumbers_array %]
|
|
<input type="hidden" name="itemnumber" value="[% itemnumber %]" />
|
|
[% END %]
|
|
[% END %]<!-- /too_many_items -->
|
|
|
|
[% IF ( item_loop ) %]
|
|
<div id="cataloguing_additem_newitem">
|
|
<h2>Edit Items</h2>
|
|
<div class="hint">Checking the box right next the subfield label will disable the entry and delete the subfield on all selected items. Leave fields blank to make no change.</div>
|
|
<fieldset class="rows">
|
|
<ol>
|
|
[% FOREACH ite IN item %]
|
|
<li>
|
|
<div class="subfield_line" style="[% ite.visibility %]" id="subfield[% ite.tag %][% ite.subfield %][% ite.random %]">
|
|
[% SET mv = ite.marc_value %]
|
|
[% IF ( ite.mandatory ) %]
|
|
<label class="required" for="[%- mv.id -%]">
|
|
[% ELSE %]
|
|
<label for="[%- mv.id -%]">
|
|
[% END %]
|
|
[% ite.subfield %] - [% ite.marc_lib %]
|
|
</label>
|
|
|
|
[% IF ( mv.type == 'select' ) -%]
|
|
<select name="[%- mv.name -%]" id="[%- mv.id -%]" size="1" tabindex="1" class="input_marceditor">
|
|
[%- FOREACH aval IN mv.values %]
|
|
[% IF aval == mv.default %]
|
|
<option value="[%- aval -%]" selected="selected">[%- mv.labels.$aval -%]</option>
|
|
[% ELSE %]
|
|
<option value="[%- aval -%]">[%- mv.labels.$aval -%]</option>
|
|
[% END %]
|
|
[%- END -%]
|
|
</select>
|
|
[% ELSIF ( mv.type == 'text1' ) %]
|
|
<input type="text" tabindex="1" id="[%- mv.id -%]" name="field_value" class="input_marceditor" size="50" maxlength="255" value="[%- mv.value -%]" />
|
|
<a href="#" class="buttonDot" onclick="Dopop('/cgi-bin/koha/authorities/auth_finder.pl?authtypecode=[%- mv.authtypecode -%]&index=[%- mv.id -%]','[%- mv.id -%]'); return false;" title="Tag editor">...</a>
|
|
[% ELSIF ( mv.type == 'text2' ) %]
|
|
<input type="text" id="[%- mv.id -%]" name="field_value" class="input_marceditor" size="50" maxlength="255" value="[%- mv.value -%]" />
|
|
[% IF mv.noclick %]
|
|
<a href="#" class="buttonDot disabled" title="No popup">...</a>
|
|
[% ELSE %]
|
|
<a href="#" id="buttonDot_[% mv.id %]" class="buttonDot" title="Tag editor">...</a>
|
|
[% END %]
|
|
[% mv.javascript %]
|
|
[% ELSIF ( mv.type == 'text' ) %]
|
|
<input type="text" tabindex="1" id="[%- mv.id -%]" name="field_value" class="input_marceditor" size="50" maxlength="255" value="[%- mv.value -%]" />
|
|
[% ELSIF ( mv.type == 'hidden' ) %]
|
|
<input type="hidden" tabindex="1" id="[%- mv.id -%]" name="field_value" class="input_marceditor" size="50" maxlength="255" value="[%- mv.value -%]" />
|
|
[% ELSIF ( mv.type == 'textarea' ) %]
|
|
<textarea tabindex="1" id="[%- mv.id -%]" name="field_value" class="input_marceditor" size="50" maxlength="255">[%- mv.value -%]"</textarea>
|
|
[%- END -%]
|
|
|
|
[% UNLESS ( ite.mandatory ) %]
|
|
<input type="checkbox" id="row[% ite.tag %][% ite.subfield %][% ite.random %]" title="Check to delete subfield [% ite.subfield %]" name="disable_input" value="[% ite.subfield %]" />
|
|
[% ELSE %]
|
|
<span class="required">Required</span>
|
|
[% END %]
|
|
|
|
<input type="hidden" name="tag" value="[% ite.tag %]" />
|
|
<input type="hidden" name="subfield" value="[% ite.subfield %]" />
|
|
<input type="hidden" name="mandatory" value="[% ite.mandatory %]" />
|
|
[% IF ( ite.repeatable ) %]
|
|
<a href="#" class="buttonPlus" onclick="CloneItemSubfield(this.parentNode); return false;">
|
|
<img src="[% interface %]/[% theme %]/img/clone-subfield.png" alt="Clone" title="Clone this subfield" />
|
|
</a>
|
|
[% END %]
|
|
<span class="hint" id="hint[% ite.tag %][% ite.subfield %][% ite.random %]"></span>
|
|
</div>
|
|
</li>
|
|
[% END %]
|
|
</ol>
|
|
</fieldset>
|
|
<fieldset class="action">
|
|
<div id="jobpanel">
|
|
<div id="jobstatus" class="progress_panel">Job progress: <div id="jobprogress"></div> <span id="jobprogresspercent">0</span>%</div>
|
|
<div id="jobfailed"></div>
|
|
</div>
|
|
<input type="submit" id="mainformsubmit" value="Save" />
|
|
<a href="/cgi-bin/koha/tools/batchMod.pl" class="cancel">Cancel</a>
|
|
</fieldset>
|
|
</div>
|
|
[% ELSE %]
|
|
<p><a href="/cgi-bin/koha/tools/batchMod.pl">Return to batch item modification</a></p>
|
|
[% END %]
|
|
[% ELSE %] <!-- // show -->
|
|
<fieldset class="action">
|
|
[% IF src == 'CATALOGUING' # from catalogue/detail.pl > Edit items in a batch%]
|
|
<a class="btn btn-default" href="/cgi-bin/koha/catalogue/detail.pl?biblionumber=[% biblionumber %]"><i class="fa fa-check-square-o"></i> Return to the record</a>
|
|
[% ELSIF src %]
|
|
<a class="btn btn-default" href="[% src %]"><i class="fa fa-check-square-o"></i> Return to where you were</a>
|
|
[% ELSE %]
|
|
<a class="btn btn-default" href="/cgi-bin/koha/tools/batchMod.pl"><i class="fa fa-check-square-o"></i> Return to batch item modification</a>
|
|
[% END %]
|
|
</fieldset>
|
|
|
|
[% END %]
|
|
</div>
|
|
</div>
|
|
[% INCLUDE 'intranet-bottom.inc' %]
|