Koha-community/Koha
13
7
Fork 0
Code Issues Releases Wiki Activity
Koha/koha-tmpl/intranet-tmpl/prog/en/modules/tools/batchMod-edit.tt
Jonathan Druart dcd1f5d48c Bug 13618: Add html filters to all the variables 
Here we go, next step then.
As we did not fix the performance issue when autofiltering
the variables (see bug 20975), the only solution we have is to add the
filters explicitely.

This patch has been autogenerated (using add_html_filters.pl, see next
pathces) and add the html filter to all the variables displayed in the
template.
Exceptions are made (using the new 'raw' TT filter) to the variable we
already listed in the previous versions of this patch.

To test:
- Use t/db_dependent/Koha/Patrons.t to populate your DB with autogenerated
data which contain <script> tags

- Remove them from borrower_debarments.comments (there are allowed here)
update  borrower_debarments set comment="html tags possible here";

- From the interface hit page and try to catch alert box.
If you find one it means you find a possible XSS.
To know where it comes from:
* note the exact URL where you found it
* note the alert box content
* Dump your DB and search for the string in the dump to identify its
location (for instance table.field)

Next:
* Ideally we would like to use the raw filter when it is not necessary
to HTML escape the variables (in big loop for instance)
* Provide a QA script to catch missing filters (we want html, uri, url
or raw, certainly others that I am forgetting now)
* Replace the html filters with uri when needed (!)

Signed-off-by: Owen Leonard <oleonard@myacpl.org>

Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>

Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
2018-08-17 15:55:05 +00:00

300 lines
14 KiB
Text
Raw Blame History

[% USE raw %]
[% USE Asset %]
[% USE Koha %]
[% INCLUDE 'doc-head-open.inc' %]
<title>Koha &rsaquo; Tools &rsaquo; Batch item modification</title>
[% INCLUDE 'doc-head-close.inc' %]
[% Asset.js("js/background-job-progressbar.js") | $raw %]
[% Asset.js("js/cataloging.js") | $raw %]
[% Asset.css("css/datatables.css") | $raw %]
[% INCLUDE 'datatables.inc' %]
[% Asset.js("lib/jquery/plugins/jquery.checkboxes.min.js") | $raw %]
[% Asset.js("js/pages/batchMod.js") | $raw %]
<script type="text/javascript">
//<![CDATA[
// Prepare array of all column headers, incrementing each index by
// two to accommodate control and title columns
var allColumns = new Array([% FOREACH item_header_loo IN item_header_loop %]'[% loop.count | html %]'[% UNLESS ( loop.last ) %],[% END %][% END %]);
for( x=0; x<allColumns.length; x++ ){
allColumns[x] = Number(allColumns[x]) + 2;
}
$(document).ready(function(){
$("input[name='disable_input']").click(function() {
var row = $(this).attr("id");
row = row.replace("row","hint");
var editor = $(this).parent().find("[name='field_value']");
if ($(this).is(":checked")) {
$(editor).prop('disabled', true);
$("#"+row).html(_("This subfield will be deleted"));
} else {
$(editor).prop('disabled', false);
$("#"+row).html("");
}
});
$("#mainformsubmit").on("click",function(){
return submitBackgroundJob(this.form);
});
});
//]]>
</script>
<!--[if IE]>
<style type="text/css">#selections { display: none; }</style>
<![endif]-->
<style type="text/css">input[type=checkbox]{ margin : 0 .5em; }</style>
[% Asset.css("css/addbiblio.css") | $raw %]
[% INCLUDE 'select2.inc' %]
<script type="text/javascript">
$(document).ready(function() {
$('.subfield_line select').select2();
});
</script>
</head>
<body id="tools_batchMod-edit" class="tools">
[% INCLUDE 'header.inc' %]
[% INCLUDE 'cat-search.inc' %]
<div id="breadcrumbs">
<a href="/cgi-bin/koha/mainpage.pl">Home</a> &rsaquo;
<a href="/cgi-bin/koha/tools/tools-home.pl">Tools</a> &rsaquo;
<a href="/cgi-bin/koha/tools/batchMod.pl">Batch item modification</a>
</div>
<div class="main container-fluid">
[% IF ( show ) %]
<h1>Batch item modification</h1>
[% ELSE %]
<h1>Batch item modification results</h1>
<div class="dialog message">
[% IF (modified_items) %]
[% modified_items | html %] item(s) modified (with [% modified_fields | html %] field(s) modified).
[% ELSE %]
No items modified.
[% END %]
<fieldset class="action">
[% IF src == 'CATALOGUING' # from catalogue/detail.pl > Edit items in a batch%]
<a href="/cgi-bin/koha/catalogue/detail.pl?biblionumber=[% biblionumber | html %]">Return to the record</a>
[% ELSIF src %]
<a href="[% src | html %]">Return to where you were</a>
[% ELSE %]
<a href="/cgi-bin/koha/tools/batchMod.pl">Return to batch item modification</a>
[% END %]
</fieldset>
</div>
[% END %]
[% IF ( barcode_not_unique ) %]<div class="dialog alert"><strong>Error saving item</strong>: Barcode must be unique.</div>[% END %]
[% IF ( no_next_barcode ) %]<div class="dialog alert"><strong>Error saving items</strong>: Unable to automatically determine values for barcodes. No item has been inserted.</div>[% END %]
[% IF ( book_on_loan ) %]<div class="dialog alert"><strong>Cannot Delete</strong>: item is checked out.</div>[% END %]
[% IF ( book_reserved ) %]<div class="dialogalert"><strong>Cannot Delete</strong>: item has a waiting hold.</div>[% END %]
[% IF ( notfoundbarcodes.size ) %]
<div class="dialog alert"><p>Warning, the following barcodes were not found:</p></div>
<table style="margin:auto;">
<thead>
<tr><th>Barcodes not found</th></tr>
</thead>
<tbody>
[% FOREACH notfoundbarcode IN notfoundbarcodes %]
<tr><td>[% notfoundbarcode |html %]</td></td>
[% END %]
</tbody>
</table>
[% IF ( item_loop ) %]
[% UNLESS ( too_many_items ) %]
<h4>The following barcodes were found: </h4>
[% END %]
[% END %]
[% END %] <!-- /notfoundbarcodes -->
[% IF ( notfounditemnumbers.size ) %]
<div class="dialog alert"><p>Warning, the following itemnumbers were not found:</p></div>
<table style="margin:auto;">
<thead>
<tr><th>Itemnumbers not found</th></tr>
</thead>
<tbody>
[% FOREACH notfounditemnumber IN notfounditemnumbers %]
<tr><td>[% notfounditemnumber |html %]</td></td>
[% END %]
</tbody>
</table>
[% IF ( item_loop ) %]
[% UNLESS ( too_many_items ) %]
<h4>The following itemnumbers were found: </h4>
[% END %]
[% END %]
[% END %] <!-- /notfounditemnumbers -->
<form name="f" action="batchMod.pl" method="post">
<input type="hidden" name="op" value="[% op | html %]" />
<input type="hidden" name="uploadedfileid" id="uploadedfileid" value="" />
<input type="hidden" name="runinbackground" id="runinbackground" value="" />
<input type="hidden" name="completedJobID" id="completedJobID" value="" />
<input type="hidden" name="src" id="src" value="[% src | html %]" />
[% IF biblionumber %]
<input type="hidden" name="biblionumber" id="biblionumber" value="[% biblionumber | html %]" />
[% END %]
[% IF ( item_loop ) %]
[% IF show %]
<div id="toolbar">
<a id="selectallbutton" href="#"><i class="fa fa-check"></i> Select all</a> | <a id="clearallbutton" href="#"><i class="fa fa-remove"></i> Clear all</a> | <a id="clearonloanbutton" href="#">Clear on loan</a>
</div>
[% END %]
<div id="cataloguing_additem_itemlist">
<p id="selections"><strong>Show/hide columns:</strong> <span class="selected"><input type="checkbox" checked="checked" id="showall"/><label for="showall">Show all columns</label></span> <span><input type="checkbox" id="hideall"/><label for="hideall">Hide all columns</label></span>
[% FOREACH item_header_loo IN item_header_loop %]
<span class="selected"><input id="checkheader[% loop.count | html %]" type="checkbox" checked="checked" /> <label for="checkheader[% loop.count | html %]">[% item_header_loo.header_value | html %]</label> </span>
[% END %]
</p>
<table id="itemst">
<thead>
<tr>
<th>&nbsp;</th>
<th class="anti-the">Title</th>
[% FOREACH item_header_loo IN item_header_loop %]
<th> [% item_header_loo.header_value | html %] </th>
[% END %]
</tr>
</thead>
<tbody>
[% FOREACH item_loo IN item_loop %]
<tr>
[% IF show %]
[% IF item_loo.nomod %]
<td class="error">Cannot edit</td>
[% ELSE %]
<td><input type="checkbox" name="itemnumber" value="[% item_loo.itemnumber | html %]" id="row[% item_loo.itemnumber | html %]" checked="checked" data-is-onloan="[% item_loo.onloan | html %]" /></td>
[% END %]
[% ELSE %]
<td>&nbsp;</td>
[% END %]
<td><label for="row[% item_loo.itemnumber | html %]"><a href="/cgi-bin/koha/catalogue/detail.pl?biblionumber=[% item_loo.biblionumber | html %]">[% item_loo.title | html %]</a>[% IF ( item_loo.author ) %], by [% item_loo.author | html %][% END %]</label></td>
[% FOREACH item_valu IN item_loo.item_value %] <td>[% item_valu.field | html %]</td>
[% END %] </tr>
[% END %]
</tbody>
</table>
</div>
[% END %]<!-- /item_loop -->
[% IF ( simple_items_display ) %]
<p>The following items were modified:</p>
<ul>
[% FOREACH simple_items_displa IN simple_items_display %]
<li>
[% IF ( CAN_user_editcatalogue_edit_items ) %]<a href="/cgi-bin/koha/cataloguing/additem.pl?op=edititem&amp;biblionumber=[% simple_items_displa.biblionumber | html %]&amp;itemnumber=[% simple_items_displa.itemnumber | html %]">[% simple_items_displa.barcode | html %]</a>[% ELSE %][% simple_items_displa.barcode | html %][% END %]
</li>
[% END %]
</ul>
[% END %]<!-- /simple_items_display -->
[% IF ( show ) %]
[% IF ( too_many_items ) %]
<p>Too many items ([% too_many_items | html %]): You are not allowed to edit more than [% Koha.Preference('MaxItemsToProcessForBatchMod') | html %] items in a batch.</p>
[% FOREACH itemnumber IN itemnumbers_array %]
<input type="hidden" name="itemnumber" value="[% itemnumber | html %]" />
[% END %]
[% END %]<!-- /too_many_items -->
[% IF ( item_loop ) %]
<div id="cataloguing_additem_newitem">
<h2>Edit Items</h2>
<div class="hint">Checking the box right next the subfield label will disable the entry and delete the subfield on all selected items. Leave fields blank to make no change.</div>
<fieldset class="rows">
<ol>
[% FOREACH ite IN item %]
<li>
<div class="subfield_line" style="[% ite.visibility | html %]" id="subfield[% ite.tag | html %][% ite.subfield | html %][% ite.random | html %]">
[% SET mv = ite.marc_value %]
[% IF ( ite.mandatory ) %]
<label class="required" for="[%- mv.id | html -%]">
[% ELSE %]
<label for="[%- mv.id | html -%]">
[% END %]
[% ite.subfield | html %] - [% ite.marc_lib | $raw %]
</label>
[% IF ( mv.type == 'select' ) -%]
<select name="[%- mv.name | html -%]" id="[%- mv.id | html -%]" size="1" tabindex="1" class="input_marceditor">
[%- FOREACH aval IN mv.values %]
[% ite.subfield | html %] -
[% IF aval == mv.default %]
<option value="[%- aval | html -%]" selected="selected">[%- mv.labels.$aval | html -%]</option>
[% ELSE %]
<option value="[%- aval | html -%]">[%- mv.labels.$aval | html -%]</option>
[% END %]
[%- END -%]
</select>
[% ELSIF ( mv.type == 'text1' ) %]
<input type="text" tabindex="1" id="[%- mv.id | html -%]" name="field_value" class="input_marceditor" size="50" maxlength="255" value="[%- mv.value | html -%]" />
<a href="#" class="buttonDot" onclick="Dopop('/cgi-bin/koha/authorities/auth_finder.pl?authtypecode=[%- mv.authtypecode | html -%]&index=[%- mv.id | html -%]','[%- mv.id | html -%]'); return false;" title="Tag editor">...</a>
[% ELSIF ( mv.type == 'text2' ) %]
<input type="text" id="[%- mv.id | html -%]" name="field_value" class="input_marceditor" size="50" maxlength="255" value="[%- mv.value | html -%]" />
[% IF mv.noclick %]
<a href="#" class="buttonDot disabled" title="No popup">...</a>
[% ELSE %]
<a href="#" id="buttonDot_[% mv.id | html %]" class="buttonDot" title="Tag editor">...</a>
[% END %]
[% mv.javascript | $raw %]
[% ELSIF ( mv.type == 'text' ) %]
<input type="text" tabindex="1" id="[%- mv.id | html -%]" name="field_value" class="input_marceditor" size="50" maxlength="255" value="[%- mv.value | html -%]" />
[% ELSIF ( mv.type == 'hidden' ) %]
<input type="hidden" tabindex="1" id="[%- mv.id | html -%]" name="field_value" class="input_marceditor" size="50" maxlength="255" value="[%- mv.value | html -%]" />
[% ELSIF ( mv.type == 'textarea' ) %]
<textarea tabindex="1" id="[%- mv.id | html -%]" name="field_value" class="input_marceditor" size="50" maxlength="255">[%- mv.value | html -%]"</textarea>
[%- END -%]
[% UNLESS ( ite.mandatory ) %]
<input type="checkbox" id="row[% ite.tag | html %][% ite.subfield | html %][% ite.random | html %]" title="Check to delete subfield [% ite.subfield | html %]" name="disable_input" value="[% ite.subfield | html %]" />
[% ELSE %]
<span class="required">Required</span>
[% END %]
<input type="hidden" name="tag" value="[% ite.tag | html %]" />
<input type="hidden" name="subfield" value="[% ite.subfield | html %]" />
<input type="hidden" name="mandatory" value="[% ite.mandatory | html %]" />
[% IF ( ite.repeatable ) %]
<a href="#" class="buttonPlus" onclick="CloneItemSubfield(this.parentNode); return false;">
<img src="[% interface | html %]/[% theme | html %]/img/clone-subfield.png" alt="Clone" title="Clone this subfield" />
</a>
[% END %]
<span class="hint" id="hint[% ite.tag | html %][% ite.subfield | html %][% ite.random | html %]"></span>
</div>
</li>
[% END %]
</ol>
</fieldset>
<fieldset class="action">
<div id="jobpanel">
<div id="jobstatus" class="progress_panel">Job progress: <div id="jobprogress"></div> <span id="jobprogresspercent">0</span>%</div>
<div id="jobfailed"></div>
</div>
<input type="submit" id="mainformsubmit" value="Save" />
<a href="/cgi-bin/koha/tools/batchMod.pl" class="cancel">Cancel</a>
</fieldset>
</div>
[% ELSE %]
<p><a href="/cgi-bin/koha/tools/batchMod.pl">Return to batch item modification</a></p>
[% END %]
[% ELSE %] <!-- // show -->
<fieldset class="action">
[% IF src == 'CATALOGUING' # from catalogue/detail.pl > Edit items in a batch%]
<a class="btn btn-default" href="/cgi-bin/koha/catalogue/detail.pl?biblionumber=[% biblionumber | html %]"><i class="fa fa-check-square-o"></i> Return to the record</a>
[% ELSIF src %]
<a class="btn btn-default" href="[% src | html %]"><i class="fa fa-check-square-o"></i> Return to where you were</a>
[% ELSE %]
<a class="btn btn-default" href="/cgi-bin/koha/tools/batchMod.pl"><i class="fa fa-check-square-o"></i> Return to batch item modification</a>
[% END %]
</fieldset>
[% END %]
[% INCLUDE 'intranet-bottom.inc' %]
View git blame Copy permalink