Koha-community/Koha
13
7
Fork 0
Code Issues Releases Wiki Activity
Koha/koha-tmpl/intranet-tmpl/prog/en/modules/tools/cleanborrowers.tt
Jonathan Druart dcd1f5d48c Bug 13618: Add html filters to all the variables 
Here we go, next step then.
As we did not fix the performance issue when autofiltering
the variables (see bug 20975), the only solution we have is to add the
filters explicitely.

This patch has been autogenerated (using add_html_filters.pl, see next
pathces) and add the html filter to all the variables displayed in the
template.
Exceptions are made (using the new 'raw' TT filter) to the variable we
already listed in the previous versions of this patch.

To test:
- Use t/db_dependent/Koha/Patrons.t to populate your DB with autogenerated
data which contain <script> tags

- Remove them from borrower_debarments.comments (there are allowed here)
update  borrower_debarments set comment="html tags possible here";

- From the interface hit page and try to catch alert box.
If you find one it means you find a possible XSS.
To know where it comes from:
* note the exact URL where you found it
* note the alert box content
* Dump your DB and search for the string in the dump to identify its
location (for instance table.field)

Next:
* Ideally we would like to use the raw filter when it is not necessary
to HTML escape the variables (in big loop for instance)
* Provide a QA script to catch missing filters (we want html, uri, url
or raw, certainly others that I am forgetting now)
* Replace the html filters with uri when needed (!)

Signed-off-by: Owen Leonard <oleonard@myacpl.org>

Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>

Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
2018-08-17 15:55:05 +00:00

259 lines
11 KiB
Text
Raw Blame History

[% USE raw %]
[% USE Asset %]
[% USE Koha %]
[% USE KohaDates %]
[% USE Branches %]
[% SET footerjs = 1 %]
[% INCLUDE 'doc-head-open.inc' %]
<title>Koha &rsaquo; Tools &rsaquo; Batch patron deletion/anonymization [% IF step == 2 %]&rsaquo; Confirm[% END %][% IF step == 3 %]&rsaquo; Finished[% END %]</title>
[% INCLUDE 'doc-head-close.inc' %]
</head>
<body id="tools_cleanborrowers" class="tools">
[% INCLUDE 'header.inc' %]
[% INCLUDE 'cat-search.inc' %]
<div id="breadcrumbs">
<a href="/cgi-bin/koha/mainpage.pl">Home</a> &rsaquo;
<a href="/cgi-bin/koha/tools/tools-home.pl">Tools</a> &rsaquo;
[% IF step == 1 %]
Batch patron deletion/anonymization
[% ELSE %]
<a href="/cgi-bin/koha/tools/cleanborrowers.pl">Batch patron deletion/anonymization</a> &rsaquo;
[% END %]
[% IF step == 2 %] Confirm [% END %]
[% IF step == 3 %] Finished [% END %]
</div>
<div id="doc3" class="yui-t2">
<div id="bd">
<div id="yui-main">
<div class="yui-b">
[% IF !OnlyMine %]
<form method="get" action="/cgi-bin/koha/tools/cleanborrowers.pl" id="selectlibrary">
Select a library :
<select name="branch" id="branch" style="width:20em;">
<option value="*">All libraries</option>
[% FOREACH branch IN Branches.all( selected => current_branch ) %]
[% IF branch.selected %]
<option value="[% branch.branchcode | html %]" selected="selected">[% branch.branchname | html %]</option>
[% ELSE %]
<option value="[% branch.branchcode | html %]">[% branch.branchname | html %]</option>
[% END %]
[% END %]
</select>
</form>
[% IF current_branch == '*' %]
<h1>Batch patron deletion/anonymization</h1>
[% ELSE %]
<h1>Batch patron deletion/anonymization for [% Branches.GetName( current_branch ) | html %]</h1>
[% END %]
[% ELSE %]
<h1>Batch patron deletion/anonymization for [% Branches.GetName( Branches.GetLoggedInBranchcode ) | html %]</h1>
[% END %]
[% IF step == 1 %]
<!-- step 1 START -->
<div class="help">
<p>This tool allows you to delete patrons and anonymize checkout history. For deleting patrons, any combination of limits can be used.</p>
</div>
<div id="step1">
<form name="f1" id="delete_patrons_form" action="/cgi-bin/koha/tools/cleanborrowers.pl" method="post">
<fieldset>
<legend>Delete patrons</legend>
<h3><input id="checkborrower" type="checkbox" name="checkbox" value="borrower" /><label for="checkborrower"> Verify you want to delete patrons</label></h3>
<br />
<h5>Delete patrons who meet the following criteria:</h5>
<ul>
<li>
<label for="date1">who have not borrowed since:</label>
<input size="10" id="date1" name="not_borrowed_since" type="text" class="datepicker" />
<span class="hint">[% INCLUDE 'date-format.inc' %]</span>
</li>
<li>
<label for="borrower_dateexpiry">whose expiration date is before:</label>
<input size="10" id="borrower_dateexpiry" name="borrower_dateexpiry" type="text" class="datepicker" />
<span class="hint">[% INCLUDE 'date-format.inc' %]</span>
</li>
[% IF Koha.Preference('TrackLastPatronActivity') %]
<li>
<label for="borrower_lastseen">who have not been connected since:</label>
<input size="10" id="borrower_lastseen" name="borrower_lastseen" type="text" class="datepicker" />
<span class="hint">[% INCLUDE 'date-format.inc' %]</span>
</li>
[% END %]
<li>
<label for="borrower_categorycode">whose patron category is:</label>
<select id="borrower_categorycode" name="borrower_categorycode">
<option value="" selected="selected">Any</option>
[% FOREACH bc IN borrower_categorycodes %]
[% UNLESS bc.category_type == 'S' %]
<option value="[% bc.categorycode | html %]">[% bc.description | html %]</option>
[% END %]
[% END %]
</select>
</li>
[% IF patron_lists %]
<li>
<label for="patron_list_id">who are in patron list: </label>
<select id="patron_list_id" name="patron_list_id">
<option value=""></option>
[% FOREACH pl IN patron_lists %]
<option value="[% pl.patron_list_id | html %]">[% pl.name | html %]</option>
[% END %]
</select>
</li>
[% END %]
</ul>
</fieldset>
<fieldset>
<legend>Anonymize checkout history</legend>
[% UNLESS Koha.Preference('AnonymousPatron') %]
<div class="dialog message">The AnonymousPatron system preference is not defined. You can use this feature anyway but NULL will be used to update the checkout history.</div>
[% END %]
<h3><input id="checkissue" type="checkbox" name="checkbox" value="issue" /><label for="checkissue"> Verify you want to anonymize patron checkout history</label></h3>
<br />
<ul>
<li>
<label for="date2">Permanently delete checkout history older than</label>
<input size="10" id="date2" name="last_issue_date" type="text" class="datepicker" />
<span class="hint">[% INCLUDE 'date-format.inc' %]</span>
</li>
</ul>
<!-- hidden here -->
<input type="hidden" name="step" value="2" />
<input type="hidden" name="branch" value="[% current_branch | html %]" />
</fieldset>
<fieldset class="action"><input type="submit" value="Next &gt;&gt;" /></fieldset>
</form>
</div>
<!-- step 1 END -->
[% END %]
[% IF step == 2 %]
<!-- STEP 2 START -->
<div id="step2">
<form name="f2" action="/cgi-bin/koha/tools/cleanborrowers.pl" method="post">
<fieldset>
<legend>Warnings</legend>
<ul>
<li>[% patrons_to_delete.size || 0 | html %] patrons will be deleted</li>
<li>[% patrons_to_anonymize.count || 0 | html %] patron's checkout histories will be anonymized</li>
</ul>
<br />
[% IF patrons_to_delete.size %]
<fieldset><legend>What do you want to do for deleted patrons?</legend>
<input id="delete" type="radio" name="radio" value="delete" />
<label for="delete">Permanently delete these patrons</label>
<br /><input id="trash" type="radio" name="radio" value="trash" />
<label for="trash">Move these patrons to the trash</label>
<br /><input id="testrun" type="radio" name="radio" value="testrun" checked="checked" />
<label for="testrun">Do not remove any patrons (test run)</label>
<input type="hidden" name="do_delete" value="[% patrons_to_delete.size | html %]" /></fieldset>
[% END %]
[% IF patrons_to_anonymize.count %]
Checkout history for [% patrons_to_anonymize.count | html %] patrons will be anonymized
<input type="hidden" name="do_anonym" value="[% patrons_to_anonymize.count | html %]" />
[% END %]
<input type="hidden" name="step" value="3" />
<input type="hidden" name="not_borrowed_since" value="[% not_borrowed_since | $KohaDates %]" />
<input type="hidden" name="last_issue_date" value="[% last_issue_date | $KohaDates %]" />
<input type="hidden" name="borrower_dateexpiry" value="[% borrower_dateexpiry | $KohaDates %]" />
[% IF Koha.Preference('TrackLastPatronActivity') %]
<input type="hidden" name="borrower_lastseen" value="[% borrower_lastseen | $KohaDates %]" />
[% END %]
<input type="hidden" name="borrower_categorycode" value="[% borrower_categorycode | html %]" />
<input type="hidden" name="patron_list_id" value="[% patron_list_id | html %]" />
<input type="hidden" name="branch" value="[% current_branch | html %]" />
</fieldset>
<fieldset class="action"><input type="submit" value="Finish" /> <a class="cancel" href="/cgi-bin/koha/tools/cleanborrowers.pl">Cancel</a></fieldset>
</form>
</div>
<!-- STEP 2 END -->
[% END %]
[% IF step == 3 %]
<!-- Step 3 START -->
<div id="step3">
[% IF ( testrun ) %]
<h4>[% TotalDel | html %] patrons would have been removed (if it wasn't a test run)</h4>
<h4>No patron records have been actually removed</h4>
[% ELSE %]
[% IF ( do_delete ) %]
[% IF ( trash ) %]
<h4>[% TotalDel | html %] patrons have been successfully moved to trash</h4>
[% ELSE %]
<h4>[% TotalDel | html %] patrons have been successfully deleted</h4>
[% END %]
[% ELSE %]
<h4>No patron records have been removed</h4>
[% END %]
[% END %]
[% IF do_anonym %]
<h4>All checkouts ([% do_anonym | html %]) older than [% last_issue_date | $KohaDates %] have been anonymized</h4>
[% ELSE %]
<h4>No patron records have been anonymized</h4>
[% END %]
</div>
<!-- Step 3 END -->
[% END %]
</div>
</div>
<div class="yui-b noprint">
[% INCLUDE 'tools-menu.inc' %]
</div>
</div>
[% MACRO jsinclude BLOCK %]
[% Asset.js("js/tools-menu.js") | $raw %]
[% INCLUDE 'calendar.inc' %]
<script type="text/javascript">
$(document).ready(function(){
$("#delete_patrons_form").on("submit",function(){
return checkForm( this );
});
$('#branch').change(function() {
$('#selectlibrary').submit();
});
});
/**
* checkForm(form)
* This function check the form is correctly filled.
*/
function checkForm(form) {
if((form.checkbox[0].checked)){
if ( (!form.date1.value) && (!form.borrower_dateexpiry.value) [% IF Koha.Preference('TrackLastPatronActivity') %]&& (!form.borrower_lastseen.value) [% END %]&& (!form.borrower_categorycode.value) && (!form.patron_list_id.value)){
alert(_("Please enter at least one criterion for deletion!"));
return false;
}
}
if((form.checkbox[1].checked)){
if(!(form.date2.value)){
alert(_("Please enter a date!"));
return false;
}
}
if(!form.checkbox[0].checked && !form.checkbox[1].checked) {
alert( _("Please check at least one action") );
return false;
}
return true;
}
</script>
[% END %]
[% INCLUDE 'intranet-bottom.inc' %]
View git blame Copy permalink