dcd1f5d48c
Here we go, next step then. As we did not fix the performance issue when autofiltering the variables (see bug 20975), the only solution we have is to add the filters explicitely. This patch has been autogenerated (using add_html_filters.pl, see next pathces) and add the html filter to all the variables displayed in the template. Exceptions are made (using the new 'raw' TT filter) to the variable we already listed in the previous versions of this patch. To test: - Use t/db_dependent/Koha/Patrons.t to populate your DB with autogenerated data which contain <script> tags - Remove them from borrower_debarments.comments (there are allowed here) update borrower_debarments set comment="html tags possible here"; - From the interface hit page and try to catch alert box. If you find one it means you find a possible XSS. To know where it comes from: * note the exact URL where you found it * note the alert box content * Dump your DB and search for the string in the dump to identify its location (for instance table.field) Next: * Ideally we would like to use the raw filter when it is not necessary to HTML escape the variables (in big loop for instance) * Provide a QA script to catch missing filters (we want html, uri, url or raw, certainly others that I am forgetting now) * Replace the html filters with uri when needed (!) Signed-off-by: Owen Leonard <oleonard@myacpl.org> Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com> Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
427 lines
14 KiB
Text
427 lines
14 KiB
Text
[% USE raw %]
|
|
[% USE Asset %]
|
|
[% USE Koha %]
|
|
[% SET footerjs = 1 %]
|
|
[% INCLUDE 'doc-head-open.inc' %]
|
|
[% IF plugin %]
|
|
<title>Upload plugin</title>
|
|
[% ELSE %]
|
|
<title>Koha › Tools › Upload</title>
|
|
[% END %]
|
|
[% INCLUDE 'doc-head-close.inc' %]
|
|
[% Asset.css("css/datatables.css") | $raw %]
|
|
|
|
[% BLOCK plugin_pars %]
|
|
[% IF plugin %]
|
|
<input type="hidden" name="plugin" value="1" />
|
|
<input type="hidden" name="index" value="[% index | html %]" />
|
|
[% END %]
|
|
[% END %]
|
|
|
|
[% BLOCK breadcrumbs %]
|
|
<div id="breadcrumbs">
|
|
<a href="/cgi-bin/koha/mainpage.pl">Home</a>
|
|
›
|
|
<a href="/cgi-bin/koha/tools/tools-home.pl">Tools</a>
|
|
›
|
|
<a href="/cgi-bin/koha/tools/upload.pl">Upload</a>
|
|
›
|
|
<span id="lastbreadcrumb">
|
|
[% IF mode=='new' || mode =='deleted'%]
|
|
Add new upload or search
|
|
[% ELSE %]
|
|
Results
|
|
[% END %]
|
|
</span>
|
|
</div>
|
|
[% END %]
|
|
|
|
[% BLOCK form_new %]
|
|
<form method="post" action="/cgi-bin/koha/tools/upload.pl" id="uploadfile" enctype="multipart/form-data">
|
|
[% PROCESS plugin_pars %]
|
|
<fieldset class="rows" id="uploadform">
|
|
<legend>Upload new files</legend>
|
|
<ol>
|
|
<li>
|
|
<div id="fileuploadform">
|
|
<label for="fileToUpload">Select files: </label>
|
|
<input type="file" id="fileToUpload" name="fileToUpload" multiple/>
|
|
</div>
|
|
</li>
|
|
[% IF uploadcategories %]
|
|
<li>
|
|
<label for="uploadcategory">Category: </label>
|
|
<select id="uploadcategory" name="uploadcategory">
|
|
[% IF !plugin %]
|
|
<option value=""></option>
|
|
[% END %]
|
|
[% FOREACH cat IN uploadcategories %]
|
|
<option value="[% cat.code | html %]">[% cat.name | html %]</option>
|
|
[% END %]
|
|
</select>
|
|
</li>
|
|
[% END %]
|
|
[% IF !plugin %]
|
|
<li>
|
|
[% IF uploadcategories %]
|
|
<div class="hint">Note: For temporary uploads do not select a category.</div>
|
|
[% ELSE %]
|
|
<div class="hint">Note: No upload categories are defined. Add values to the UPLOAD authorized value category otherwise all uploads will be marked as temporary.</div>
|
|
[% END %]
|
|
</li>
|
|
[% END %]
|
|
<li>
|
|
[% IF plugin %]
|
|
<input type="hidden" id="public" name="public" value="1"/>
|
|
[% ELSE %]
|
|
<label id="public_cb">Allow public downloads:</label>
|
|
<input type="checkbox" id="public" name="public" />
|
|
[% END %]
|
|
</li>
|
|
</ol>
|
|
<fieldset class="action">
|
|
<button id="fileuploadbutton">Upload</button>
|
|
<button id="fileuploadcancel">Cancel</button>
|
|
</fieldset>
|
|
</fieldset>
|
|
<div id="fileuploadpanel">
|
|
<div id="fileuploadstatus" class="progress_panel">Upload progress:
|
|
<progress id="fileuploadprogress" max="100" value="0">
|
|
</progress>
|
|
<span class="fileuploadpercent">0</span>%
|
|
</div>
|
|
<div id="fileuploadfailed"></div>
|
|
</div>
|
|
</form>
|
|
[% END %]
|
|
|
|
[% BLOCK form_search %]
|
|
<form method="post" id="searchfile" action="/cgi-bin/koha/tools/upload.pl" enctype="multipart/form-data">
|
|
[% PROCESS plugin_pars %]
|
|
<input type="hidden" name="op" value="search"/>
|
|
<fieldset class="rows">
|
|
<legend>Search uploads by name or hashvalue</legend>
|
|
<ol>
|
|
<li>
|
|
<label for="term">Search term: </label>
|
|
<input type="text" id="term" name="term" value=""/>
|
|
</li>
|
|
</ol>
|
|
<fieldset class="action">
|
|
<button id="searchbutton" class="submit">Search</button>
|
|
</fieldset>
|
|
</fieldset>
|
|
</form>
|
|
[% END %]
|
|
|
|
[% BLOCK submitter %]
|
|
<form id="submitter" style="display:none;" method="post">
|
|
[% PROCESS plugin_pars %]
|
|
<input type="hidden" name="op" id="op" value=""/>
|
|
<input type="hidden" name="id" id="id" value="" />
|
|
<input type="hidden" name="msg" id="msg" value="" />
|
|
</form>
|
|
[% END %]
|
|
|
|
[% BLOCK closer %]
|
|
[% IF plugin %]
|
|
<div id="closewindow"><a class="btn btn-default btn-default close" href="#">Close</a></div>
|
|
[% END %]
|
|
[% END %]
|
|
|
|
[% BLOCK back %]
|
|
[% IF !plugin %]
|
|
<form id="back">
|
|
<fieldset class="action">
|
|
<button class="submit">Back</button>
|
|
</fieldset>
|
|
</form>
|
|
[% END %]
|
|
[% END %]
|
|
|
|
[% BLOCK newsearch %]
|
|
<form id="newsearch">
|
|
<fieldset class="action">
|
|
<button id="new_search">New search</button>
|
|
</fieldset>
|
|
</form>
|
|
[% IF plugin %]
|
|
<div id="closewindow"><a class="btn btn-default btn-default close" href="#">Close</a></div>
|
|
[% END %]
|
|
[% END %]
|
|
|
|
[% BLOCK table_results %]
|
|
<table id="uploadresults">
|
|
<thead>
|
|
<tr>
|
|
<th>Filename</th>
|
|
<th>Size</th>
|
|
<th>Hashvalue</th>
|
|
<th>Category</th>
|
|
[% IF !plugin %]<th>Public</th>[% END %]
|
|
[% IF !plugin %]<th>Temporary</th>[% END %]
|
|
<th class="nosort">Actions</th>
|
|
</tr>
|
|
</thead>
|
|
<tbody>
|
|
[% FOREACH record IN uploads %]
|
|
<tr>
|
|
<td>[% record.filename | html %]</td>
|
|
<td>[% record.filesize | html %]</td>
|
|
<td>[% record.hashvalue | html %]</td>
|
|
<td>[% record.uploadcategorycode | html %]</td>
|
|
[% IF !plugin %]
|
|
<td>[% IF record.public %]Yes[% ELSE %]No[% END %]</td>
|
|
<td>[% IF record.permanent %]No[% ELSE %]Yes[% END %]</td>
|
|
[% END %]
|
|
<td class="actions">
|
|
[% IF plugin %]
|
|
<button class="btn btn-default btn-xs choose_entry" data-record-hashvalue="[% record.hashvalue | html %]"><i class="fa fa-plus"></i> Choose</button>
|
|
[% END %]
|
|
<button class="btn btn-default btn-xs download_entry" data-record-id="[% record.id | html %]"><i class="fa fa-download"></i> Download</button>
|
|
[% IF record.owner == owner || CAN_user_tools_upload_manage %]
|
|
<button class="btn btn-default btn-xs delete_entry" data-record-id="[% record.id | html %]"><i class="fa fa-trash"></i> Delete</button>
|
|
[% END %]
|
|
</td>
|
|
</tr>
|
|
[% END %]
|
|
</tbody>
|
|
</table>
|
|
[% END %]
|
|
|
|
<style type="text/css">
|
|
#fileuploadstatus,#fileuploadfailed { display : none; }
|
|
#fileuploadstatus { margin:.4em; }
|
|
#fileuploadprogress { width:150px;height:10px;border:1px solid #666;background:url('[% interface | html %]/[% theme | html %]/img/progress.png') -300px 0px no-repeat; }
|
|
</style>
|
|
|
|
|
|
</head>
|
|
|
|
[% IF ( plugin ) %]
|
|
<body id="tools_upload" class="tools">
|
|
<div class="yui-t7">
|
|
<div id="bd">
|
|
<div class="yui-g">
|
|
[% ELSE %]
|
|
<body id="tools_upload" class="tools">
|
|
[% INCLUDE 'header.inc' %]
|
|
[% INCLUDE 'cat-search.inc' %]
|
|
[% PROCESS breadcrumbs %]
|
|
<div id="doc3" class="yui-t2">
|
|
<div id="bd">
|
|
<div id="yui-main">
|
|
<div class="yui-b">
|
|
[% END %]
|
|
|
|
|
|
|
|
<h1>Upload</h1>
|
|
<div class="dialog alert" id="myalerts" style="display:none;"></div>
|
|
|
|
[% PROCESS submitter %]
|
|
[% IF mode == 'new' || mode == 'deleted' %]
|
|
[% PROCESS form_new %]
|
|
[% PROCESS form_search %]
|
|
[% PROCESS closer %]
|
|
[% ELSIF mode == 'report' %]
|
|
[% IF uploads %]
|
|
<h3>Your request gave the following results:</h3>
|
|
[% PROCESS table_results %]
|
|
[% PROCESS closer %]
|
|
[% PROCESS back %]
|
|
[% ELSE %]
|
|
<h4>Sorry, your request had no results.</h4>
|
|
[% PROCESS newsearch %]
|
|
[% END %]
|
|
[% END %]
|
|
|
|
</div>
|
|
|
|
[% IF !plugin %]
|
|
</div>
|
|
<div class="yui-b noprint">
|
|
[% INCLUDE 'tools-menu.inc' %]
|
|
</div>
|
|
[% END %]
|
|
|
|
</div>
|
|
|
|
[% MACRO jsinclude BLOCK %]
|
|
[% Asset.js("js/tools-menu.js") | $raw %]
|
|
[% INCLUDE 'datatables.inc' %]
|
|
[% Asset.js("js/file-upload.js") | $raw %]
|
|
<script type="text/javascript">
|
|
function StartUpload() {
|
|
if( $('#fileToUpload').prop('files').length == 0 ) return;
|
|
$('#fileToUpload').prop('disabled',true);
|
|
$('#fileuploadbutton').hide();
|
|
$("#fileuploadcancel").show();
|
|
$("#fileuploadfailed").html('');
|
|
$("#myalerts").hide('');
|
|
$("#myalerts").html('');
|
|
$("#fileuploadstatus").show();
|
|
$("#uploadedfileid").val('');
|
|
$("#searchfile").hide();
|
|
$("#lastbreadcrumb").text( _("Add a new upload") );
|
|
|
|
var cat, xtra='';
|
|
if( $("#uploadcategory").val() )
|
|
cat = encodeURIComponent( $("#uploadcategory").val() );
|
|
if( cat ) xtra= 'category=' + cat + '&';
|
|
[% IF plugin %]
|
|
xtra = xtra + 'public=1&temp=0';
|
|
[% ELSE %]
|
|
if( !cat ) xtra = 'temp=1&';
|
|
if( $('#public').prop('checked') ) xtra = xtra + 'public=1';
|
|
[% END %]
|
|
xhr= AjaxUpload( $('#fileToUpload'), $('#fileuploadprogress'), xtra, cbUpload );
|
|
}
|
|
function CancelUpload() {
|
|
if( xhr ) xhr.abort();
|
|
$("#fileuploadstatus").hide();
|
|
$('#fileToUpload').prop('disabled', false);
|
|
$('#fileuploadbutton').show();
|
|
$("#fileuploadcancel").hide();
|
|
$("#fileuploadfailed").show();
|
|
$("#fileuploadfailed").text( _("Upload status: Cancelled ") );
|
|
}
|
|
function cbUpload( status, fileid, err ) {
|
|
$('#fileToUpload').prop('disabled', false);
|
|
if( status=='done' ) {
|
|
var e = err? JSON.stringify(err): '';
|
|
SubmitMe( 'search', fileid, e );
|
|
} else {
|
|
$('#fileuploadbutton').show();
|
|
$("#fileuploadcancel").hide();
|
|
$("#fileuploadstatus").hide();
|
|
$("#fileuploadfailed").show();
|
|
$("#fileuploadfailed").html( _("Upload status: ") +
|
|
( status=='failed'? _("Failed"):
|
|
( status=='denied'? _("Denied"): status ))
|
|
);
|
|
ShowAlerts( err );
|
|
}
|
|
}
|
|
function ShowAlerts(err) {
|
|
var str = '';
|
|
for( var file in err ) {
|
|
str= str + '<p>' + file + ': ' +
|
|
errMESSAGES( err[file].code ) + '</p>';
|
|
}
|
|
if( str ) {
|
|
$('#myalerts').html(str);
|
|
$('#myalerts').show();
|
|
}
|
|
}
|
|
function errMESSAGES(code) {
|
|
var rv;
|
|
switch(code) {
|
|
case 'UPLERR_ALREADY_EXISTS':
|
|
rv = _("This file already exists (in this category).");
|
|
break;
|
|
case 'UPLERR_CANNOT_WRITE':
|
|
rv = _("File could not be created. Check permissions.");
|
|
break;
|
|
case 'UPLERR_NO_ROOT_DIR':
|
|
rv = _("Your koha-conf.xml does not contain a valid upload_path.");
|
|
break;
|
|
case 'UPLERR_NO_TEMP_DIR':
|
|
rv = _("No temporary directory found.");
|
|
break;
|
|
case 'UPLERR_FILE_NOT_READ':
|
|
rv = _("File could not be read.");
|
|
break;
|
|
case 'UPL_FILE_DELETED': // An alert, no error
|
|
rv = _("File has been deleted.");
|
|
break;
|
|
case 'UPLERR_FILE_NOT_DELETED':
|
|
rv = _("File or upload record could not be deleted.");
|
|
break;
|
|
default:
|
|
rv = code;
|
|
}
|
|
return rv;
|
|
}
|
|
function CheckSearch() {
|
|
if( $("#term").val()=="" ) {
|
|
alert( _("Please enter a search term.") );
|
|
return false;
|
|
}
|
|
return true;
|
|
}
|
|
function SubmitMe(op, id, msg ) {
|
|
$("#submitter #op").val( op );
|
|
$("#submitter #id").val( id );
|
|
$("#submitter #msg").val( msg );
|
|
$("#submitter").submit();
|
|
}
|
|
function DeleteEntry(id) {
|
|
if( !confirm( _("Do you really want to delete this upload?") ))
|
|
return false;
|
|
ClearField();
|
|
SubmitMe( 'delete', id );
|
|
}
|
|
function ClearField() {
|
|
[% IF plugin %]
|
|
$(window.opener.document).find('#[% index | html %]').val( '' );
|
|
[% END %]
|
|
}
|
|
function Choose(hashval) {
|
|
var res = '[% Koha.Preference('OPACBaseURL') | html %]';
|
|
res = res.replace( /\/$/, '');
|
|
res = res + '/cgi-bin/koha/opac-retrieve-file.pl?id=' + hashval;
|
|
[% IF index %]
|
|
$(window.opener.document).find('#[% index | html %]').val( res );
|
|
[% END %]
|
|
window.close();
|
|
}
|
|
$(document).ready(function() {
|
|
$("#uploadresults").dataTable($.extend(true, {}, dataTablesDefaults, {
|
|
"aoColumnDefs": [
|
|
{ 'bSortable': false, 'aTargets': [ 'nosort' ] }
|
|
],
|
|
"sPaginationType": "four_button"
|
|
}));
|
|
[% IF msg %]
|
|
ShowAlerts( [% msg | html %] );
|
|
[% END %]
|
|
$("#fileuploadcancel").hide();
|
|
$("#public_cb").click(function() {
|
|
$("#public").click();
|
|
});
|
|
$("#fileuploadbutton").on("click",function(e){
|
|
e.preventDefault();
|
|
StartUpload();
|
|
});
|
|
$("#fileuploadcancel").on("click",function(e){
|
|
e.preventDefault();
|
|
CancelUpload();
|
|
});
|
|
$("#searchbutton").on("click",function(){
|
|
return CheckSearch();
|
|
});
|
|
$(".choose_entry").on("click",function(e){
|
|
e.preventDefault();
|
|
var record_hashvalue = $(this).data("record-hashvalue");
|
|
Choose( record_hashvalue );
|
|
});
|
|
$(".download_entry").on("click",function(e){
|
|
e.preventDefault();
|
|
var record_id = $(this).data("record-id");
|
|
SubmitMe( 'download', record_id );
|
|
});
|
|
$(".delete_entry").on("click",function(e){
|
|
e.preventDefault();
|
|
var record_id = $(this).data("record-id");
|
|
DeleteEntry( record_id );
|
|
});
|
|
$("#new_search").on("click",function(e){
|
|
e.preventDefault();
|
|
SubmitMe('new');
|
|
});
|
|
});
|
|
</script>
|
|
[% END %]
|
|
|
|
[% INCLUDE 'intranet-bottom.inc' %]
|