Koha-community/Koha
13
7
Fork 0
Code Issues Releases Wiki Activity
Koha/koha-tmpl/intranet-tmpl/prog/en/modules/admin/currency.tt
Amit Gupta 8c3da35130 Bug 19033: XSS Flaws in Currencies and exchange page 
1. Hit /cgi-bin/koha/admin/currency.pl
2. Enter <IFRAME SRC="javascript:alert('XSS');"></IFRAME> search currencies box.
3. Notice the iframe is executed
4. Apply patch
5. Reload page, and enter iframe again on search currencies box.
6. Notice it is no longer executed

Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
Fixes the issue, follows common practice on the codebase.

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
2017-08-29 12:00:37 -03:00

255 lines
9.9 KiB
Text
Raw Blame History

[% USE KohaDates %]
[% USE ColumnsSettings %]
[% USE HtmlTags %]
[% INCLUDE 'doc-head-open.inc' %]
<title>Koha &rsaquo; Administration &rsaquo; Currencies &amp; Exchange rates &rsaquo;
[% IF op == 'add_form' %][% IF currency %]Modify currency '[% currency.currency %]'[% ELSE %]New currency[% END %][% END %]
[% IF op == 'delete_confirm' %]Confirm deletion of currency '[% currency.currency %]'[% END %]
[% IF op == 'list' %]Currencies[% END %]</title>
[% INCLUDE 'doc-head-close.inc' %]
<link rel="stylesheet" type="text/css" href="[% interface %]/[% theme %]/css/datatables.css" />
[% INCLUDE 'datatables.inc' %]
[% INCLUDE 'columns_settings.inc' %]
<script type="text/javascript">
//<![CDATA[
function check_currency(val) {
if ( val == 1.0 ) {
$("#active").prop('disabled', false);
$("#hint").html("");
} else {
$("#active").prop('checked', false);
$("#active").prop('disabled', true);
$("#hint").html(_("The active currency must have a rate of 1.0"));
}
}
$(document).ready(function() {
columns_settings = [% ColumnsSettings.GetColumns( 'admin', 'currency', 'currencies-table', 'json' ) %]
var issuest = KohaTable("#currencies-table", {
dom: 'B<"clearfix">t',
"columnDefs": [
{ "aTargets": [ -1 ], "bSortable": false, "bSearchable": false },
{ "sType": "title-string", "aTargets" : [ "title-string" ] }
],
}, columns_settings );
// prevents users to check active with a currency != 1
$("#rate").keyup(function() {
check_currency( $(this).val() );
});
check_currency( $("#rate").val() );
$("#currency_code").on("blur",function(){
toUC(this);
});
});
//]]>
</script>
</head>
<body id="admin_currency" class="admin">
[% INCLUDE 'header.inc' %]
[% INCLUDE 'currencies-admin-search.inc' %]
<div id="breadcrumbs"><a href="/cgi-bin/koha/mainpage.pl">Home</a> &rsaquo; <a href="/cgi-bin/koha/admin/admin-home.pl">Administration</a> &rsaquo; <a href="/cgi-bin/koha/admin/currency.pl">Currencies &amp; Exchange rates</a> &rsaquo; [% IF op == 'add_form' %][% IF currency %]Modify currency '[% currency.currency %]'[% ELSE %]New currency[% END %][% END %]
[% IF op == 'delete_confirm' %]Confirm deletion of currency [% currency.currency | $HtmlTags tag='span' attributes=>'class="ex"' %]
[% ELSIF op == 'list' %]Currencies
[% END %]
</div>
<div id="doc3" class="yui-t2">
<div id="bd">
<div id="yui-main">
<div class="yui-b">
[% IF op == 'list' %]
<div id="toolbar" class="btn-toolbar">
<a class="btn btn-default btn-sm" id="newcurrency" href="/cgi-bin/koha/admin/currency.pl?op=add_form"><i class="fa fa-plus"></i> New currency</a>
</div>
[% END %]
[% FOR m IN messages %]
<div class="dialog [% m.type %]">
[% SWITCH m.code %]
[% CASE 'error_on_update' %]
An error occurred when updating this currency. Perhaps it already exists.
[% CASE 'error_on_insert' %]
An error occurred when adding this currency. The currency code might already exist.
[% CASE 'error_on_delete' %]
An error occurred when deleting this currency. Check the logs.
[% CASE 'success_on_update' %]
Currency updated successfully.
[% CASE 'success_on_insert' %]
Currency added successfully.
[% CASE 'success_on_delete' %]
Currency deleted successfully.
[% CASE %]
[% m.code %]
[% END %]
</div>
[% END %]
[% IF op == 'add_form' %]
<form action="/cgi-bin/koha/admin/currency.pl" name="Aform" method="post" class="validated">
<input type="hidden" name="op" value="add_validate" />
<fieldset class="rows">
<legend>
[% IF currency %]
Modify currency
[% ELSE %]
New currency
[% END %]
</legend>
<ol>
<li>
[% IF currency %]
<span class="label">Currency: </span>
<input type="hidden" name="is_a_modif" value="1" />
<input type="hidden" name="currency_code" id="currency" value="[% currency.currency %]" />[% currency.currency %]
[% ELSE %]
<label for="currency_code" class="required">Currency: </label>
<input type="text" name="currency_code" id="currency_code" size="50" maxlength="50" required="required" class="required" /> <span class="required">Required</span>
[% END %]
</li>
<li>
<label for="rate" class="required">Rate: </label>
<input type="text" name="rate" id="rate" size="10" maxlength="10" value="[% currency.rate %]" required="required" class="required" /> <span class="required">Required</span>
</li>
<li>
<label for="symbol" class="required">Symbol: </label>
<input type="text" name="symbol" id="symbol" size="5" maxlength="5" value="[% currency.symbol %]" required="required" class="required" /> <span class="required">Required</span>
</li>
<li>
<label for="isocode">ISO code: </label>
<input type="text" name="isocode" id="isocode" size="5" maxlength="5" value="[% currency.isocode %]" />
</li>
<li>
<span class="label">Last updated: </span>[% currency.timestamp | $KohaDates %]
</li>
<li>
<label for="active">Active: </label>
[% IF currency.active %]
<input type="checkbox" id="active" name="active" value="1" checked="checked" />
[% ELSE %]
<input type="checkbox" id="active" name="active" value="1" />
[% END %]
<span id="hint" class="hint"></span>
</li>
</ol>
</fieldset>
<fieldset class="action">
<input type="submit" value="Submit" />
<a href="/cgi-bin/koha/admin/currency.pl" class="cancel">Cancel</a>
</fieldset>
</form>
[% END %]
[% IF op =='delete_confirm' %]
[% IF nb_of_orders or nb_of_vendors %]
<div class="dialog alert">
<h3>Cannot delete currency [% currency.currency | $HtmlTags tag='span' attributes=>'class="ex"' %]</h3>
<p>
[% IF nb_of_orders %]
This currency is used by [% nb_of_orders %] orders.
[% ELSIF nb_of_vendors %]
This currency is used by [% nb_of_vendors %] vendors.
[% END %]
Deletion not possible
</p>
<form action="/cgi-bin/koha/admin/currency.pl" method="post">
<button type="submit" class="approve"><i class="fa fa-fw fa-check"></i> OK</button>
</form>
</div>
[% ELSE %]
<div class="dialog alert">
<h3>Confirm deletion of currency [% currency.currency | $HtmlTags tag='span' attributes=>'class="ex"' %]</h3>
<table>
<tr><th>Currency</th>
<td>[% currency.currency %]</td>
</tr>
<tr><th>Rate</th>
<td>[% currency.rate %]</td>
</tr>
</table>
<form action="/cgi-bin/koha/admin/currency.pl" method="post">
<input type="hidden" name="op" value="delete_confirmed" />
<input type="hidden" name="currency_code" value="[% currency.currency %]" />
<button type="submit" class="approve"><i class="fa fa-fw fa-check"></i> Yes, delete this currency</button>
</form>
<form action="/cgi-bin/koha/admin/currency.pl" method="post">
<button type="submit" class="deny"><i class="fa fa-fw fa-remove"></i> No, do not delete</button>
</form>
</div>
[% END %]
[% END %]
[% IF op == 'list' %]
<h2>Currencies and exchange rates</h2>
[% IF currencies and no_active_currency %]
<div class="dialog alert"><h3>No active currency is defined</h3><p>Please edit one currency and mark it as active.</p></div>
[% END %]
[% IF searchfield %]
You searched for [% searchfield |html %]</span>
[% END %]
<table id='currencies-table'>
<thead>
<tr>
<th>Currency</th>
<th>Rate</th>
<th>Symbol</th>
<th>ISO code</th>
<th class="title-string">Last updated</th>
<th>Active</th>
<th>Archived</th>
<th>Actions</th>
</tr>
</thead>
<tbody>
[% FOREACH currency IN currencies %]
<tr>
<td>[% currency.currency %]</td>
<td>[% currency.rate %]</td>
<td>[% currency.symbol |html %]</td>
<td>[% currency.isocode |html %]</td>
<td><span title="[% currency.timestamp %]">[% currency.timestamp | $KohaDates %]</span></td>
<td style="color:green;">[% IF currency.active %]✓[% END %]</td>
<td>[% IF currency.archived %]Yes[% END %]</td>
<td class="actions">
<a class="btn btn-default btn-xs" href="/cgi-bin/koha/admin/currency.pl?op=add_form&amp;currency_code=[% currency.currency %]"><i class="fa fa-pencil"></i> Edit</a>
<a class="btn btn-default btn-xs" href="/cgi-bin/koha/admin/currency.pl?op=delete_confirm&amp;currency_code=[% currency.currency %]"><i class="fa fa-trash"></i> Delete</a>
</td>
</tr>
[% END %]
</tbody>
</table>
<br />
<div class="hint">
<p>
When importing MARC files via the staging tools, the tool will attempt to find and use the price of the currently active currency.
</p>
<p>
Some examples of compatible price fields include "$9.99", "9.99 USD", "$9.99 USD", "9.99 USD (10.00 CAN)", "$9.99 USD (paperback)".
These examples assume USD is the active currency.
</p>
</div>
[% END %]
</div>
</div>
<div class="yui-b">
[% INCLUDE 'admin-menu.inc' %]
</div>
</div>
[% INCLUDE 'intranet-bottom.inc' %]
View git blame Copy permalink