Koha-community/Koha
13
7
Fork 0
Code Issues Releases Wiki Activity
Koha/koha-tmpl/intranet-tmpl/prog/en/modules/serials/subscription-add.tt
Jonathan Druart dcd1f5d48c Bug 13618: Add html filters to all the variables 
Here we go, next step then.
As we did not fix the performance issue when autofiltering
the variables (see bug 20975), the only solution we have is to add the
filters explicitely.

This patch has been autogenerated (using add_html_filters.pl, see next
pathces) and add the html filter to all the variables displayed in the
template.
Exceptions are made (using the new 'raw' TT filter) to the variable we
already listed in the previous versions of this patch.

To test:
- Use t/db_dependent/Koha/Patrons.t to populate your DB with autogenerated
data which contain <script> tags

- Remove them from borrower_debarments.comments (there are allowed here)
update  borrower_debarments set comment="html tags possible here";

- From the interface hit page and try to catch alert box.
If you find one it means you find a possible XSS.
To know where it comes from:
* note the exact URL where you found it
* note the alert box content
* Dump your DB and search for the string in the dump to identify its
location (for instance table.field)

Next:
* Ideally we would like to use the raw filter when it is not necessary
to HTML escape the variables (in big loop for instance)
* Provide a QA script to catch missing filters (we want html, uri, url
or raw, certainly others that I am forgetting now)
* Replace the html filters with uri when needed (!)

Signed-off-by: Owen Leonard <oleonard@myacpl.org>

Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>

Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
2018-08-17 15:55:05 +00:00

517 lines
39 KiB
Text
Raw Blame History

[% USE raw %]
[% USE Asset %]
[% USE KohaDates %]
[% USE Branches %]
[% SET footerjs = 1 %]
[% INCLUDE 'doc-head-open.inc' %]
<title>Koha &rsaquo; Serials &rsaquo; [% IF ( modify ) %][% bibliotitle | html %] &rsaquo; Modify subscription[% ELSE %]New subscription[% END %]</title>
[% INCLUDE 'doc-head-close.inc' %]
<style type="text/css">
fieldset.rows li.radio { width: 100%; } /* override staff-global.css */
.yui-u li p label.widelabel {
width: 300px; /* not enough for IE7 apparently */
}
</style>
</head>
<body id="ser_subscription-add" class="ser">
[% INCLUDE 'header.inc' %]
[% INCLUDE 'serials-search.inc' %]
<div id="breadcrumbs"><a href="/cgi-bin/koha/mainpage.pl">Home</a> &rsaquo; <a href="/cgi-bin/koha/serials/serials-home.pl">Serials</a> &rsaquo; [% IF ( modify ) %]<a href="/cgi-bin/koha/serials/subscription-detail.pl?subscriptionid=[% subscriptionid | html %]"><i>[% bibliotitle | html %]</i></a> &rsaquo; Modify subscription[% ELSE %]New subscription[% END %]</div>
<div class="main container-fluid">
<div class="row">
<h1>[% IF ( modify ) %] Modify subscription for <i>[% bibliotitle | html %]</i>[% ELSE %]Add a new subscription[% END %] (<span id="page_number">1/2</span>)</h1>
<form method="post" id="subscription_add_form" name="f" action="/cgi-bin/koha/serials/subscription-add.pl" class="validated">
[% IF ( modify ) %]
<input type="hidden" name="op" value="modsubscription" />
<input type="hidden" name="subscriptionid" value="[% subscriptionid | html %]" />
[% ELSE %]
<input type="hidden" name="op" value="addsubscription" />
[% END %]
<input type="hidden" name="user" value="[% loggedinusername | html %]" />
<input type="hidden" name="irreg_check" value="0" />
<div id="page_1">
<div class="col-md-6">
<fieldset id="subscription_add_information" class="rows">
<legend>Subscription details</legend>
<ol>
[% IF ( subscriptionid ) %]
<li><span class="label">Subscription #</span> [% subscriptionid | html %]</li>
[% END %]
<li>
<label for="aqbooksellerid">Vendor: </label>
<input type="text" name="aqbooksellerid" id="aqbooksellerid" value="[% aqbooksellerid | html %]" size="8" /> (<input type="text" name="aqbooksellername" id="aqbooksellername" value="[% aqbooksellername | html %]" disabled="disabled" readonly="readonly" />) <a href="#" id="vendor_search"><i class="fa fa-search"></i> Search for a vendor</a>
</li>
<li>
<label for="biblionumber" class="required" title="Subscriptions must be associated with a bibliographic record">Record:</label>
<input type="text" name="biblionumber" id="biblionumber" value="[% bibnum | html %]" size="8" />
(<input type="text" name="title" value="[% bibliotitle | html %]" disabled="disabled" readonly="readonly" />) <span class="required" title="Subscriptions must be associated with a bibliographic record">Required</span>
<div class="inputnote"> <a href="#" id="record_search"><i class="fa fa-search"></i> Search for record</a>
[% IF ( CAN_user_editcatalogue ) %]
[% IF ( modify ) %]
| <a href="#" id="biblio_add_edit" data-biblionumber="[% bibnum | html %]"><i class="fa fa-pencil"></i> Edit record</a>
[% ELSE %]
| <a href="#" id="biblio_add_edit"><i class="fa fa-plus"></i> Create record</a>
[% END %]
[% END %]
</div>
</li>
<li class="radio">
[% IF ( serialsadditems ) %]
<p><input type="radio" id="serialsadditems-yes" name="serialsadditems" value="1" checked="checked" /><label class="widelabel" for="serialsadditems-yes">create an item record when receiving this serial</label></p>
<p><input type="radio" id="serialsadditems-no" name="serialsadditems" value="0" /><label class="widelabel" for="serialsadditems-no">do not create an item record when receiving this serial </label></p>
[% ELSE %]
<p><input type="radio" id="serialsadditems-yes" name="serialsadditems" value="1"/><label class="widelabel" for="serialsadditems-yes">create an item record when receiving this serial</label></p>
<p><input type="radio" id="serialsadditems-no" name="serialsadditems" value="0" checked="checked" /><label class="widelabel" for="serialsadditems-no">do not create an item record when receiving this serial</label></p>
[% END %]
</li>
<li class="radio">
<p>When there is an irregular issue:</p>
[% IF (skip_serialseq) %]
<p>
<input type="radio" id="skip_serialseq_yes" name="skip_serialseq" value="1" checked="checked" />
<label for="skip_serialseq_yes">Skip issue number</label>
</p>
<p>
<input type="radio" id="skip_serialseq_no" name="skip_serialseq" value="0" />
<label for="skip_serialseq_no">Keep issue number</label>
</p>
[% ELSE %]
<p>
<input type="radio" id="skip_serialseq_yes" name="skip_serialseq" value="1" />
<label for="skip_serialseq_yes">Skip issue number</label>
</p>
<p>
<input type="radio" id="skip_serialseq_no" name="skip_serialseq" value="0" checked="checked" />
<label for="skip_serialseq_no">Keep issue number</label>
</p>
[% END %]
</li>
<li>
<label for="manualhistory">Manual history:</label>
[% IF (manualhistory) %]
<input type="checkbox" id="manualhistory" name="manualhist" checked="checked" />
[% ELSE %]
<input type="checkbox" id="manualhistory" name="manualhist" />
[% END %]
</li>
<li>
<label for="callnumber">Call number:</label>
<input type="text" name="callnumber" id="callnumber" value="[% callnumber | html %]" size="20" />
</li>
<li>
<label for="branchcode">Library:</label>
<select name="branchcode" id="branchcode" style="width: 20em;">
[% UNLESS ( Independentbranches ) %]
<option value="">None</option>
[% END %]
[% IF CAN_user_serials_superserials %]
[% PROCESS options_for_libraries libraries => Branches.all( selected => branchcode, unfiltered => 1 ) %]
[% ELSE %]
[% PROCESS options_for_libraries libraries => Branches.all( selected => branchcode ) %]
[% END %]
</select> (select a library)
</li>
<li>
<label for="notes">Public note:</label>
<textarea name="notes" id="notes" cols="30" rows="2">[% notes | html %]</textarea>
</li>
<li>
<label for="internalnotes">Nonpublic note:</label>
<textarea name="internalnotes" id="internalnotes" cols="30" rows="2">[% internalnotes | html %]</textarea>
</li>
<li>
[% IF ( letterloop ) %]
<label for="letter">Patron notification: </label>
<select name="letter" id="letter">
<option value="">None</option>
[% FOREACH letterloo IN letterloop %]
[% IF ( letterloo.selected ) %]
<option value="[% letterloo.value | html %]" selected="selected">[% letterloo.lettername | html %]</option>
[% ELSE %]
<option value="[% letterloo.value | html %]">[% letterloo.lettername | html %]</option>
[% END %]
[% END %]
</select>
<div class="hint">Selecting a notice will allow patrons to subscribe to notifications when a new issue is received.</div>
[% ELSE %]
<span class="label">Patron notification: </span>
<div class="hint">To notify patrons of new serial issues, you must <a href="/cgi-bin/koha/tools/letter.pl">define a notice</a>.</div>
[% END %]
</li>
<li>
<label for="location">Location:</label>
<select name="location" id="location">
<option value="">None</option>
[% FOREACH locations_loo IN locations_loop %]
[% IF locations_loo.authorised_value == location %]
<option value="[% locations_loo.authorised_value | html %]" selected="selected">[% locations_loo.lib | html %]</option>
[% ELSE %]
<option value="[% locations_loo.authorised_value | html %]">[% locations_loo.lib | html %]</option>
[% END %]
[% END %]
</select>
</li>
<li>
<label for="itemtype">Item type:</label>
<select name="itemtype" id="itemtype">
<option value=""></option>
[% FOREACH type IN typeloop %]
[% IF ( type.selected ) %]
<option value="[% type.code | html %]" selected="selected">[% type.value | html %]</option>
[% ELSE %]
<option value="[% type.code | html %]">[% type.value | html %]</option>
[% END %]
[% END %]
</select>
</li>
[%IF makePreviousSerialAvailable %]
<li>
<label for="previousitemtype">item type for older issues:</label>
<select name="previousitemtype" id="previousitemtype">
<option value=""></option>
[% FOREACH previous IN previoustypeloop %]
[% IF ( previous.selected ) %]
<option value="[% previous.code | html %]" selected="selected">[% previous.value | html %]</option>
[% ELSE %]
<option value="[% previous.code | html %]">[% previous.value | html %]</option>
[% END %]
[% END %]
</select>
</li>
[% END %]
<li>
<label for="graceperiod">Grace period:</label>
<input type="text" name="graceperiod" id="graceperiod" value="[% graceperiod | html %]" size="5"/> day(s)
</li>
<li>
<label class="widelabel" for="staffdisplaycount">Number of issues to display to staff: </label>
<input type="text" name="staffdisplaycount" id="staffdisplaycount" value="[% staffdisplaycount | html %]" size="4"/>
</li>
<li>
<label class="widelabel" for="opacdisplaycount">Number of issues to display to the public: </label>
<input type="text" name="opacdisplaycount" id="opacdisplaycount" value="[% opacdisplaycount | html %]" size="4"/>
</li>
</ol>
</fieldset>
<fieldset class="action">
<input type="button" value="Next &gt;&gt;" id="subscription_add_next" style="float:right;" />
</fieldset>
</div>
</div>
<div id="page_2">
<div class="col-md-6">
<div id="subscription_form_planning">
<fieldset class="rows">
<legend>Serials planning</legend>
<ol>
<li>
<label for="firstacquidate" class="required">First issue publication date:</label>
[% UNLESS (more_than_one_serial) %]
<input type="text" size="10" id="acqui_date" name="firstacquidate" value="[% firstacquidate | $KohaDates %]" class="datepicker required" required="required" />
[% ELSE %]
[% firstacquidate | $KohaDates %]
<input type="hidden" size="10" id="acqui_date" name="firstacquidate" value="[% firstacquidate | $KohaDates %]"/>
[% END %]
</li>
[% IF (more_than_one_serial) %]
<li>
<label for="nextacquidate">Next issue publication date:</label>
<input type="text" size="10" id="nextacquidate" name="nextacquidate" value="[% nextacquidate | $KohaDates %]" class="datepicker" />
</li>
[% END %]
<li>
<label for="frequency" class="required">Frequency:</label>
<select name="frequency" size="1" id="frequency" class="required" required="required">
<option value="">-- please choose --</option>
[% FOREACH frequency IN frequencies %]
[% IF (frequency.selected) %]
<option value="[% frequency.id | html %]" selected="selected">
[% ELSE %]
<option value="[% frequency.id | html %]">
[% END %]
[% frequency.label | html %]
</option>
[% END %]
</select>
</li>
<li>
<label for="subtype">Subscription length:</label>
<select name="subtype" id="subtype">
[% FOREACH st IN subtypes %]
[% SWITCH st %]
[% CASE 'numberlength' %]
[% IF st == subtype %]
<option value="issues" selected="selected">
[% ELSE %]
<option value="issues">
[% END %]
issues
[% CASE 'weeklength' %]
[% IF st == subtype %]
<option value="weeks" selected="selected">
[% ELSE %]
<option value="weeks">
[% END %]
weeks
[% CASE 'monthlength' %]
[% IF st == subtype %]
<option value="months" selected="selected">
[% ELSE %]
<option value="months">
[% END %]
months
[% CASE %][% st | html %]
[% END %]
</option>
[% END %]
</select>
<input type="text" name="sublength" id="sublength" value="[% sublength | html %]" size="3" /> (enter amount in numerals)
<input type="hidden" name="issuelengthcount">
</li>
<li>
<label for="startdate" class="required"> Subscription start date:</label>
<input type="text" size="10" id="from" name="startdate" value="[% startdate | $KohaDates %]" class="datepickerfrom required" required="required" />
</li>
<li>
<label for="enddate">Subscription end date:</label>
<input type="text" size="10" id="to" name="enddate" value="[% enddate | $KohaDates %]" class="datepickerto" />
</li>
<li>
<label for="numberpattern" class="required">Numbering pattern:</label>
<select name="numbering_pattern" size="1" id="numberpattern" class="required" required="required">
<option value="">-- please choose --</option>
[% FOREACH numberpattern IN numberpatterns %]
[% IF (numberpattern.selected) %]
<option value="[% numberpattern.id | html %]" selected="selected">
[% ELSE %]
<option value="[% numberpattern.id | html %]">
[% END %]
[% numberpattern.label | html %]
</option>
[% END %]
</select>
</li>
<li>
<label for="locale">Locale:</label>
<select id="locale" name="locale">
<option value=""></option>
[% FOREACH l IN locales %]
[% IF l.language == locale %]
<option value="[% l.language | html %]" selected="selected">[% l.description | html %]</option>
[% ELSE %]
<option value="[% l.language | html %]">[% l.description | html %]</option>
[% END %]
[% END %]
</select>
<span class="hint">If empty, English is used</span>
</li>
<li id="more_options">
<table id="moreoptionst">
<thead>
<tr>
<th>&nbsp;</th>
<th id="headerX">&nbsp;</th>
<th id="headerY">&nbsp;</th>
<th id="headerZ">&nbsp;</th>
</tr>
</thead>
<tbody>
<tr>
<td>
[% IF (more_than_one_serial) %]
Last value
[% ELSE %]
Begins with
[% END %]
</td>
<td id="beginsX"><input type="text" id="lastvaluetemp1" name="lastvaluetemp1" value="[% lastvalue1 | html %]" /></td>
<td id="beginsY"><input type="text" id="lastvaluetemp2" name="lastvaluetemp2" value="[% lastvalue2 | html %]" /></td>
<td id="beginsZ"><input type="text" id="lastvaluetemp3" name="lastvaluetemp3" value="[% lastvalue3 | html %]" /></td>
</tr>
<tr>
<td>Inner counter</td>
<td id="innerX"><input type="text" id="innerlooptemp1" name="innerlooptemp1" value="[% innerloop1 | html %]" /></td>
<td id="innerY"><input type="text" id="innerlooptemp2" name="innerlooptemp2" value="[% innerloop2 | html %]" /></td>
<td id="innerZ"><input type="text" id="innerlooptemp3" name="innerlooptemp3" value="[% innerloop3 | html %]" /></td>
</tr>
</tbody>
</table>
</li>
<li>
<a href="#" class="toggle_advanced_pattern show_advanced_pattern"><i class="fa fa-plus-square"></i> Show advanced pattern</a>
<a href="#" style="display:none;" class="toggle_advanced_pattern hide_advanced_pattern"><i class="fa fa-minus-square"></i> Hide advanced pattern</a>
</li>
<div id="advancedpredictionpattern" style="display:none">
<li>
<label for="patternname" class="required">Pattern name:</label>
<input id="patternname" name="patternname" type="text" readonly="readonly" class="required" required="required" />
</li>
<li>
<label for="numberingmethod">Numbering formula:</label>
<input readonly="readonly" type="text" name="numberingmethod" id="numberingmethod" size="50" value="[% numberingmethod | html %]" />
</li>
<table id="advancedpredictionpatternt">
<thead>
<tr>
<th colspan="4">Advanced prediction pattern</th>
</tr>
<tr>
<th>&nbsp;</th>
<th>X</th>
<th>Y</th>
<th>Z</th>
</tr>
</thead>
<tbody>
<tr>
<td>Label</td>
<td><input type="text" readonly="readonly" id="label1" name="label1" /></td>
<td><input type="text" readonly="readonly" id="label2" name="label2" /></td>
<td><input type="text" readonly="readonly" id="label3" name="label3" /></td>
</tr>
<tr>
<td>Begins with</td>
<td><input type="text" readonly="readonly" id="lastvalue1" name="lastvalue1" /></td>
<td><input type="text" readonly="readonly" id="lastvalue2" name="lastvalue2" /></td>
<td><input type="text" readonly="readonly" id="lastvalue3" name="lastvalue3" /></td>
</tr>
<tr>
<td>Add</td>
<td><input type="text" readonly="readonly" id="add1" name="add1" /></td>
<td><input type="text" readonly="readonly" id="add2" name="add2" /></td>
<td><input type="text" readonly="readonly" id="add3" name="add3" /></td>
</tr>
<tr>
<td>Every</td>
<td><input type="text" readonly="readonly" id="every1" name="every1" /></td>
<td><input type="text" readonly="readonly" id="every2" name="every2" /></td>
<td><input type="text" readonly="readonly" id="every3" name="every3" /></td>
</tr>
<tr>
<td>Set back to</td>
<td><input type="text" readonly="readonly" id="setto1" name="setto1" /></td>
<td><input type="text" readonly="readonly" id="setto2" name="setto2" /></td>
<td><input type="text" readonly="readonly" id="setto3" name="setto3" /></td>
</tr>
<tr>
<td>When more than</td>
<td><input type="text" readonly="readonly" id="whenmorethan1" name="whenmorethan1" /></td>
<td><input type="text" readonly="readonly" id="whenmorethan2" name="whenmorethan2" /></td>
<td><input type="text" readonly="readonly" id="whenmorethan3" name="whenmorethan3" /></td>
</tr>
<tr>
<td>Inner counter</td>
<td><input type="text" readonly="readonly" id="innerloop1" name="innerloop1" /></td>
<td><input type="text" readonly="readonly" id="innerloop2" name="innerloop2" /></td>
<td><input type="text" readonly="readonly" id="innerloop3" name="innerloop3" /></td>
</tr>
<tr>
[% BLOCK numbering_select %]
<select disabled="disabled" id="[% name | html %]" name="[% name | html %]">
<option value=""></option>
<option value="dayname">Name of day</option>
<option value="dayabrv">Name of day (abbreviated)</option>
<option value="monthname">Name of month</option>
<option value="monthabrv">Name of month (abbreviated)</option>
<option value="season">Name of season</option>
<option value="seasonabrv">Name of season (abbreviated)</option>
</select>
[% END %]
<td>Formatting</td>
<td>[% PROCESS numbering_select name="numbering1" %]</td>
<td>[% PROCESS numbering_select name="numbering2" %]</td>
<td>[% PROCESS numbering_select name="numbering3" %]</td>
</tr>
</tbody>
</table>
<input id="modifyadvancedpatternbutton" type="button" value="Modify pattern" />
<input id="restoreadvancedpatternbutton" type="button" value="Cancel modifications" style="display:none" />
<input id="saveadvancedpatternbutton" type="button" value="Save as new pattern" style="display:none" />
</div>
</ol>
</fieldset>
[% IF additional_fields_for_subscription %]
<div id="subscription_additional_fields">
<fieldset class="rows">
<legend>Additional fields</legend>
<ol>
[% FOR field IN additional_fields_for_subscription %]
<li>
<label for="additional_field_[% field.id | html %]"> [% field.name | html %]: </label>
[% IF field.authorised_value_choices %]
<select name="additional_field_[% field.id | html %]" id="additional_field_[% field.id | html %]">
[% FOREACH av IN field.authorised_value_choices %]
[% IF av.authorised_value == additional_fields.${field.name} %]
<option value="[% av.authorised_value | html %]" selected="selected">[% av.lib | html %]</option>
[% ELSE %]
<option value="[% av.authorised_value | html %]">[% av.lib | html %]</option>
[% END %]
[% END %]
</select> (Authorised values for [% field.authorised_value_category | html %])
[% ELSE %]
[% IF field.marcfield %]
<input type="text" value="[% additional_fields.${field.name} | html %]" id="additional_field_[% field.id | html %]" name="additional_field_[% field.id | html %]" readonly="readonly" />
This value will be filled with the [% field.marcfield | html %] subfield of the selected biblio.
[% ELSE %]
<input type="text" value="[% additional_fields.${field.name} | html %]" id="additional_field_[% field.id | html %]" name="additional_field_[% field.id | html %]" />
[% END %]
[% END %]
</li>
[% END %]
</ol>
</fieldset>
</div>
[% END %]
<fieldset class="action">
<input type="button" id="subscription_add_previous" value="&lt;&lt; Previous" style="float:left;"/>
<input id="testpatternbutton" type="button" value="Test prediction pattern" />
<input type="submit" value="Save subscription" style="float:right;" accesskey="w" />
</fieldset>
</div>
</div>
<div class="col-md-6">
<li id="displayexample"></li>
</div>
</div>
</form>
</div>
[% MACRO jsinclude BLOCK %]
[% INCLUDE 'calendar.inc' %]
<script type="text/javascript">
var subscriptionid = "[% subscriptionid | html %]";
var irregularity = "[% irregularity | html %]";
var more_than_one_serial = "[% more_than_one_serial | html %]";
var tags = [];
[% FOREACH field IN dont_export_field_loop %]
tags.push("[% field.fieldid | html %]");
[% END %]
var MSG_LINK_TO_VENDOR = _("If you wish to claim late or missing issues you must link this subscription to a vendor. Click OK to ignore or Cancel to return and enter a vendor");
var MSG_LINK_BIBLIO = _("You must choose or create a bibliographic record");
var MSG_REQUIRED_SUB_LENGTH = _("You must choose a subscription length or an end date.");
var MSG_TEST_PREDICTION = _("Please click on 'Test prediction pattern' before saving subscription.");
var MSG_REQUIRED_PUB_DATE = _("You must choose a first publication date");
var MSG = _("You have modified the advanced prediction pattern. Please save your work or cancel modifications.");
var MSG_PATTERN_IRREG = _("Warning! Present pattern has planned irregularities. Click on 'Test prediction pattern' to check if it's still valid")
var MSG_PATTERN_NAME = _("Please enter a name for this pattern");
var MSG_PATTERN_NAME_EXISTS = _("This pattern name already exists. Do you want to modify it?");
var MSG_OVERWRITE_PATTERNS = _("Warning: it will modify the pattern for all subscriptions that are using it.");
var MSG_PATTERN_CREATE_FAILED = _("Something went wrong. Unable to create a new numbering pattern.");
var MSG_PATTERN_TEST_FAILED = _("Cannot test prediction pattern for the following reason(s): %s");
var MSG_FREQUENCY_UNDEFINED = _("Frequency is not defined");
var MSG_PUB_DATE_UNDEFINED = _("First publication date is not defined");
var MSG_NEXT_ISSUE_UNDEFINED = _("Next issue publication date is not defined");
</script>
[% Asset.js("js/subscription-add.js") | $raw %]
[% Asset.js("js/showpredictionpattern.js") | $raw %]
[% END %]
[% INCLUDE 'intranet-bottom.inc' %]
View git blame Copy permalink