Koha/koha-tmpl/intranet-tmpl/prog/en/modules/serials/checkexpiration.tt
Jonathan Druart 9d00353a92 Bug 17026: Fix XSS in serials/checkexpiration.pl
Test plan:
Hit:
 /serials/checkexpiration.pl?title="><script>alert("XSS")</script>&date=12/02/2002
 /serials/checkexpiration.pl?issn="><script>alert("XSS")</script>&date=12/02/2002

=> Without this patch you will see the alert
=> With this patch, no more alert

Signed-off-by: Chris Cormack <chris@bigballofwax.co.nz>

Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>

Signed-off-by: Brendan Gallagher <brendan@bywatersolutions.com>
2016-08-04 18:13:31 +00:00

147 lines
5 KiB
Text

[% USE KohaDates %]
[% INCLUDE 'doc-head-open.inc' %]
<title>Koha &rsaquo; Serials &rsaquo; Check expiration</title>
[% INCLUDE 'doc-head-close.inc' %]
[% INCLUDE 'calendar.inc' %]
[% USE Branches %]
<script type="text/javascript" language="JavaScript">
// <![CDATA[
/**
* Function CheckForm
* This function checks the form before submit
*/
function CheckForm(form){
if(form.date.value){
return true;
}
else {
alert(_("You must enter a date!"));
document.f.date.focus();
return false;
}
}
function popup(subscriptionid) {
newin=window.open("subscription-renew.pl?mode=popup&subscriptionid="+subscriptionid,'popup','width=590,height=440,toolbar=false,scrollbars=yes,resize=yes');
}
// ]]>
</script>
<!-- End of additions -->
</head>
<body id="ser_checkexpiration" class="ser">
[% INCLUDE 'header.inc' %]
[% INCLUDE 'serials-search.inc' %]
<div id="breadcrumbs"><a href="/cgi-bin/koha/mainpage.pl">Home</a> &rsaquo; <a href="/cgi-bin/koha/serials/serials-home.pl">Serials</a> &rsaquo; Check expiration </div>
<div id="doc3" class="yui-t2">
<div id="bd">
<div id="yui-main">
<div class="yui-b">
<h1>Check expiration</h1>
<form name="f" action="/cgi-bin/koha/serials/checkexpiration.pl" method="post" onsubmit="return CheckForm(this);">
<fieldset class="rows">
<legend>Filter results:</legend>
<ol>
<li><label for="title">Title:</label>
<input id="title" type="text" name="title" size="15" value="[% title | html %]" /></li>
<li><label for="issn">ISSN:</label>
<input id="issn" type="text" name="issn" size="15" value="[% issn | html %]" /></li>
[% IF (branches_loop.size) %]
<li><label for="branch">Library:</label>
<select id="branch" name="branch">
<option value="">All</option>
[% FOREACH branch IN branches_loop %]
[% IF branch.selected %]
<option selected="selected" value="[% branch.branchcode %]">
[% ELSE %]
<option value="[% branch.branchcode %]">
[% END %]
[% branch.branchname %]
</option>
[% END %]
</select>
</li>
[% END %]
<li><label for="date" class="required" title="Required field">Expiring before:</label>
<input id="date" type="text" name="date" size="10" value="[% date | $KohaDates %]" class="focus datepicker" />
<span class="required">Required</span>
<div class="hint">[% INCLUDE 'date-format.inc' %]</div></li>
</ol>
</fieldset>
<fieldset class="action"><input type="submit" value="Search" /></fieldset>
</form>
[% IF ( subscriptions_loop ) %]
<p>
<b>[% numsubscription %]</b> subscription(s)
[% IF ( title ) %]
with title matching <span class="title">[% title | html %]</class>
[% IF ( issn ) %]and [% END %]
[% END %]
[% IF ( issn ) %]
with ISSN matching <b>[% issn | html %]</b>
[% END %]
will expire before <b>[% date | $KohaDates %]</b>
</p>
<table>
<tr>
<th>ISSN</th>
<th>Title</th>
[% IF ( branches_loop.size ) %]<th>Library</th>[% END %]
<th>OPAC note</th>
<th>Nonpublic note</th>
<th>Expiration date</th>
<th>Actions</th>
</tr>
[% FOREACH subscriptions_loo IN subscriptions_loop %]
<tr>
<td>
[% subscriptions_loo.issn %]
</td>
<td><a href="/cgi-bin/koha/serials/subscription-detail.pl?subscriptionid=[% subscriptions_loo.subscriptionid |url %]">[% IF ( subscriptions_loo.title ) %]
[% subscriptions_loo.title |html %]
[% ELSE %]
|
[% END %]
</a>
</td>
[% IF ( branches_loop.size ) %]<td>
[% Branches.GetName( subscriptions_loo.branchcode ) %]
</td>[% END %]
<td>
[% subscriptions_loo.notes %]
</td>
<td>
[% subscriptions_loo.internalnotes %]
</td>
<td>
[% subscriptions_loo.expirationdate | $KohaDates %]
</td>
<td class="actions">
<a href="/cgi-bin/koha/serials/subscription-add.pl?op=modify&amp;subscriptionid=[% subscriptions_loo.subscriptionid %]" class="btn btn-mini"><i class="fa fa-pencil"></i> Edit</a>
<a href="/cgi-bin/koha/serials/subscription-renew.pl?subscriptionid=[% subscriptions_loo.subscriptionid %]" onclick="popup([% subscriptions_loo.subscriptionid %]); return false;" class="btn btn-mini"><i class="fa fa-refresh"></i> Renew</a>
</td>
</tr>
[% END %]
</table>
[% ELSIF searched %]
<p>No results for your query</p>
[% END %]
</div>
</div>
<div class="yui-b">
[% INCLUDE 'serials-menu.inc' %]
</div>
</div>
[% INCLUDE 'intranet-bottom.inc' %]