Koha/koha-tmpl/intranet-tmpl/prog/en/modules/admin/auth_subfields_structure.tt
Chris c08063d037 Bug 14423: XSS bug in auth_subfields_structure
1/ Hit a url like http://localhost:8081/cgi-bin/koha/admin/auth_subfields_structure.pl?op=add_form&authtypecode=%27%3Cscript%3Ealert%28%27oh%20noes%27%29%3C/script%3E&tagfield=%22/%3E%3Cscript%3Ealert%28%27oh%20noes%27%29%3C/script%3E
2/ Notice a ton of alert boxes pop up
3/ Apply patch
4/ Reload url, no longer get any alerts
5/ Test fuctionality still works

Signed-off-by: Jonathan Druart <jonathan.druart@koha-community.org>

Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
2015-06-23 10:12:03 -03:00

324 lines
17 KiB
Text

[% INCLUDE 'doc-head-open.inc' %]
<title>Koha &rsaquo; Administration &rsaquo; Authority MARC subfield structure</title>
[% INCLUDE 'doc-head-close.inc' %]
<script type="text/javascript">
//<![CDATA[
$(document).ready(function() {
$('#subfieldtabs').tabs();
});
function displayMoreConstraint(numlayer){
var thisdiv = document.getElementById(numlayer);
if(thisdiv.getAttribute("class") == "content_hidden"){
thisdiv.removeAttribute('class');
thisdiv.setAttribute("class","content_visible");
} else {
thisdiv.removeAttribute('class');
thisdiv.setAttribute("class","content_hidden");
}
}
//]]>
</script>
</head>
<body id="admin_auth_subfields_structure" class="admin">
[% INCLUDE 'header.inc' %]
[% INCLUDE 'cat-search.inc' %]
<div id="breadcrumbs"><a href="/cgi-bin/koha/mainpage.pl">Home</a> &rsaquo; <a href="/cgi-bin/koha/admin/admin-home.pl">Administration</a> &rsaquo;
<a href="/cgi-bin/koha/admin/authtypes.pl">Authority types</a> &rsaquo;
[% IF ( authtypecode ) %]<a href="/cgi-bin/koha/admin/auth_tag_structure.pl?authtypecode=[% authtypecode | uri%]">[% authtypecode |html%] framework</a> &rsaquo;
[% ELSE %]<a href="/cgi-bin/koha/admin/auth_tag_structure.pl">Default framework</a> &rsaquo;
[% END %]
[% IF ( else ) %]Authority MARC subfield structure for [% tagfield | html %]
[% ELSE %]<a href="/cgi-bin/koha/admin/auth_subfields_structure.pl?tagfield=[% tagfield | uri %]&amp;tagsubfield=[% tagsubfield %]&amp;authtypecode=[% authtypecode |uri %]">Authority MARC subfield structure for [% tagfield | html %]</a> &rsaquo;
[% END %]
[% IF ( delete_confirm ) %]Confirm deletion of subfield [% tagsubfield %]?[% END %]
[% IF ( delete_confirmed ) %]Data deleted[% END %]
[% IF ( add_form ) %]
[% IF ( use_heading_flags_p ) %]
[% IF ( heading_edit_subfields_p ) %]Edit MARC subfields constraints[% END %]
[% ELSE %][% action %][% END %]
[% END %]
</div>
<div id="doc3" class="yui-t2">
<div id="bd">
<div id="yui-main">
<div class="yui-b">
[% IF ( add_form ) %]
<h1>[% IF ( use_heading_flags_p ) %]
[% IF ( heading_edit_subfields_p ) %]Edit MARC subfields constraints for field [% tagfield | html %] authority [% authtypecode |html%][% END %]
[% ELSE %][% action %][% END %]</h1>
<form action="[% script_name %]" name="Aform" method="post">
<input type="hidden" name="op" value="add_validate" />
<input type="hidden" name="tagfield" value="[% tagfield | html %]" />
<input type="hidden" name="authtypecode" value="[% authtypecode | html%]" />
<fieldset class="action"><input type="submit" class="submit" value="Save changes" /> <a class="cancel" href="/cgi-bin/koha/admin/auth_subfields_structure.pl?tagfield=[% tagfield | uri %]&amp;authtypecode=[% authtypecode |uri %]">Cancel</a></fieldset>
<div id="subfieldtabs" class="toptabs numbered">
<ul>
[% FOREACH loo IN loop %]
[% IF ( loo.new_subfield ) %]
<li><a href="#sub[% loo.tagsubfield %]field" title="[% loo.liblibrarian %]">New</a></li>
[% ELSE %]
<li><a href="#sub[% loo.tagsubfield %]field" title="[% loo.liblibrarian %]">
[% loo.tagsubfield %]
</a></li>
[% END %]
[% END %]
</ul>
[% FOREACH loo IN loop %]
<div id="sub[% loo.tagsubfield %]field">
<fieldset class="rows"><ol>
[% IF ( loo.new_subfield ) %]
<li><label for="tagsubfieldinput[% loo.row %]">Subfield code: </label>[% loo.tagsubfieldinput %]&nbsp;</li>
[% ELSE %]
<li>
<input type="hidden" name="tagsubfield" value="[% loo.tagsubfield %]" />
</li>
[% END %]
<li><label for="repeatable[% loo.row %]">Repeatable: </label>[% loo.repeatable %]&nbsp;</li>
<li><label for="mandatory[% loo.row %]">Mandatory: </label>[% loo.mandatory %]&nbsp;</li>
<li><label for="liblibrarian[% loo.row %]">Text for librarian: </label><input id="liblibrarian[% loo.row %]" type="text" name="liblibrarian" value="[% loo.liblibrarian %]" size="40" maxlength="80" /></li>
<li><label for="libopac[% loo.row %]">Text for OPAC: </label><input type="text" id="libopac[% loo.row %]" name="libopac" value="[% loo.libopac %]" size="40" maxlength="80" /></li>
<li><label for="tab[% loo.row %]">Managed in tab: </label>
<select name="tab" size="1" id="[% loo.tab.id %]">
[%- IF ( loo.tab.default == -1 ) -%]
<option value="-1" selected="selected">ignore</option>
[%- ELSE -%]
<option value="-1">ignore</option>
[%- END -%]
[%- FOREACH t IN [ '0', '1', '2', '3', '4', '5', '6', '7', '8', '9', '10'] -%]
[%- IF ( loo.tab.default == t && t.length>0 ) -%]
<option value="[%- t -%]" selected="selected">[%- t -%]</option>
[%- ELSIF ( loo.tab.default == t ) -%]
<option value="[%- t -%]" selected="selected">&nbsp;</option>
[%- ELSE -%]
<option value="[%- t -%]">[%- t -%]</option>
[%- END -%]
[%- END -%]
</select>
(ignore means that the subfield does not display in the record editor)
</li>
<li>
<fieldset>
<legend>Display</legend>
<ol>
<li><label for="ohidden[% loo.row %]">Select to display or not:</label>
<select name="ohidden" size="1" id="[% loo.ohidden.id %]">
[%- IF ( loo.ohidden.default == 0 ) -%]
<option value= "0" selected="selected">Show all</option>
<option value="-5">Hide all</option>
[%- ELSIF ( loo.ohidden.default == -5 ) -%]
<option value= "0">Show all</option>
<option value="-5" selected="selected">Hide all</option>
[%- ELSE -%]
<option value= "0">Show all</option>
<option value="-5">Hide all</option>
[%- END -%]
</select>
</li>
</ol>
</fieldset>
</li>
<li>
<fieldset class="rows">
<legend>Advanced constraints:</legend>
<ol>
<li><label for="isurl[% loo.row %]">Is a URL:</label>[% loo.isurl %] (if checked, it means that the subfield is a URL and can be clicked)</li>
<li>
<label for="defaultvalue[% loo.row %]">Default value:</label>
<input type="text" name="defaultvalue" id="defaultvalue[% loo.row %]" value="[% loo.defaultvalue %]" />
</li>
</ol>
</fieldset>
</li>
<li>
<fieldset><legend>Help input</legend>
<ol>
<li>
<label for="kohafield[% loo.row %]">Koha field:</label>
<select name="kohafield" id="[% loo.kohafield.id %]" size="1">
[%- FOREACH value IN loo.kohafield.values %]
[% IF ( value == loo.kohafield.default && value.length>0 ) -%]
<option value="[% value %]" selected="selected">[% value %]</option>
[%- ELSIF ( value == loo.kohafield.default ) -%]
<option value="[% value %]" selected="selected">&nbsp;</option>
[%- ELSIF ( value.length==0 ) -%]
<option value="[% value %]">&nbsp;</option>
[%- ELSE -%]
<option value="[% value %]">[% value %]</option>
[%- END -%]
[%- END %]
</select>
</li>
<li>
<label for="authorised_value[% loo.row %]">Authorized value:</label>
<select name="authorised_value" id="[% loo.authorised_value.id %]" size="1">
[%- FOREACH value IN loo.authorised_value.values %]
[% IF ( value == loo.authorised_value.default && value.length>0 ) -%]
<option value="[% value %]" selected="selected">[% value %]</option>
[%- ELSIF ( value == loo.authorised_value.default ) -%]
<option value="[% value %]" selected>&nbsp;</option>
[%- ELSIF ( value.length==0 ) -%]
<option value="[% value %]">&nbsp;</option>
[%- ELSE -%]
<option value="[% value %]">[% value %]</option>
[%- END -%]
[%- END %]
</select>
</li>
<li>
<label for="frameworkcode[% loo.row %]">Thesaurus:</label>
<select name="frameworkcode" id="[% loo.frameworkcode.id %]" size="1">
[%- FOREACH value IN loo.frameworkcode.values %]
[% IF ( value == loo.frameworkcode.default && value.length>0 ) -%]
<option value="[% value %]" selected="selected">[% value %]</option>
[%- ELSIF ( value == loo.frameworkcode.default ) -%]
<option value="[% value %]" selected="selected">&nbsp;</option>
[%- ELSIF ( value.length==0 ) -%]
<option value="[% value %]">&nbsp;</option>
[%- ELSE -%]
<option value="[% value %]">[% value %]</option>
[%- END -%]
[%- END %]
</select>
</li>
<li>
<label for="value_builder[% loo.row %]">Plugin:</label>
<select name="value_builder" id="[% loo.value_builder.id %]" size="1">
[%- FOREACH value IN loo.value_builder.values %]
[% IF ( value == loo.value_builder.default && value.length>0 ) -%]
<option value="[% value %]" selected="selected">[% value %]</option>
[%- ELSIF ( value == loo.value_builder.default ) -%]
<option value="[% value %]" selected="selected">&nbsp;</option>
[%- ELSIF ( value.length==0 ) -%]
<option value="[% value %]">&nbsp;</option>
[%- ELSE -%]
<option value="[% value %]">[% value %]</option>
[%- END -%]
[%- END %]
</select>
</li>
</ol>
</fieldset>
</li>
</ol></fieldset><br class="clear" />
</div>
[% END %]
</div>
</form>
[% END %]
[% IF ( delete_confirm ) %]
<div class="dialog alert"><h3>Delete subfield <span class="ex">'[% tagsubfield %]'?</span></h3>
<form action="[% delete_link %]" method="post"><input type="hidden" name="op" value="delete_confirmed" />
<table><tr><th scope="row">Subfield:</th> <td>[% tagsubfield %]</td></tr>
<tr><th scope="row">Description:</th> <td>[% liblibrarian %]</td></tr></table>
<input type="hidden" name="searchfield" value="[% searchfield %]" />
<input type="hidden" name="tagfield" value="[% tagfield | html%]" />
<input type="hidden" name="tagsubfield" value="[% tagsubfield %]" />
<input type="hidden" name="authtypecode" value="[% authtypecode | html%]" />
<input type="submit" class="approve" value="Yes, delete this subfield" />
</form>
<form action="[% delete_link %]" method="get">
<input type="hidden" name="searchfield" value="[% searchfield %]" />
<input type="hidden" name="tagfield" value="[% tagfield | html %]" />
<input type="hidden" name="tagsubfield" value="[% tagsubfield %]" />
<input type="hidden" name="authtypecode" value="[% authtypecode |html%]" />
<input type="submit" class="deny" value="No, do not delete" />
</form>
</form></div>
[% END %]
[% IF ( delete_confirmed ) %]
<div class="dialog message"> <h3>Data deleted</h3>
<form action="[% script_name %]" method="post">
<input type="hidden" name="tagfield" value="[% tagfield | html %]" />
<input type="submit" class="approve" value="OK" />
</form></div>
[% END %]
[% IF ( else ) %]
<h1>Authority MARC subfield structure admin for [% tagfield | html %] (authority: [% authtypecode | html%])</h1>
<p>This screen shows the subfields associated with the selected tag. You can edit subfields or add a new one by clicking on edit. </p>
<p>The column <b>Koha field</b> shows that the subfield is linked with a Koha field. Koha can manage a MARC interface, and a Koha interface. This link ensures that both DB are synchronized</p>
<table>
<tr>
<th>Subfield</th>
<th>Text</th>
<th>Constraints</th>
<th>Delete</th>
</tr>
[% FOREACH loo IN loop %]
<tr>
<td>[% loo.tagsubfield %]</td>
<td>
[% IF ( loo.subfield_ignored ) %]
<i>[% loo.liblibrarian %]</i>
[% ELSE %]
[% loo.liblibrarian %]
[% END %]
</td>
<td>
[% IF ( loo.subfield_ignored ) %]
<i>subfield ignored</i>
[% ELSE %]
<strong>Tab:</strong>[% loo.tab %],
[% IF ( loo.kohafield ) %] | <strong>Koha field:</strong> [% loo.kohafield %], [% END %]
[% IF ( loo.repeatable ) %]Repeatable, [% ELSE %]Not repeatable,
[% END %]
[% IF ( loo.mandatory ) %]Mandatory, [% ELSE %]Not mandatory,
[% END %]
[% IF ( loo.hidden ) %]hidden,
[% END %]
[% IF ( loo.isurl ) %]is a url,
[% END %]
[% IF ( loo.authorised_value ) %] | <strong>Auth value:</strong>[% loo.authorised_value %],
[% END %]
[% IF ( loo.frameworkcode ) %] | <strong>Authority:</strong>[% loo.frameworkcode %],
[% END %]
[% IF ( loo.value_builder ) %] | <strong>Plugin:</strong>[% loo.value_builder %],[% END %]
[% END %]
</td>
<td><a href="[% loo.delete %]">Delete</a></td>
</tr>
[% END %]
</table>
<form action="[% script_name %]" method="get">
<fieldset class="action"><input type="hidden" name="op" value="add_form" />
<input type="hidden" name="tagfield" value="[% edit_tagfield %]" />
<input type="hidden" name="authtypecode" value="[% edit_authtypecode %]" />
<input type="submit" value="Edit subfields" />
<a class="cancel" href="auth_tag_structure.pl?searchfield=[% tagfield | uri%]&amp;authtypecode=[% authtypecode | uri %]">Cancel</a></fieldset>
</form>
[% IF ( previous ) %]
<input type="image" src="[% interface %]/[% theme %]/images/1leftarrow.png" title="previous" alt="previous" border="0" />
</a>
[% END %]
[% IF ( next ) %]
[% next %]
<input type="image" src="[% interface %]/[% theme %]/images/1rightarrow.png" title="next" alt="next" border="0" />
</a>
[% END %]
[% END %]
</div>
</div>
<div class="yui-b">
[% INCLUDE 'admin-menu.inc' %]
</div>
</div>
[% INCLUDE 'intranet-bottom.inc' %]