Koha/koha-tmpl/intranet-tmpl/prog/en/modules/admin/biblio_framework.tt
Amit Gupta a482880352 Bug 19108: Fix Stored XSS in biblio_framework.pl and marctagstructure.pl
To Test
1. Hit the page /cgi-bin/koha/admin/biblio_framework.pl?op=add_form
2. Add a text in the field Description that contains js
3. Save the page.
4. Notice js is execute
5. Click on Actions -> MARC structure
6. Apply patch and reload, the js is escaped

Fixed for both the pages biblio_framework.pl and marctagstructure.pl

Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>

Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
2017-09-29 12:20:51 -03:00

290 lines
17 KiB
Text
Raw Blame History

This file contains ambiguous Unicode characters

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

[% INCLUDE 'doc-head-open.inc' %]
<title>Koha &rsaquo; Administration &rsaquo; MARC frameworks
[% IF op == 'add_form' %]
&rsaquo; [% IF framework %]Modify framework text[% ELSE %]Add framework[% END %]
[% ELSIF op == 'delete_confirm' %]
&rsaquo; Delete framework for [% framework.frameworktext |html %] ([% framework.frameworkcode %])?
[% END %]
</title>
[% INCLUDE 'doc-head-close.inc' %]
<link rel="stylesheet" type="text/css" href="[% interface %]/[% theme %]/css/datatables.css" />
[% INCLUDE 'datatables.inc' %]
<script type="text/javascript">
/* Set some variable needed in biblio_framework.js */
var MSG_IMPORT_ERROR = _("Error importing the framework");
var MSG_SELECT_FILE_FORMAT = _("Please select a CSV (.csv), ODS (.ods) or XML (.xml) spreadsheet file.");
var MSG_OVERWRITE_WARNING = _("Do you really want to import the framework fields and subfields? This will overwrite the current configuration. For safety reasons please use the export option to make a backup");
var MSG_IMPORTING_TO_FRAMEWORK = _("Importing to framework: %s. Importing from file: %s.");
var template_path = "[% interface %]/[% theme %]";
</script>
<script type="text/javascript" src="[% interface %]/[% theme %]/js/biblio_framework.js"></script>
</head>
<body id="admin_biblio_framework" class="admin">
[% INCLUDE 'header.inc' %]
[% INCLUDE 'prefs-admin-search.inc' %]
<div id="breadcrumbs">
<a href="/cgi-bin/koha/mainpage.pl">Home</a>
&rsaquo; <a href="/cgi-bin/koha/admin/admin-home.pl">Administration</a>
&rsaquo; <a href="/cgi-bin/koha/admin/biblio_framework.pl">MARC frameworks</a>
[% IF op == 'add_form' %]
&rsaquo; [% IF framework %]Modify framework text[% ELSE %]Add framework[% END %]
[% ELSIF op == 'delete_confirm' %]
&rsaquo; Delete framework for [% framework.frameworktext |html %] ([% framework.frameworkcode %])?
[% END %]
</div>
<div id="doc3" class="yui-t2">
<div id="bd">
<div id="yui-main">
<div class="yui-b">
[% FOR m IN messages %]
<div class="dialog [% m.type %]">
[% SWITCH m.code %]
[% CASE 'error_on_update' %]
An error occurred when updating this framework. Perhaps it already exists.
[% CASE 'error_on_insert' %]
An error occurred when adding this framework. The framework might already exist.
[% CASE 'error_on_delete' %]
An error occurred when deleting this framework. Check the logs.
[% CASE 'success_on_update' %]
Framework updated successfully.
[% CASE 'success_on_insert' %]
Framework added successfully.
[% CASE 'success_on_delete' %]
Framework deleted successfully.
[% CASE 'already_exists' %]
This framework code already exists.
[% CASE %]
[% m.code %]
[% END %]
</div>
[% END %]
[% IF op == 'list'%]
<div id="toolbar" class="btn-toolbar">
<a class="btn btn-default btn-sm" id="newframework" href="/cgi-bin/koha/admin/biblio_framework.pl?op=add_form"><i class="fa fa-plus"></i> New framework</a>
</div>
[% END %]
[% IF op == 'add_form' %]
<h1>[% IF framework %]Modify framework text[% ELSE %]Add framework[% END %]</h1>
<form action="/cgi-bin/koha/admin/biblio_framework.pl" name="Aform" method="post" class="validated">
<input type="hidden" name="op" value="add_validate" />
<fieldset class="rows">
<ol>
[% IF framework %]
<li>
<span class="label">Framework code: </span>
<input type="hidden" id="frameworkcode" name="frameworkcode" value="[% framework.frameworkcode %]" />[% framework.frameworkcode %]
<input type="hidden" name="is_a_modif" value="1" />
</li>
[% ELSE %]
<li>
<label for="frameworkcode" class="required">Framework code: </label>
<input type="text" id="frameworkcode" name="frameworkcode" size="4" maxlength="4" required="required" class="required" />
<span class="required">Required</span>
</li>
[% END %]
<li>
<label for="description" class="required">Description: </label>
<input type="text" name="frameworktext" id="description" size="40" maxlength="80" value="[% framework.frameworktext |html %]" required="required" class="required" />
<span class="required">Required</span>
</li>
</ol>
</fieldset>
<fieldset class="action">
<input type="submit" value="Submit" class="submit" />
</fieldset>
</form>
[% END %]
[% IF op == 'delete_confirm' %]
<div class="dialog alert">
[% IF biblios_use_this_framework %]
<h3>This framework cannot be deleted</h3>
<p><strong><span class="ex">[% framework.frameworktext |text %] ([% framework.frameworkcode %])</span></strong></p>
<p>The framework is used [% biblios_use_this_framework %] times.</p>
<form action="/cgi-bin/koha/admin/biblio_framework.pl" method="get">
<button type="submit"><i class="fa fa-fw fa-arrow-left"></i> Return to frameworks</button>
</form>
[% ELSE %]
<h3>Delete framework for [% framework.frameworktext |html %] ([% framework.frameworkcode %])?</h3>
<form class="inline" action="/cgi-bin/koha/admin/biblio_framework.pl" method="post">
<input type="hidden" name="op" value="delete_confirmed" />
<input type="hidden" name="frameworkcode" value="[% framework.frameworkcode %]" />
<button type="submit" class="approve"><i class="fa fa-fw fa-check"></i> Yes, delete this framework</button>
</form>
<form class="inline" action="/cgi-bin/koha/admin/biblio_framework.pl" method="get">
<button type="submit" class="deny"><i class="fa fa-fw fa-remove"></i> No, do not delete</button>
</form>
[% END %]
</div>
[% END %]
[% IF op == 'list' %]
<h1>MARC frameworks</h1>
<p>Framework name, then go to MARC biblio to set MARC editor parameters</p>
<table id="table_biblio_frameworks">
<thead>
<tr>
<th>Code</th>
<th>Description</th>
<th>&nbsp;</th>
</tr>
</thead>
<tbody>
<tr>
<td>&nbsp;</td>
<td>Default framework</td>
<td>
<div class="dropdown">
<a class="btn btn-default btn-xs dropdown-toggle" id="frameworkactions[% loo.frameworkcode %]" role="button" data-toggle="dropdown" href="#">
Actions <b class="caret"></b>
</a>
<ul class="dropdown-menu pull-right" role="menu" aria-labelledby="frameworkactions[% loo.frameworkcode %]">
<li><a href="marctagstructure.pl?frameworkcode="><i class="fa fa-eye"></i> MARC structure</a></li>
<!-- Trigger modal -->
<li><a href="#" data-toggle="modal" data-target="#exportModal_default" title="Export framework structure (fields, subfields) to a spreadsheet file (.csv, .xml, .ods)"><i class="fa fa-upload"></i> Export</a></li>
<!-- Trigger modal -->
<li><a href="#" data-toggle="modal" data-target="#importModal_[% framework.frameworkcode %][% frameworks.count %]" title="Import framework structure (fields, subfields) from a spreadsheet file (.csv, .xml, .ods)"><i class="fa fa-download"></i> Import</a></li>
</ul>
<!-- Modal to export default framework -->
<div class="modal" id="exportModal_default" tabindex="-1" role="dialog" aria-labelledby="exportLabelexportModal_default" aria-hidden="true">
<div class="modal-dialog">
<div class="modal-content">
<div class="modal-header">
<button type="button" class="closebtn" data-dismiss="modal" aria-hidden="true">×</button>
<h3 id="exportLabelexportModal_default">Export default framework</h3>
</div>
<form action="import_export_framework.pl" name="form_defaul" method="get" target="_blank" class="form_export">
<div class="modal-body">
<fieldset>
<input type="hidden" name="frameworkcode" value="" />
<p><label for="csv_type_export_default"><input type="radio" name="type_export_default" value="csv" id="csv_type_export_default" checked="checked" /> Export to CSV spreadsheet</label></p>
<p><label for="xml_type_export_default"><input type="radio" name="type_export_default" value="excel" id="xml_type_export_default" /> Export to Excel with XML format, compatible with OpenOffice/LibreOffice as well</label></p>
<p><label for="ods_type_export_default"><input type="radio" name="type_export_default" value="ods" id="ods_type_export_default" /> Export to OpenDocument spreadsheet format</label></p>
</fieldset>
</div>
<div class="modal-footer">
<button type="submit" class="btn btn-default">Export</button>
<button class="btn btn-link" data-dismiss="modal" aria-hidden="true">Cancel</button>
</div>
</form>
</div>
</div>
</div>
<!-- Modal to import default framework -->
<div class="modal" id="importModal_[% framework.frameworkcode %][% frameworks.count %]" tabindex="-1" role="dialog" aria-labelledby="importLabelexportModal_default[% frameworks.count %]" aria-hidden="true">
<div class="modal-dialog">
<div class="modal-content">
<div class="modal-header">
<button type="button" class="closebtn" data-dismiss="modal" aria-hidden="true">×</button>
<h3 id="importLabelexportModal_[% framework.frameworkcode %][% frameworks.count %]">Import default framework structure (fields and subfields) from a spreadsheet file (.csv, .xml, .ods)</h>
</div>
<form action="/cgi-bin/koha/admin/import_export_framework.pl" name="form_i_default" id="form_i_default" method="post" enctype="multipart/form-data" class="form_import">
<div class="modal-body">
<input type="hidden" name="frameworkcode" value="default" />
<input type="hidden" name="action" value="import" />
<p><label for="file_import_default">Upload file:</label> <input type="file" name="file_import_default" id="file_import_default" class="input_import" /></p>
<div id="importing_default" style="display:none" class="importing"><img src="[% interface %]/[% theme %]/img/spinner-small.gif" alt="" /><span class="importing_msg"></span></div>
</div>
<div class="modal-footer">
<button type="submit" class="btn btn-default">Import</button>
<button class="btn btn-link" data-dismiss="modal" aria-hidden="true">Close</button>
</div>
</form>
</div>
</div>
</div>
</div>
</td>
</tr>
[% FOREACH loo IN frameworks %]
<tr>
<td>[% loo.frameworkcode %]</td>
<td>[% loo.frameworktext |html %]</td>
<td>
<div class="dropdown">
<a class="btn btn-default btn-xs dropdown-toggle" id="frameworkactions[% loo.frameworkcode %]" role="button" data-toggle="dropdown" href="#">
Actions <b class="caret"></b>
</a>
<ul class="dropdown-menu pull-right" role="menu" aria-labelledby="frameworkactions[% loo.frameworkcode %]">
<li><a href="marctagstructure.pl?frameworkcode=[% loo.frameworkcode %]"><i class="fa fa-eye"></i> MARC structure</a></li>
<li><a href="/cgi-bin/koha/admin/biblio_framework.pl?op=add_form&amp;frameworkcode=[% loo.frameworkcode |html %]"><i class="fa fa-pencil"></i> Edit</a></li>
<li><a href="/cgi-bin/koha/admin/biblio_framework.pl?op=delete_confirm&amp;frameworkcode=[% loo.frameworkcode |html %]"><i class="fa fa-trash"></i> Delete</a></li>
<!-- Trigger modal -->
<li><a href="#" data-toggle="modal" data-target="#exportModal_[% loo.frameworkcode %][% loop.count %]" title="Export framework structure (fields, subfields) to a spreadsheet file (.csv, .xml, .ods)"><i class="fa fa-upload"></i> Export</a></li>
<!-- Trigger modal -->
<li><a href="#" data-toggle="modal" data-target="#importModal_[% loo.frameworkcode %][% loop.count %]" title="Import framework structure (fields, subfields) from a spreadsheet file (.csv, .xml, .ods)"><i class="fa fa-download"></i> Import</a></li>
</ul>
<!-- Modal to export other framework -->
<div class="modal" id="exportModal_[% loo.frameworkcode %][% loop.count %]" tabindex="-1" role="dialog" aria-labelledby="exportLabelexportModal_[% loo.frameworkcode %][% loop.count %]" aria-hidden="true">
<div class="modal-dialog">
<div class="modal-content">
<div class="modal-header">
<button type="button" class="closebtn" data-dismiss="modal" aria-hidden="true">×</button>
<h3 id="exportLabelexportModal_[% loo.frameworkcode %][% loop.count %]">Export [% loo.frameworktext |html %] framework</h3>
</div>
<form action="import_export_framework.pl" name="form_[% loo.frameworkcode %]" method="get" target="_blank" class="form_export">
<div class="modal-body">
<fieldset>
<input type="hidden" name="frameworkcode" value="[% loo.frameworkcode %]" />
<p><label for="csv_type_export_[% loo.frameworkcode %][% loop.count %]"><input type="radio" name="type_export_[% loo.frameworkcode %]" value="csv" id="csv_type_export_[% loo.frameworkcode %][% loop.count %]" checked="checked" /> Export to CSV spreadsheet</label></p>
<p><label for="xml_type_export_[% loo.frameworkcode %][% loop.count %]"><input type="radio" name="type_export_[% loo.frameworkcode %]" value="excel" id="xml_type_export_[% loo.frameworkcode %][% loop.count %]" /> Export to Excel with XML format, compatible with OpenOffice/LibreOffice as well</label></p>
<p><label for="ods_type_export_[% loo.frameworkcode %][% loop.count %]"><input type="radio" name="type_export_[% loo.frameworkcode %]" value="ods" id="ods_type_export_[% loo.frameworkcode %][% loop.count %]" /> Export to OpenDocument spreadsheet format</label></p>
</fieldset>
</div>
<div class="modal-footer">
<button type="submit" class="btn btn-default">Export</button>
<button class="btn btn-link" data-dismiss="modal" aria-hidden="true">Cancel</button>
</div>
</form>
</div>
</div>
</div>
<!-- Modal to import other framework -->
<div class="modal" id="importModal_[% loo.frameworkcode %][% loop.count %]" tabindex="-1" role="dialog" aria-labelledby="importLabelexportModal_[% loo.frameworkcode %][% loop.count %]" aria-hidden="true">
<div class="modal-dialog">
<div class="modal-content">
<div class="modal-header">
<button type="button" class="closebtn" data-dismiss="modal" aria-hidden="true">×</button>
<h3 id="importLabelexportModal_[% loo.frameworkcode %][% loop.count %]">Import [% loo.frameworkcode %] framework structure (fields and subfields) from a spreadsheet file (.csv, .xml, .ods)</h3>
</div>
<form action="/cgi-bin/koha/admin/import_export_framework.pl" name="form_i_[% loo.frameworkcode %]" id="form_i_[% loo.frameworkcode %]" method="post" enctype="multipart/form-data" class="form_import">
<div class="modal-body">
<input type="hidden" name="frameworkcode" value="[% loo.frameworkcode %]" />
<input type="hidden" name="action" value="import" />
<p><label for="file_import_[% loo.frameworkcode %]">Upload file:</label> <input type="file" name="file_import_[% loo.frameworkcode %]" id="file_import_[% loo.frameworkcode %]" class="input_import" /></p>
<div id="importing_[% loo.frameworkcode %]" style="display:none" class="importing"><img src="[% interface %]/[% theme %]/img/spinner-small.gif" alt="" /><span class="importing_msg"></span></div>
</div>
<div class="modal-footer">
<button type="submit" class="btn btn-default">Import</button>
<button class="btn btn-link" data-dismiss="modal" aria-hidden="true">Close</button>
</div>
</form>
</div>
</div>
</div>
</div>
</td>
</tr>
[% END %]
</table>
[% END %]
</div>
</div>
<div class="yui-b">
[% INCLUDE 'admin-menu.inc' %]
</div>
</div>
[% INCLUDE 'intranet-bottom.inc' %]