Koha-community/Koha
13
7
Fork 0
Code Issues Releases Wiki Activity
Koha/koha-tmpl/opac-tmpl/bootstrap/en/modules/opac-suggestions.tt
Jonathan Druart dcd1f5d48c Bug 13618: Add html filters to all the variables 
Here we go, next step then.
As we did not fix the performance issue when autofiltering
the variables (see bug 20975), the only solution we have is to add the
filters explicitely.

This patch has been autogenerated (using add_html_filters.pl, see next
pathces) and add the html filter to all the variables displayed in the
template.
Exceptions are made (using the new 'raw' TT filter) to the variable we
already listed in the previous versions of this patch.

To test:
- Use t/db_dependent/Koha/Patrons.t to populate your DB with autogenerated
data which contain <script> tags

- Remove them from borrower_debarments.comments (there are allowed here)
update  borrower_debarments set comment="html tags possible here";

- From the interface hit page and try to catch alert box.
If you find one it means you find a possible XSS.
To know where it comes from:
* note the exact URL where you found it
* note the alert box content
* Dump your DB and search for the string in the dump to identify its
location (for instance table.field)

Next:
* Ideally we would like to use the raw filter when it is not necessary
to HTML escape the variables (in big loop for instance)
* Provide a QA script to catch missing filters (we want html, uri, url
or raw, certainly others that I am forgetting now)
* Replace the html filters with uri when needed (!)

Signed-off-by: Owen Leonard <oleonard@myacpl.org>

Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>

Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
2018-08-17 15:55:05 +00:00

358 lines
24 KiB
Text
Raw Blame History

[% USE raw %]
[% USE Asset %]
[% USE Koha %]
[% USE Branches %]
[% USE AuthorisedValues %]
[% USE KohaDates %]
[% INCLUDE 'doc-head-open.inc' %]
<title>[% IF ( LibraryNameTitle ) %][% LibraryNameTitle | html %][% ELSE %]Koha online[% END %] catalog &rsaquo;
[% IF ( op_add ) %]Enter a new purchase suggestion[% END %]
[% IF ( op_else ) %]Purchase Suggestions[% END %]</title>
[% INCLUDE 'doc-head-close.inc' %]
[% BLOCK cssinclude %][% END %]
</head>
[% IF ( loggedinusername ) %][% INCLUDE 'bodytag.inc' bodyid='opac-usersuggestions' bodyclass='scrollto' %][% ELSE %][% INCLUDE 'bodytag.inc' bodyid='opac-suggestions' bodyclass='scrollto' %][% END %]
[% INCLUDE 'masthead.inc' %]
<div class="main">
<ul class="breadcrumb">
<li><a href="/cgi-bin/koha/opac-main.pl">Home</a> <span class="divider">&rsaquo;</span></li>
<li><a href="/cgi-bin/koha/opac-user.pl">[% INCLUDE 'patron-title.inc' patron = logged_in_user %]</a> <span class="divider">&rsaquo;</span></li>
<li><a href="#">Your purchase suggestions</a></li>
</ul>
<div class="container-fluid">
<div class="row-fluid">
<div class="span2">
<div id="navigation">
[% INCLUDE 'navigation.inc' IsPatronPage=1 %]
</div>
</div>
<div class="span10">
<div id="usersuggestions" class="maincontent">
[% IF ( op_add ) %]
[% IF ( Koha.Preference('MaxOpenSuggestions') != '' && patrons_pending_suggestions_count >= Koha.Preference('MaxOpenSuggestions') ) %]
<h1 class="TooManySuggestions">You cannot place any more suggestions</h1>
<h2 class="TooManySuggestionsText">You have reached your limit of suggestions you can place at this time ([% Koha.Preference('MaxOpenSuggestions') | html %]). Once the library has processed those suggestions you will be able to place more.</h2>
[% ELSE %]
<h1>Enter a new purchase suggestion</h1>
<p>Please fill out this form to make a purchase suggestion. You will receive an email when the library processes your suggestion.</p>
<p>Only certain fields (marked in red) are required, but the more information you enter the easier it will be for the librarians to find the title you're requesting. The "Notes" field can be used to provide any additional information.</p>
<form action="/cgi-bin/koha/opac-suggestions.pl" method="post" id="add_suggestion_form">
<fieldset class="rows">
<ol>
<li><label for="title">Title:</label><input type="text" id="title" name="title" class="span6" maxlength="255" /></li>
<li><label for="author">Author:</label><input type="text" id="author" name="author" class="span6" maxlength="80" /></li>
<li>
<div title="Copyright or publication year, for example: 2016">
<label for="copyrightdate">Copyright date:</label><input type="text" id="copyrightdate" name="copyrightdate" pattern="[12]\d{3}" size="4" maxlength="4" />
</div>
</li>
<li><label for="isbn">Standard number (ISBN, ISSN or other):</label><input type="text" id="isbn" name="isbn" maxlength="80" /></li>
<li><label for="publishercode">Publisher:</label><input type="text" id="publishercode" name="publishercode" class="span6" maxlength="80" /></li>
<li><label for="collectiontitle">Collection title:</label><input type="text" id="collectiontitle" name="collectiontitle" class="span6" maxlength="80" /></li>
<li><label for="place">Publication place:</label><input type="text" id="place" name="place" maxlength="80" /></li>
<li id="opac-suggestion-quantity"><label for="quantity">Quantity:</label><input type="text" id="quantity" name="quantity" maxlength="4" size="4" /></li>
<li><label for="itemtype">Item type:</label>
[% PROCESS 'av-build-dropbox.inc' name="itemtype", category="SUGGEST_FORMAT", size = 20 %]
</li>
[% IF branchcode %]
<li><label for="branch">Library:</label>
<select name="branchcode" id="branch">
[% PROCESS options_for_libraries libraries => Branches.all( selected => branchcode ) %]
</select>
</li>
[% END %]
[% IF ( patron_reason_loop ) %]
<li>
<label for="patronreason">Reason for suggestion: </label>
<select name="patronreason" id="patronreason">
<option value="">-- Choose --</option>
[% FOREACH patron_reason_loo IN patron_reason_loop %]
<option value="[% patron_reason_loo.authorised_value | html %]">[% patron_reason_loo.lib | html %]</option>
[% END %]
</select>
</li>
[% END %]
<li>
<label for="note">Notes:</label>
<textarea name="note" id="note" rows="5" cols="40"></textarea>
</li>
<!-- Add a hidden 'negcap' field -->
<li id="negcap" style="position: absolute; left: -2000px;">
negcap <input type="text" name="negcap"/>
</li>
</ol>
</fieldset>
<fieldset class="action">
<input type="hidden" name="suggested_by_anyone" value="[% suggested_by_anyone | html %]" />
<input type="hidden" name="op" value="add_confirm" />
<input type="submit" class="btn" value="Submit your suggestion" /> <a class="action" href="/cgi-bin/koha/opac-suggestions.pl">Cancel</a>
</fieldset>
</form>
[% END %]
[% END # IF op_add %]
[% IF ( op_else ) %]
<h1>
[% IF Koha.Preference( 'OPACViewOthersSuggestions' ) == 1 %]
Purchase suggestions
[% ELSE %]
[% IF ( loggedinusername ) %]
Your purchase suggestions
[% ELSE %]
Purchase suggestions
[% END %]
[% END %]
</h1>
[% FOR m IN messages %]
<div class="alert alert-[% m.type | html %]">
[% SWITCH m.code %]
[% CASE 'too_many' %]
The suggestion has not been added. You have reached your limit of suggestions you can place at this time ([% Koha.Preference('MaxOpenSuggestions') | html %]). Once the library has processed those suggestions you will be able to place more.
[% CASE 'already_exists' %]
The suggestion has not been added. A suggestion with this title already exists.
[% CASE 'success_on_inserted' %]
Your suggestion has been submitted.
[% CASE %]
[% m.code | html %]
[% END %]
</div>
[% END %]
[% IF ( deleted ) %]<div class="alert alert-info">The selected suggestions have been deleted.</div>[% END %]
[% IF ( suggestions_loop ) %]
<form action="/cgi-bin/koha/opac-suggestions.pl" class="form-inline" method="get">
<fieldset>
<label for="title">Search for:</label>
<input type="text" name="title" id="title" value="[% title | html %]" />
[% IF Koha.Preference( 'OPACViewOthersSuggestions' ) == 1 %]
[% IF loggedinusername %]
<label for="suggested_by_anyone">Suggested by:</label>
<div class="input-append">
<select name="suggested_by_anyone" id="suggested_by_anyone">
[% IF suggested_by_anyone %]
<option value="0">Me</option>
<option value="1" selected="selected">Anyone</option>
[% ELSE %]
<option value="0" selected="selected">Me</option>
<option value="1">Anyone</option>
[% END %]
</select>
<button type="submit" class="btn">Go</button>
</div>
[% END %]
[% END %]
</fieldset>
</form>
<form action="/cgi-bin/koha/opac-suggestions.pl" method="post" id="myform">
<input type="hidden" name="op" value="delete_confirm" />
[% IF ( loggedinusername || ( Koha.Preference( 'AnonSuggestions' ) == 1 ) ) %]
<div id="toolbar" class="toolbar clearfix">
[% IF ( Koha.Preference('MaxOpenSuggestions') != '' && patrons_pending_suggestions_count >= Koha.Preference('MaxOpenSuggestions') ) %]
<p class="TooManySuggestionsText">You have reached your limit of suggestions you can place at this time ([% Koha.Preference('MaxOpenSuggestions') | html %]).</br>Once the library has processed those suggestions you will be able to place more.</p>
[% ELSE %]
<a class="new" href="/cgi-bin/koha/opac-suggestions.pl?op=add">New purchase suggestion</a>
[% END %]
</div>
[% END %]
[% IF ( loggedinusername ) %]
<div id="selections-toolbar" class="toolbar">
<span class="checkall"></span> <span class="clearall"></span> <span class="sep">|</span>
<span class="links"><span id="selections">Select suggestions to: </span>
<span id="removeitems"></span>
</div>
[% END %]
<table id="suggestt" class="checkboxed table table-bordered table-striped">
<thead>
<tr>
[% IF ( loggedinusername ) %]<th>&nbsp;</th>[% END %]
<th>Summary</th>
<th>Suggested on</th>
<th>Note</th>
[% IF Koha.Preference( 'OPACViewOthersSuggestions' ) == 1 %]<th>Suggested for</th>[% END %]
[% IF Koha.Preference( 'OpacSuggestionManagedBy' ) %]<th>Managed by</th>[% END %]
<th>Status</th>
</tr>
</thead>
<tbody>
[% FOREACH suggestions_loo IN suggestions_loop %]
<tr>
[% IF ( loggedinusername ) %]
<td>
[% IF ( suggestions_loo.showcheckbox ) %]
<input type="checkbox" class="cb" name="delete_field" value="[% suggestions_loo.suggestionid | html %]" />
[% END %]
</td>
[% END %]
<td>
<p><strong>[% suggestions_loo.title | html %]</strong></p>
<p>[% IF ( suggestions_loo.author ) %][% suggestions_loo.author | html %],[% END %]
[% IF ( suggestions_loo.copyrightdate ) %] - [% suggestions_loo.copyrightdate | html %],[% END %]
[% IF ( suggestions_loo.publishercode ) %] - [% suggestions_loo.publishercode | html %][% END %]
[% IF ( suggestions_loo.place ) %]([% suggestions_loo.place | html %])[% END %]
[% IF ( suggestions_loo.collectiontitle ) %] , [% suggestions_loo.collectiontitle | html %][% END %]
[% IF ( suggestions_loo.itemtype ) %] - [% AuthorisedValues.GetByCode( 'SUGGEST_FORMAT', suggestions_loo.itemtype, 1 ) | html %][% END %]
</p>
</td>
<td>
[% IF ( suggestions_loo.suggesteddate ) %][% suggestions_loo.suggesteddate |$KohaDates %][% END %]
</td>
<td>
[% IF ( suggestions_loo.note ) %]
<span class="tdlabel">Note: </span>
[% suggestions_loo.note | html %]
[% END %]
</td>
[% IF Koha.Preference( 'OPACViewOthersSuggestions' ) == 1 %]
<td>
[% IF ( suggestions_loo.branchcodesuggestedby ) %]
<span class="tdlabel">Suggested for:</span>
[% suggestions_loo.branchcodesuggestedby | html %]
[% END %]
</td>
[% END %]
[% IF Koha.Preference( 'OpacSuggestionManagedBy' ) %]
<td>
[% IF ( suggestions_loo.surnamemanagedby ) %]
<span class="tdlabel">Managed by:</span>
[% suggestions_loo.surnamemanagedby | html %]
[% IF ( suggestions_loo.firstnamemanagedby ) %] , [% suggestions_loo.firstnamemanagedby | html %]
[% END %]
[% END %]
</td>
[% END %]
<td>
<span class="tdlabel">Status:</span>
[% IF ( suggestions_loo.ASKED ) %]Requested
[% ELSIF ( suggestions_loo.CHECKED ) %]Checked by the library
[% ELSIF ( suggestions_loo.ACCEPTED ) %]Accepted by the library
[% ELSIF ( suggestions_loo.ORDERED ) %]Ordered by the library
[% ELSIF ( suggestions_loo.REJECTED ) %]Suggestion declined
[% ELSIF ( suggestions_loo.AVAILABLE ) %]Available in the library
[% ELSE %] [% AuthorisedValues.GetByCode( 'SUGGEST_STATUS', suggestions_loo.STATUS, 1 ) | html %] [% END %]
[% IF ( suggestions_loo.reason ) %]([% suggestions_loo.reason | html %])[% END %]
</td>
</tr>
[% END # / FOREACH suggestions_loo %]
</tbody>
</table>
[% IF ( loggedinusername ) %]
<fieldset class="action">
<input type="submit" class="btn btn-danger" value="Delete selected" />
</fieldset>
[% END %]
</form>
[% ELSE %]
[% UNLESS Koha.Preference( 'OPACViewOthersSuggestions' ) or loggedinusername %]
<p>You are not authorized to see pending purchase suggestions.</p>
[% ELSE %]
<p>There are no pending purchase suggestions.</p>
[% END %]
[% IF ( loggedinusername || ( Koha.Preference( 'AnonSuggestions' ) == 1 ) ) %]
[% IF ( Koha.Preference('MaxOpenSuggestions') != '' && patrons_pending_suggestions_count >= Koha.Preference('MaxOpenSuggestions') ) %]
<p class="TooManySuggestionsText">You have reached your limit of suggestions you can place at this time.</br>Once the library has processed those suggestions you will be able to place more.</p>
[% ELSE %]
<p><a class="new" href="/cgi-bin/koha/opac-suggestions.pl?op=add">New purchase suggestion</a></p>
[% END %]
[% END %]
[% END # / IF suggestions_loop %]
[% END # IF op_else %]
</div> <!-- / #usersuggestions -->
</div> <!-- / .span10 -->
</div> <!-- / .row-fluid -->
</div> <!-- / .container-fluid -->
</div> <!-- / .main -->
[% INCLUDE 'opac-bottom.inc' %]
[% BLOCK jsinclude %]
[% Asset.js("lib/jquery/plugins/jquery.checkboxes.min.js") | $raw %]
[% INCLUDE 'datatables.inc' %]
<script>
//<![CDATA[
[% IF ( loggedinusername ) %]
function enableCheckboxActions(){
// Enable/disable controls if checkboxes are checked
var checkedBoxes = $(".checkboxed input:checkbox:checked");
if ($(checkedBoxes).size()) {
$("#selections").html(_("With selected suggestions: "));
$("#selections-toolbar .links a").removeClass("disabled");
} else {
$("#selections").html(_("Select suggestions to: "));
$("#selections-toolbar .links a").addClass("disabled");
}
}
[% END %]
$(function() {
$("#suggestt").dataTable($.extend(true, {}, dataTablesDefaults, {
"order": [[ 1, "asc" ]],
"columnDefs": [
[% IF ( loggedinusername ) %]{ "targets": [ 0 ], "sortable": false, "searchable": false }[% END %]
],
"columns": [
[% IF ( loggedinusername ) %]null,[% END %]
{ "type": "anti-the" },
null,
null,
[% IF Koha.Preference( 'OPACViewOthersSuggestions' ) == 1 %]null,[% END %]
[% IF Koha.Preference( 'OpacSuggestionManagedBy' ) %]null,[% END %]
null
]
}));
[% IF ( loggedinusername ) %]$("span.clearall").html("<a id=\"CheckNone\" href=\"#\">"+_("Clear all")+"<\/a>");
$("span.checkall").html("<a id=\"CheckAll\" href=\"#\">"+_("Select all")+"<\/a>");
$("#CheckAll").click(function(){
$(".checkboxed").checkCheckboxes();
enableCheckboxActions();
return false;
});
$("#CheckNone").click(function(){
$(".checkboxed").unCheckCheckboxes();
enableCheckboxActions();
return false;
});
$(".cb").click(function(){
enableCheckboxActions();
});
$("#removeitems").html("<a href=\"#\" class=\"removeitems tag_hides disabled\">"+_("Delete")+"</a>")
.click(function(e){
e.preventDefault();
$("#myform").submit();
return false;
});
enableCheckboxActions();
$("#myform").on('submit', function() {
if ( $("input:checked").size() < 1 ) {
alert(MSG_NO_SUGGESTION_SELECTED);
return false;
}
return true;
});
[% END %]
[% IF ( op_add && mandatoryfields ) %]
{
var FldsRequired = [[% mandatoryfields | html %]];
for (var i = 0; i < FldsRequired.length; i++) {
var rq_input = $('#' + FldsRequired[i]);
if (rq_input.length != 1) continue;
$(rq_input).attr("required", "required");
var rq_label = $("label[for=" + rq_input.attr("id") + "]");
if (rq_label.length != 1) continue;
$(rq_label).addClass('required');
}
}
[% END %]
});
//]]>
</script>
[% END %]
View git blame Copy permalink