Koha-community/Koha
13
7
Fork 0
Code Issues Releases Wiki Activity
Koha/koha-tmpl/intranet-tmpl/prog/en/modules/tools/modborrowers.tt
Jonathan Druart dcd1f5d48c Bug 13618: Add html filters to all the variables 
Here we go, next step then.
As we did not fix the performance issue when autofiltering
the variables (see bug 20975), the only solution we have is to add the
filters explicitely.

This patch has been autogenerated (using add_html_filters.pl, see next
pathces) and add the html filter to all the variables displayed in the
template.
Exceptions are made (using the new 'raw' TT filter) to the variable we
already listed in the previous versions of this patch.

To test:
- Use t/db_dependent/Koha/Patrons.t to populate your DB with autogenerated
data which contain <script> tags

- Remove them from borrower_debarments.comments (there are allowed here)
update  borrower_debarments set comment="html tags possible here";

- From the interface hit page and try to catch alert box.
If you find one it means you find a possible XSS.
To know where it comes from:
* note the exact URL where you found it
* note the alert box content
* Dump your DB and search for the string in the dump to identify its
location (for instance table.field)

Next:
* Ideally we would like to use the raw filter when it is not necessary
to HTML escape the variables (in big loop for instance)
* Provide a QA script to catch missing filters (we want html, uri, url
or raw, certainly others that I am forgetting now)
* Replace the html filters with uri when needed (!)

Signed-off-by: Owen Leonard <oleonard@myacpl.org>

Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>

Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
2018-08-17 15:55:05 +00:00

431 lines
24 KiB
Text
Raw Blame History

[% USE raw %]
[% USE Asset %]
[% USE Koha %]
[% USE KohaDates %]
[% USE Branches %]
[% SET footerjs = 1 %]
[% INCLUDE 'doc-head-open.inc' %]
<title>Koha &rsaquo; Tools &rsaquo; Batch patron modification</title>
[% INCLUDE 'doc-head-close.inc' %]
[% Asset.css("css/datatables.css") | $raw %]
</head>
<body id="tools_modborrowers" class="tools">
[% INCLUDE 'header.inc' %]
[% INCLUDE 'cat-search.inc' %]
<div id="breadcrumbs">
<a href="/cgi-bin/koha/mainpage.pl">Home</a> &rsaquo;
<a href="/cgi-bin/koha/tools/tools-home.pl">Tools</a> &rsaquo;
<a href="/cgi-bin/koha/tools/modborrowers.pl">Batch patron modification</a>
</div>
<div id="doc3" class="yui-t2">
<div id="bd">
<div id="yui-main">
<div class="yui-b">
[% IF ( op == 'show_form' ) %]
<h1>Batch patron modification</h1>
<form method="post" enctype="multipart/form-data" action="/cgi-bin/koha/tools/modborrowers.pl">
<fieldset class="rows">
<legend>Use a file</legend>
<ol>
<li><label for="uploadfile">File: </label> <input type="file" id="uploadfile" name="uploadfile" /></li>
</ol>
</fieldset>
[% IF patron_lists %]
<fieldset class="rows">
<legend>Or use a patron list</legend>
<ol>
<li>
<label for="patron_list_id">Patron list: </label>
<select id="patron_list_id" name="patron_list_id">
<option value=""></option>
[% FOREACH pl IN patron_lists %]
<option value="[% pl.patron_list_id | html %]">[% pl.name | html %]</option>
[% END %]
</select>
</li>
</ol>
</fieldset>
[% END %]
<fieldset class="rows">
<legend>Or list cardnumbers one by one</legend>
<ol>
<li>
<label for="cardnumberlist">Card number list (one cardnumber per line): </label>
<textarea rows="10" cols="30" id="cardnumberlist" name="cardnumberlist">[% cardnumberlist | html %]</textarea>
</li>
</ol>
</fieldset>
<input type="hidden" name="op" value="show" />
<fieldset class="action">
<input type="submit" value="Continue" class="button" />
<a class="cancel" href="/cgi-bin/koha/tools/tools-home.pl">Cancel</a>
</fieldset>
</form>
[% END %]
[% IF ( op == 'show') && (!borrowers) && (!notfoundcardnumbers) # Alert if no patrons given%]
[% op = 'noshow' # Change op to prevent display in code below | html %]
<h1>Batch patrons modification</h1>
<div class="dialog alert">
<p>No patron card numbers given.</p>
<form action="/cgi-bin/koha/tools/modborrowers.pl" method="get">
<button type="submit" class="approve"><i class="fa fa-fw fa-check"></i> OK</button>
</form>
</div>
[% END #Alert if no patrons %]
[% IF ( op == 'show' or op == 'show_results' ) %]
[% IF ( op == 'show' ) %]
<h1>Batch patrons modification</h1>
[% ELSE %]
<h1>Batch patrons results</h1>
[% END %]
[% IF ( notfoundcardnumbers ) %]
<div class="dialog alert"><p>Warning, the following cardnumbers were not found:</p></div>
<table style="margin:auto;">
<thead>
<tr><th>Cardnumbers not found</th></tr>
</thead>
<tbody>
[% FOREACH notfoundcardnumber IN notfoundcardnumbers %]
<tr><td>[% notfoundcardnumber.cardnumber | html %]</td></tr>
[% END %]
</tbody>
</table>
[% END %]
[% IF ( op == 'show_results' ) %]
[% IF ( errors ) %]
<div class="dialog alert">
<h4>Errors occurred:</h4>
<ul class="warnings">
[% FOREACH error IN errors %]
[% IF ( error.error == 'can_not_update' ) %]
<li>Can not update patron.
[% IF ( error.cardnumber ) %] Cardnumber: [% error.cardnumber | html %] [% END %]
(Borrowernumber: [% error.borrowernumber | html %])
</li>
[% ELSE %]
<li>[% error.error | html %]</li>
[% END %]
[% END %]
</ul>
</div>
[% END %]
[% END %]
[% IF ( op == 'show' ) %]
<form name="f" action="modborrowers.pl" method="post">
<input type="hidden" name="op" value="do" />
[% IF ( borrowers ) %]
<div id="toolbar"><a id="selectallbutton" href="#"><i class="fa fa-check"></i> Select all</a> | <a id="clearallbutton" href="#"><i class="fa fa-remove"></i> Clear all</a></div>
[% END %]
[% END %]
[% IF borrowers %]
<div id="cataloguing_additem_itemlist">
<div style="overflow:auto">
<table id="borrowerst">
<thead>
<tr>
[% IF ( op == 'show' ) %]
<th>&nbsp;</th>
[% END %]
<th>Card number</th>
<th>Surname</th>
<th>First name</th>
<th>Library</th>
<th>Category</th>
<th>City</th>
<th>State</th>
<th>ZIP/Postal code</th>
<th>Country</th>
<th class="title-string">Registration date</th>
<th class="title-string">Expiry date</th>
<th>Circulation note</th>
<th>Opac Note</th>
[% FOREACH attrh IN attributes_header %]
<th>[% attrh.attribute | html %]</th>
[% END %]
</tr>
</thead>
<tbody>
[% FOREACH borrower IN borrowers %]
<tr>
[% IF ( op == 'show' ) %]
<td><input type="checkbox" name="borrowernumber" value="[% borrower.borrowernumber | html %]" checked="checked" /></td>
[% END %]
<td><a href="/cgi-bin/koha/members/moremember.pl?borrowernumber=[% borrower.borrowernumber | html %]">[% borrower.cardnumber | html %]</a></td>
<td>[% borrower.surname | html %]</td>
<td>[% borrower.firstname | html %]</td>
<td>[% Branches.GetName( borrower.branchcode ) | html %]</td>
<td>[% borrower.category_description | html %]</td>
<td>[% borrower.city | html %]</td>
<td>[% borrower.state | html %]</td>
<td>[% borrower.zipcode | html %]</td>
<td>[% borrower.country | html %]</td>
<td><span title="[% borrower.dateenrolled | html %]">[% borrower.dateenrolled | $KohaDates %]</span></td>
<td><span title="[% borrower.dateexpiry | html %]">[% borrower.dateexpiry | $KohaDates %]</span></td>
<td>[% borrower.borrowernotes | html %]</td>
<td>[% borrower.opacnote | html %]</td>
[% FOREACH pa IN borrower.patron_attributes %]
[% IF ( pa.code ) %]
<td>[% pa.code | html %]=[% pa.value | html %]</td>
[% ELSE %]
<td></td>
[% END %]
[% END %]
</tr>
[% END %]
</tbody>
</table>
</div>
</div>
[% IF ( op == 'show' ) %]
<div id="cataloguing_additem_newitem">
<h2>Edit patrons</h2>
<div class="hint">Checking the box right next to the label will disable the entry and delete the values of that field on all selected patrons</div>
<fieldset class="rows" id="fields_list">
<ol>
[% FOREACH field IN fields %]
<li>
[% IF ( field.mandatory ) %]
<label for="[% field.name | html %]" class="required">
[% ELSE %]
<label for="[% field.name | html %]">
[% END %]
[% SWITCH ( field.name ) %]
[% CASE 'surname' %]
Surname:
[% CASE 'firstname' %]
First name:
[% CASE 'branchcode' %]
Library:
[% CASE 'categorycode' %]
Category
[% CASE 'city' %]
City
[% CASE 'state' %]
State
[% CASE 'zipcode' %]
ZIP/Postal code
[% CASE 'country' %]
Country
[% CASE 'sort1' %]
Sort 1:
[% CASE 'sort2' %]
Sort 2:
[% CASE 'dateenrolled' %]
Registration date:
[% CASE 'dateexpiry' %]
Expiry date:
[% CASE 'borrowernotes' %]
Circulation note:
[% CASE 'opacnote' %]
OPAC note:
[% END %]
</label>
[% IF ( field.type == 'text' ) %]
<input type="text" name="[% field.name | html %]" value="" />
[% END %]
[% IF ( field.type == 'select' ) %]
[% IF field.option.size %]
<select name="[% field.name | html %]" >
[% FOREACH opt IN field.option %]
<option value="[% opt.value | html %]">[% opt.lib | html %]</option>
[% END %]
</select>
[% ELSE %]
There is no value defined for [% field.name | html %]
[% END %]
[% END %]
[% IF ( field.type == 'date' ) %]
<input type="text" name="[% field.name | html %]" id="[% field.name | html %]" value="" size="10" maxlength="10" class="datepicker" />
<a href="#" class="clear-date" id="clear-date-[% field.name | html %]" ><i class="fa fa-fw fa-trash"></i> Clear</a>
[% END %]
[% IF field.mandatory %]
<input type="checkbox" title="This field is mandatory" name="disable_input" value="[% field.name | html %]" disabled="disabled" readonly="readonly" />
<span class="required">Required fields cannot be cleared</span>
[% ELSE %]
<input type="checkbox" title="Check to delete this field" name="disable_input" value="[% field.name | html %]" />
[% END %]
</li>
[% END %]
[% IF ( patron_attributes_codes ) %]
<li class="attributes">
<label style="width:auto;">Attribute:
<select name="patron_attributes">
<option value=""></option>
[% FOREACH pac IN patron_attributes_codes %]
<option value="[% pac.attribute_code | html %]" data-type="[% pac.type | html %]" data-category="[% pac.category_lib | html %]">[% pac.attribute_lib | html %]</option>
[% END %]
</select>
</label>
<input type="checkbox" title="check to delete this field" name="disable_input" value="attr0_value" />
<span class="patron_attributes_value"></span>
<a href="#" class="add_attributes" title="Add an attribute"><i class="fa fa-fw fa-plus"></i> New</a>
<span class="information_category hint" style="width:25%;float:right;"></span>
</li>
[% END %]
</ol>
</fieldset>
<fieldset class="action">
<input type="submit" name="mainformsubmit" value="Save" />
<a href="/cgi-bin/koha/tools/modborrowers.pl" class="cancel">Cancel</a>
</fieldset>
</div>
</form>
[% END %]
[% END %]
[% END %]
[% IF ( op == 'show_results' ) %]
<p>
<a href="/cgi-bin/koha/tools/modborrowers.pl" title="New batch patrons modification">New batch patron modification</a>
</p>
[% END %]
</div>
</div>
<div class="yui-b">
[% INCLUDE 'tools-menu.inc' %]
</div>
</div>
[% MACRO jsinclude BLOCK %]
[% INCLUDE 'calendar.inc' %]
[% INCLUDE 'datatables.inc' %]
[% Asset.js("js/tools-menu.js") | $raw %]
<script type="text/javascript">
var patron_attributes_lib = new Array();
var patron_attributes_values = new Array();
$(document).ready(function() {
[% IF borrowers %]
$("#borrowerst").dataTable($.extend(true, {}, dataTablesDefaults, {
"sDom": 't',
[% IF ( op == 'show_results' ) %]
"aoColumnDefs": [
{ 'sType': "title-string", 'aTargets' : [ 'title-string'] }
],
[% ELSE %]
"aoColumnDefs": [
{ "aTargets": [ 0 ], "bSortable": false, "bSearchable": false },
{ 'sType': "title-string", 'aTargets' : [ 'title-string'] }
],
[% END %]
"bPaginate": false
}));
$("#selectallbutton").click(function() {
$("#borrowerst").find("input:checkbox").each(function() {
$(this).prop("checked", true);
});
return false;
});
$("#clearallbutton").click(function() {
$("#borrowerst").find("input:checkbox").each(function() {
$(this).prop("checked", false);
});
return false;
});
[% END %]
var values = new Array();
var lib = new Array();
[% FOREACH pav IN patron_attributes_values %]
values = new Array();
lib = new Array();
[% FOREACH option IN pav.options %]
values.push("[% option.lib | html %]");
lib.push("[% option.authorised_value | html %]");
[% END %]
patron_attributes_lib["[% pav.attribute_code | html %]"] = values;
patron_attributes_values["[% pav.attribute_code | html %]"] = lib;
[% END %]
$('select[name="patron_attributes"]').change(function() {
updateAttrValues(this);
} );
$('select[name="patron_attributes"]').change();
$(".clear-date").on("click",function(e){
e.preventDefault();
var fieldID = this.id.replace("clear-date-","");
$("#" + fieldID).val("");
});
$("#cataloguing_additem_newitem").on("click",".add_attributes",function(e){
e.preventDefault();
add_attributes();
});
$("#cataloguing_additem_newitem").on("click",".del_attributes",function(e){
e.preventDefault();
del_attributes(this);
});
});
function updateAttrValues (select_attr) {
var attr_code = $(select_attr).val();
var selected_option = $(select_attr).find("option:selected");
var type = $(selected_option).attr('data-type');
var category = $(selected_option).attr('data-category');
var li_node = $(select_attr).parent().parent();
var span = $(li_node).find('span.patron_attributes_value');
var information_category_node = $(li_node).find('span.information_category');
information_category_node.html("");
if ( category && category.length > 0 ) {
information_category_node.html(_("This attribute will be only applied to the patron's category %s").format(category));
}
var disable_input_node = $(li_node).find("input:checkbox[name='disable_input']");
if ( type == 'select' ) {
var options = '<option value = ""></option>';
for ( var i = 0 ; i < patron_attributes_values[attr_code].length ; i++ ) {
options += '<option value="'+patron_attributes_values[attr_code][i]+'">'+patron_attributes_lib[attr_code][i]+'</option>';
}
span.html('<select name="patron_attributes_value">' + options + '</select>');
$(disable_input_node).show();
} else if ( $(selected_option).val() != "" ) {
span.html('<input type="text" name="patron_attributes_value"/>');
$(disable_input_node).show();
} else {
span.html('');
$(disable_input_node).hide();
}
}
function add_attributes() {
var li_node = $("li.attributes:last");
var li_clone = $(li_node).clone();
if ( $(li_clone).find("a.del_attributes").length == 0 ) {
$(li_clone).append('<a href="#" title="' + _("Delete") + '" class="del_attributes"><i class="fa fa-fw fa-trash"></i> ' + _("Delete") + '</a>');
}
$(li_clone).find('select[name="patron_attributes"]').change(function() {
updateAttrValues(this);
} );
$(li_clone).find('select[name="patron_attributes"]').change();
$("#fields_list>ol").append(li_clone);
update_attr_values();
}
function del_attributes(a_node) {
$(a_node).parent('li').remove();
update_attr_values();
}
function update_attr_values() {
$("li.attributes").each(function(i) {
$(this).find("input:checkbox").val("attr"+i+"_value");
});
}
function clearDate(nodeid) {
$("#"+nodeid).val("");
}
</script>
[% END %]
[% INCLUDE 'intranet-bottom.inc' %]
View git blame Copy permalink