Chris Cormack
4e817ee04c
To test 1/ Hit a url like http://localhost:8080/cgi-bin/koha/opac-sendshelf.pl?email=%3Cscript%3Ealert(%27XSS%27)%3C%2Fscript%3Ezz%40zz&comment=tes&shelfid=4 2/ Notice you get a js alert 3/ Apply patch 4/ Notice the js is now escaped Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org> Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com> Signed-off-by: Brendan Gallagher <brendan@bywatersolutions.com>
58 lines
3.2 KiB
Text
58 lines
3.2 KiB
Text
[% INCLUDE 'doc-head-open.inc' %]
|
|
<title>[% IF ( LibraryNameTitle ) %][% LibraryNameTitle %][% ELSE %]Koha online[% END %] catalog › Sending your list</title>
|
|
[% INCLUDE 'doc-head-close.inc' %]
|
|
[% BLOCK cssinclude %][% END %]
|
|
</head>
|
|
[% INCLUDE 'bodytag.inc' bodyid='sendshelf' bodyclass='popup' %]
|
|
<div class="main">
|
|
<div class="container-fluid">
|
|
<div class="row-fluid">
|
|
<div class="span12">
|
|
<div id="usersendshelfform">
|
|
[% IF ( email ) %]
|
|
[% IF ( SENT ) %]
|
|
<h1>Message sent</h1>
|
|
<div class="alert alert-success">
|
|
<p>The list was sent to: [% email | html %]</p>
|
|
</div>
|
|
<p><a class="focus close" href="/cgi-bin/koha/opac-shelves.pl?op=view&shelfnumber=[% shelfid %]">Back to lists</a></p>
|
|
[% END %]
|
|
[% IF ( error ) %]
|
|
<div class="alert">
|
|
<p>There was an error sending the list.</p>
|
|
</div>
|
|
[% END %]
|
|
[% ELSE %]
|
|
[% IF ( invalidlist ) %]
|
|
<div class="alert">
|
|
<p>You do not have permission to send this list.</p>
|
|
</div>
|
|
<p><a class="button close" href="/cgi-bin/koha/opac-shelves.pl?op=view&shelfnumber=[% shelfid %]">Back to lists</a></p>
|
|
[% ELSE %]
|
|
<h1>Sending your list</h1>
|
|
<form action="/cgi-bin/koha/opac-sendshelf.pl" method="post" id="sendshelfform">
|
|
<fieldset>
|
|
<label for="email">Email address:</label>
|
|
<input type="text" id="email" name="email" size="43" class="focus" />
|
|
|
|
<label for="comment">Comment:</label>
|
|
<textarea id="comment" name="comment" rows="4" cols="40"></textarea>
|
|
|
|
<input type="hidden" name="shelfid" value="[% shelfid %]" />
|
|
</fieldset>
|
|
<fieldset class="action">
|
|
<input type="submit" value="Send" class="btn" />
|
|
<a class="cancel close" href="/cgi-bin/koha/opac-shelves.pl?op=view&shelfnumber=[% shelfid %]">Cancel</a>
|
|
</fieldset>
|
|
</form>
|
|
|
|
[% END # / IF invalidlist %]
|
|
[% END # / IF email %]
|
|
</div> <!-- / #usersendshelfform -->
|
|
</div> <!-- / .span12 -->
|
|
</div> <!-- / .row-fluid -->
|
|
</div> <!-- / .container-fluid -->
|
|
</div> <!-- / .main -->
|
|
|
|
[% INCLUDE 'opac-bottom.inc' is_popup=1 %]
|
|
[% BLOCK jsinclude %][% END %]
|