Koha-community/Koha
13
7
Fork 0
Code Issues Releases Wiki Activity
Koha/koha-tmpl/intranet-tmpl/prog/en/modules/members/member-flags.tt
Jonathan Druart dcd1f5d48c Bug 13618: Add html filters to all the variables 
Here we go, next step then.
As we did not fix the performance issue when autofiltering
the variables (see bug 20975), the only solution we have is to add the
filters explicitely.

This patch has been autogenerated (using add_html_filters.pl, see next
pathces) and add the html filter to all the variables displayed in the
template.
Exceptions are made (using the new 'raw' TT filter) to the variable we
already listed in the previous versions of this patch.

To test:
- Use t/db_dependent/Koha/Patrons.t to populate your DB with autogenerated
data which contain <script> tags

- Remove them from borrower_debarments.comments (there are allowed here)
update  borrower_debarments set comment="html tags possible here";

- From the interface hit page and try to catch alert box.
If you find one it means you find a possible XSS.
To know where it comes from:
* note the exact URL where you found it
* note the alert box content
* Dump your DB and search for the string in the dump to identify its
location (for instance table.field)

Next:
* Ideally we would like to use the raw filter when it is not necessary
to HTML escape the variables (in big loop for instance)
* Provide a QA script to catch missing filters (we want html, uri, url
or raw, certainly others that I am forgetting now)
* Replace the html filters with uri when needed (!)

Signed-off-by: Owen Leonard <oleonard@myacpl.org>

Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>

Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
2018-08-17 15:55:05 +00:00

196 lines
8.5 KiB
Text
Raw Blame History

[% USE raw %]
[% USE Asset %]
[% USE Branches %]
[% SET footerjs = 1 %]
[% PROCESS 'permissions.inc' %]
[% INCLUDE 'doc-head-open.inc' %]
<title>Koha &rsaquo; Patrons &rsaquo; Set permissions for [% patron.surname | html %], [% patron.firstname | html %]</title>
[% Asset.css("css/treeview/jquery.treeview.css") | $raw %]
[% INCLUDE 'doc-head-close.inc' %]
</head>
<body id="pat_member-flags" class="pat">
[% INCLUDE 'header.inc' %]
[% INCLUDE 'patron-search.inc' %]
<div id="breadcrumbs"><a href="/cgi-bin/koha/mainpage.pl">Home</a> &rsaquo; <a href="/cgi-bin/koha/members/members-home.pl">Patrons</a> &rsaquo; Set permissions for [% patron.surname | html %], [% patron.firstname | html %]</div>
<div id="doc3" class="yui-t2">
<div id="bd">
<div id="yui-main">
<div class="yui-b">
[% INCLUDE 'members-toolbar.inc' %]
<form method="post" action="/cgi-bin/koha/members/member-flags.pl">
<input type="hidden" name="csrf_token" value="[% csrf_token | html %]" />
<input type="hidden" name="member" id="borrowernumber" value="[% patron.borrowernumber | html %]" />
<input type="hidden" name="newflags" value="1" />
<h1>Set permissions for [% patron.surname | html %], [% patron.firstname | html %]</h1>
<!-- <ul id="permissionstree"><li class="root">All privileges<ul> -->
<ul id="permissionstree" class="treeview-grey">
<!-- <li class="folder-close">One level down<ul> -->
[% FOREACH loo IN loop %]
[% IF ( loo.expand ) %]
<li class="open">
[% ELSE %]
<li>
[% END %]
[% IF ( loo.checked ) %]
[% IF disable_superlibrarian_privs && loo.bit == 0 %]
<input type="checkbox" disabled="disabled" class="flag parent superlib" id="flag-[% loo.bit | html %]_disabled" name="flag" value="[% loo.flag | html %]" checked="checked" title="The system preference ProtectSuperlibrarianPrivileges is enabled" />
<input type="hidden" id="flag-[% loo.bit | html %]" name="flag" value="[% loo.flag | html %]" >
[% ELSE %]
<input type="checkbox" class="flag parent" id="flag-[% loo.bit | html %]" name="flag" value="[% loo.flag | html %]" checked="checked" />
[% END %]
[% ELSE %]
[% IF disable_superlibrarian_privs && loo.bit == 0 %]
<input type="checkbox" disabled="disabled" class="flag parent" id="flag-[% loo.bit | html %]_disabled" name="flag" value="[% loo.flag | html %]" title="The system preference ProtectSuperlibrarianPrivileges is enabled" />
[% ELSE %]
<input type="checkbox" class="flag parent" id="flag-[% loo.bit | html %]" name="flag" value="[% loo.flag | html %]" />
[% END %]
[% END %]
<label class="permissioncode" for="flag-[% loo.bit | html %]">[% loo.flag | html %]</label>
<span class="permissiondesc">[% PROCESS main_permissions name=loo.flag %]</span>
[% IF ( loo.sub_perm_loop ) %]
<ul id="flag-[% loo.bit | html %]-children">
[% FOREACH sub_perm_loo IN loo.sub_perm_loop %]
<li>
[% IF ( sub_perm_loo.checked ) %]
<input type="checkbox" class="flag child" id="[% sub_perm_loo.id | html %]" name="flag" value="[% sub_perm_loo.perm | html %]" checked="checked" />
[% ELSE %]
<input type="checkbox" class="flag child" id="[% sub_perm_loo.id | html %]" name="flag" value="[% sub_perm_loo.perm | html %]" />
[% END %]
<label class="permissioncode" for="[% sub_perm_loo.id | html %]">[% sub_perm_loo.code | html %]</label>
<span class="permissiondesc">[% PROCESS sub_permissions name=sub_perm_loo.code %]</span>
</li>
[% END %]
</ul>
</li>
[% ELSE %]
</li>
[% END %]
[% END %]
<!-- </ul></li> -->
<!-- </ul></li></ul> -->
</ul>
<fieldset class="action"><input type="submit" value="Save" /> <a class="cancel" href="/cgi-bin/koha/members/moremember.pl?borrowernumber=[% patron.borrowernumber | html %]">Cancel</a></fieldset>
</form>
</div>
</div>
<div class="yui-b">
[% INCLUDE 'circ-menu.inc' %]
</div>
</div>
[% MACRO jsinclude BLOCK %]
[% INCLUDE 'str/members-menu.inc' %]
[% Asset.js("js/members-menu.js") | $raw %]
[% Asset.js("lib/jquery/plugins/jquery.treeview.pack.js") | $raw %]
<!-- set up tree -->
<script type="text/javascript">
$(document).ready(function() {
$("#permissionstree").treeview({animated: "fast", collapsed: true});
// Enforce Superlibrarian Privilege Mutual Exclusivity
if( $('input[id="flag-0"]:checked').length || $(".superlib:checked").length ){
if ($('input[name="flag"]:checked').length > 1){
alert(_("Inconsistency detected! The superlibrarian privilege is mutually exclusive of other privileges, as it includes them all. This patron's privileges will now be reset to include only superlibrarian."));
}
$('input[name="flag"]').each(function() {
if($(this).attr('id') != "flag-0" && !$(this).hasClass('superlib') ){
$(this).prop('disabled', true);
$(this).prop('checked', false);
}
});
}
$('input#flag-0').click(function() {
if( $('input[id="flag-0"]:checked').length || $(".superlib:checked").length ){
$('input[name="flag"]').each(function() {
if($(this).attr('id') != "flag-0" && !$(this).hasClass('superlib') ){
$(this).prop('disabled', true);
$(this).prop('checked', false);
}
});
}
else {
$('input[name="flag"]').each(function() {
$(this).prop('disabled', false);
});
}
});
$(".flag").on("change",function(){
if( $(this).hasClass("parent") ){
toggleChildren(this);
} else {
toggleParent(this);
}
});
});
// manage checking/unchecking parent permissions
var originalChildStates = {}; /* keep track of subpermission checkbox values
so that user can recover from accidentally
toggling a parent/module permission */
function selectChildren(parentInput) {
var childListId = parentInput.id + '-children';
var list = document.getElementById(childListId);
var children = [];
if (list) {
var inputs = list.getElementsByTagName('input');
for (var i = 0; i < inputs.length; i++) {
if (inputs[i].type == 'checkbox') {
children.push(inputs[i]);
}
}
}
return children;
}
function toggleChildren(parentInput) {
var children = selectChildren(parentInput);
if (children.length == 0) {
return;
}
var checked = parentInput.checked;
if (checked && parentInput.parentNode.className == 'expandable') {
/* expand the tree */
$(".hitarea", parentInput.parentNode).click();
}
for (var i = 0; i < children.length; i++) {
if (checked) {
originalChildStates[children[i].id] = children[i].checked;
children[i].checked = checked;
} else {
if (children[i].id in originalChildStates) {
children[i].checked = originalChildStates[children[i].id];
} else {
children[i].checked = checked;
}
}
}
}
function toggleParent(childInput) {
originalChildStates[childInput.id] = childInput.checked;
if (childInput.checked) {
return;
}
var parentId = childInput.parentNode.parentNode.id.replace(/-children$/, '');;
var parentInput = document.getElementById(parentId);
if (parentInput) {
parentInput.checked = false;
}
}
</script>
[% END %]
[% INCLUDE 'intranet-bottom.inc' %]
View git blame Copy permalink