Koha-community/Koha
13
7
Fork 0
Code Issues Releases Wiki Activity
Koha/koha-tmpl/intranet-tmpl/prog/en/modules/tools/export.tt
Jonathan Druart dcd1f5d48c Bug 13618: Add html filters to all the variables 
Here we go, next step then.
As we did not fix the performance issue when autofiltering
the variables (see bug 20975), the only solution we have is to add the
filters explicitely.

This patch has been autogenerated (using add_html_filters.pl, see next
pathces) and add the html filter to all the variables displayed in the
template.
Exceptions are made (using the new 'raw' TT filter) to the variable we
already listed in the previous versions of this patch.

To test:
- Use t/db_dependent/Koha/Patrons.t to populate your DB with autogenerated
data which contain <script> tags

- Remove them from borrower_debarments.comments (there are allowed here)
update  borrower_debarments set comment="html tags possible here";

- From the interface hit page and try to catch alert box.
If you find one it means you find a possible XSS.
To know where it comes from:
* note the exact URL where you found it
* note the alert box content
* Dump your DB and search for the string in the dump to identify its
location (for instance table.field)

Next:
* Ideally we would like to use the raw filter when it is not necessary
to HTML escape the variables (in big loop for instance)
* Provide a QA script to catch missing filters (we want html, uri, url
or raw, certainly others that I am forgetting now)
* Replace the html filters with uri when needed (!)

Signed-off-by: Owen Leonard <oleonard@myacpl.org>

Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>

Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
2018-08-17 15:55:05 +00:00

321 lines
11 KiB
Text
Raw Blame History

[% USE raw %]
[% USE Asset %]
[% USE Branches %]
[% SET footerjs = 1 %]
[% INCLUDE 'doc-head-open.inc' %]
<title>Koha &rsaquo; Tools &rsaquo; Export data</title>
[% INCLUDE 'doc-head-close.inc' %]
<style type="text/css">
fieldset.rows fieldset.rows {
width: 90%;
}
</style>
</head>
<body id="tools_export" class="tools">
[% INCLUDE 'header.inc' %]
[% INCLUDE 'cat-search.inc' %]
<div id="breadcrumbs"><a href="/cgi-bin/koha/mainpage.pl">Home</a> &rsaquo; <a href="/cgi-bin/koha/tools/tools-home.pl">Tools</a> &rsaquo; Export data</div>
<div id="doc3" class="yui-t2">
<div id="bd">
<div id="yui-main">
<div class="yui-b">
[% FOR m IN messages %]
<div class="dialog [% m.type | html %]">
[% SWITCH m.code %]
[% CASE 'invalid_mimetype' %]The file used does not have a valid format. Only csv and txt are allowed.
[% CASE %][% m.code | html %]
[% END %]
</div>
[% END %]
<div id="exporttype" class="toptabs">
<ul>
<li><a href="#bibs">Export bibliographic records</a></li>
<li><a href="#auths">Export authority records</a></li>
[% IF ( allow_db_export ) %]
<li><a href="#db">Export database</a></li>
[% END %]
[% IF ( allow_conf_export ) %]
<li><a href="#conf">Export configuration</a></li>
[% END %]
</ul>
<div id="bibs">
<p>
<b>Note : The items are exported by this tool unless specified.</b>
</p>
<form method="post" enctype="multipart/form-data" action="/cgi-bin/koha/tools/export.pl">
<fieldset class="rows">
<legend> Select records to export </legend>
<ol>
<li>
<label for="start">From biblio number: </label>
<input id="start" type="text" name="StartingBiblionumber" size="5" />
</li>
<li>
<label for="end">To biblio number: </label>
<input id="end" type="text" name="EndingBiblionumber" size="5" />
</li>
<li>
<label for="itemtype">Item type: </label>
<select name="itemtype" id="itemtype">
<option value="">-- All --</option>
[% FOREACH itemtype IN itemtypes %]
<option value="[% itemtype.itemtype | html %]">[% itemtype.translated_description | html %]</option>
[% END %]
</select>
</li>
<li>
<label>With items owned by the following libraries: </label>
[% INCLUDE 'branch-selector.inc' branches = libraries %]
</li>
</ol>
<fieldset class="rows">
<legend>Call number range</legend>
<ol>
<li>
<label for="startcn">From item call number: </label>
<input id="startcn" type="text" name="start_callnumber" size="15" />
</li>
<li>
<label for="endcn">To item call number: </label>
<input id="endcn" type="text" name="end_callnumber" size="15" />
</li>
</ol>
</fieldset>
<fieldset class="rows">
<legend>Accession date (inclusive)</legend>
<ol>
<li>
<label for="from">Start date:</label>
<input type="text" size="10" id="from" name="start_accession" value="[% from | html %]" class="datepickerfrom" />
</li>
<li>
<label for="to">End date:</label>
<input size="10" id="to" name="end_accession" value="[% end_accession | html %]" type="text" class="datepickerto" />
</li>
</ol>
</fieldset>
</fieldset>
<fieldset class="rows">
<legend>
Use a file
</legend>
<ol>
<li>File containing a list of biblio numbers with one biblio number per line. This list works as a filter: it is compatible with other parameters. (File types accepted: .csv and .txt)</li>
<li><label for="id_list_file">File: </label> <input type="file" id="id_list_file" name="id_list_file" /></li>
</ol>
</fieldset>
<fieldset class="rows">
<legend> Options</legend>
<ol> <li>
<label for="dont_export_item">Don't export items:</label>
<input id="dont_export_item" type="checkbox" name="dont_export_item" />
</li>
<li>
<label for="strip_items_not_from_libraries">Remove items not owned by selected libraries:</label>
<input id="strip_items_not_from_libraries" type="checkbox" name="strip_items_not_from_libraries" />
</li>
<li>
<label for="export_remove_fields">Don't export fields:</label>
<input id="export_remove_fields" type="text" name="export_remove_fields" value="[% export_remove_fields | html %]" />
separate by a blank. (e.g., 100a 200 606)
</li></ol>
</fieldset>
<fieldset class="rows">
<legend>
Output format
</legend>
<ol><li>
<label for="output_format">File format: </label>
<select id="output_format" name="output_format">
<option value="iso2709">marc</option>
<option value="xml">xml</option>
[% IF csv_profiles %]
<option value="csv">csv</option>
[% ELSE %]
<option value="csv" disabled data-toggle="tooltip" data-placement="left" title="You must create a CSV profile for MARC exports to use this option.">csv</option>
[% END %]
</select>
</li>
<li class="csv_profiles">
<label for="bibs_csv_profile">CSV profile: </label>
<select id="bibs_csv_profile" name="csv_profile_id">
[% FOR csv_profile IN csv_profiles %]
<option value="[% csv_profile.export_format_id | html %]">[% csv_profile.profile | html %]</option>
[% END %]
</select>
</li>
<li>
<label for="filename">File name:</label><input id="filename" type="text" name="filename" value="koha.mrc" />
</li></ol>
</fieldset>
<input type="hidden" name="op" value="export" />
<input type="hidden" name="record_type" value="bibs" />
<fieldset class="action"><input type="submit" value="Export bibliographic records" class="button" /></fieldset>
</form>
</div>
<div id="auths">
<form method="post" enctype="multipart/form-data" action="/cgi-bin/koha/tools/export.pl">
<fieldset class="rows">
<legend> Select records to export </legend>
<ol><li>
<label for="start">From authid: </label>
<input id="start" type="text" name="starting_authid" size="6" />
</li>
<li>
<label for="end">To authid: </label>
<input id="end" type="text" name="ending_authid" size="6" />
</li>
<li>
<label for="authtype">Authority type: </label>
<select name="authtype" id="authtype">
<option value="">-- All --</option>
[% FOREACH authority_type IN authority_types %]
<option value="[% authority_type.authtypecode | html %]">[% authority_type.authtypetext | html %]</option>
[% END %]
</select>
</li>
</ol>
</fieldset>
<fieldset class="rows">
<legend>
Use a file
</legend>
<ol>
<li>File containing a list of authids with one authid per line. This list works as a filter: it is compatible with other parameters. (File types accepted: .csv and .txt)</li>
<li><label for="id_list_file">File:</label> <input type="file" id="id_list_file" name="id_list_file" /></li>
</ol>
</fieldset>
<fieldset class="rows">
<legend>Options</legend>
<ol>
<li>
<label for="export_remove_fields">Don't export fields:</label>
<input id="export_remove_fields" type="text" name="export_remove_fields" />
separate by a blank. (e.g., 100a 200 606)
</li></ol>
</fieldset>
<fieldset class="rows">
<legend>Output format</legend>
<ol><li>
<label for="output_format">File format: </label>
<select id="output_format" name="output_format">
<option value="marc">marc</option>
<option value="xml">xml</option>
</select>
</li>
<li>
<label for="filename">File name:</label><input id="filename" type="text" name="filename" value="koha.mrc" />
</li></ol>
</fieldset>
<input type="hidden" name="op" value="export" />
<input type="hidden" name="record_type" value="auths" />
<fieldset class="action"><input type="submit" value="Export authority records" class="button" /></fieldset>
</form>
</div>
[% IF ( allow_db_export ) %]
<div id="db">
<form method="post" action="/cgi-bin/koha/tools/export.pl">
<p><b>Note : This export file will be very large, and is generated nightly.</b></p>
<fieldset class="rows">
<legend> Choose a file </legend>
[% IF ( dbfiles && (dbfiles.size > 0) ) %]
<ul>
[% FOREACH dbfile IN dbfiles %]
<li><input type="radio" name="filename" value="[% dbfile | html %]">[% dbfile | html %]</input></li>
[% END %]
</ul>
[% ELSE %]
<p>Unfortunately, no backups are available.</p>
[% END %]
</fieldset>
[% IF ( dbfiles && (dbfiles.size > 0) ) %]
<input type="hidden" name="op" value="export" />
<input type="hidden" name="record_type" value="db" />
<fieldset class="action"><input type="submit" value="Download database" class="button" /></fieldset>
[% END %]
</form>
</div>
[% END %]
[% IF ( allow_conf_export ) %]
<div id="conf">
<form method="post" action="/cgi-bin/koha/tools/export.pl">
<p><b>Note : This export file will be very large, and is generated nightly.</b></p>
<fieldset class="rows">
<legend> Choose a file </legend>
[% IF ( conffiles && (conffiles.size > 0) ) %]
<ul>
[% FOREACH conffile IN conffiles %]
<li><input type="radio" name="filename" value="[% conffile | html %]">[% conffile | html %]</input></li>
[% END %]
</ul>
[% ELSE %]
<p>Unfortunately, no backups are available.</p>
[% END %]
</fieldset>
[% IF ( conffiles && (conffiles.size > 0) ) %]
<input type="hidden" name="op" value="export" />
<input type="hidden" name="record_type" value="conf" />
<fieldset class="action"><input type="submit" value="Download configuration" class="button" /></fieldset>
[% END %]
</form>
</div>
[% END %]
</div>
</div>
</div>
<div class="yui-b noprint">
[% INCLUDE 'tools-menu.inc' %]
</div>
</div>
[% MACRO jsinclude BLOCK %]
[% Asset.js("js/tools-menu.js") | $raw %]
[% INCLUDE 'calendar.inc' %]
<script type="text/javascript">
$(document).ready(function() {
$('#exporttype').tabs();
$("li.csv_profiles").hide();
$("#bibs select[name='output_format']").on('change', function(){
var format = $(this).val();
if ( format == 'csv' ) {
$("#bibs li.csv_profiles").show();
} else {
$("#bibs li.csv_profiles").hide();
}
});
$("#checkall").on("click",function(e){
e.preventDefault();
$(".branch_select").prop("checked",1);
});
$("#checknone").on("click",function(e){
e.preventDefault();
$(".branch_select").prop("checked",0);
});
});
</script>
[% END %]
[% INCLUDE 'intranet-bottom.inc' %]
View git blame Copy permalink