Koha/koha-tmpl/intranet-tmpl/prog/en/modules/serials/serials-search.tt
Chris d87b8a5cf3 Bug 14423: Multiple XSS vulnerabilities in serials-search
To test

1/ Hit a url like http://localhost:8081/cgi-bin/koha/serials/serials-search.pl?bookseller_filter=%22%22%22%3E%3Cscript%3Ealert%28%27oh%20noes%27%29%3C/script%3E&searched=1&title_filter=
2/ Notice alert boxes
3/ Apply patch
4/ Reload, notice fixed

Repeat for
callnumber_filter
EAN_filter
ISSN_filter
publisher_filter
title_filter

Signed-off-by: Jonathan Druart <jonathan.druart@koha-community.org>

Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
2015-06-23 10:12:26 -03:00


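[% USE Branches %]
[% INCLUDE 'doc-head-open.inc' %]
[% USE KohaDates %]
[% USE AuthorisedValues %]
[%# biblionumber is not referenced anywhere else in this template; if the script does pass one, it is escaped here like every other value interpolated into markup %]
<title>Koha &rsaquo; Serials [% biblionumber | html %]</title>
[% INCLUDE 'doc-head-close.inc' %]
[% INCLUDE 'calendar.inc' %]
<link rel="stylesheet" type="text/css" href="[% themelang %]/css/datatables.css" />
[% INCLUDE 'datatables.inc' %]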
<script type="text/javascript">
//<![CDATA[
// Page behaviour for the serials search results: the two result tables become
// DataTables with per-column footer filters, the open/closed panes become
// jQuery UI tabs, and the "Reopen" action asks for confirmation first.
$(document).ready(function() {
    // Column definitions for the open-subscriptions table (#osrlt).
    var openedColumnDefs = [
        { "bSortable": false, "bSearchable": false, "aTargets": [ "NoSort" ] },
        { "sType": "title-string", "aTargets": [ "title-string" ] },
        { "sType": "anti-the", "aTargets": [ "anti-the" ] }
    ];
    // Column definitions for the closed-subscriptions table (#csrlt); it has no
    // expiration-date column, so no "title-string" sorter is configured.
    var closedColumnDefs = [
        { "bSortable": false, "aTargets": [ "NoSort" ] },
        { "sType": "anti-the", "aTargets": [ "anti-the" ] }
    ];
    // Both tables build on dataTablesDefaults (from datatables.inc) and the
    // four-button pager; only the column definitions differ.
    function buildTable(selector, columnDefs) {
        return $(selector).dataTable($.extend(true, {}, dataTablesDefaults, {
            "sPaginationType": "four_button",
            "aoColumnDefs": columnDefs
        }));
    }
    var openedTable = buildTable("#osrlt", openedColumnDefs);
    var closedTable = buildTable("#csrlt", closedColumnDefs);
    // Wire the <input class="dt-filter"> boxes in each <tfoot> to their column;
    // the 750 is presumably a debounce delay in ms (see fnAddFilters in datatables.inc).
    openedTable.fnAddFilters("dt-filter", 750);
    closedTable.fnAddFilters("dt-filter", 750);
    $("#serialstabs").tabs();
    // NOTE(review): id="reopensub" is rendered inside the closed-subscriptions
    // FOREACH, so a result set with several reopenable rows carries duplicate ids
    // and this selector only reaches the first of them — confirm; a class would
    // be the usual way to bind every row.
    $("#reopensub").click(function() {
        return confirm(_("Are you sure you want to reopen this subscription?"));
    });
});
//]]>
</script>
<style type="text/css">input.dt-filter { width : 100%; font-size : 85%; }</style>
</head>
<body id="ser_serials-home" class="ser">
[% INCLUDE 'header.inc' %]
[% INCLUDE 'serials-search.inc' %]
[%# Breadcrumb: once a search has been run (done_searched) "Serials" links back to serials-home.pl and the trailing crumb becomes "Search results" %]
<div id="breadcrumbs"><a href="/cgi-bin/koha/mainpage.pl">Home</a> &rsaquo; [% IF ( done_searched ) %]<a href="/cgi-bin/koha/serials/serials-home.pl">Serials</a> &rsaquo; Search results[% ELSE %]Serials [% END %] </div>
<div id="doc3" class="yui-t2">
<div id="bd">
<div id="yui-main">
<div class="yui-b">
[% INCLUDE 'serials-toolbar.inc' %]
[%# total: number of matching subscriptions reported by the script; rendered unescaped, so it is assumed to be numeric -- confirm against serials-search.pl %]
<h2>Serials subscriptions ([% total %] found)</h2>
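[% UNLESS ( done_searched ) %]
[%# Initial search form, shown before any search has been run. The text inputs echo the current query-string values back, so each is HTML-escaped (Bug 14423). The library and location option lists are escaped too: presumably they come from the database rather than the URL, but they are still rendered into attribute and element content. %]
<div id="advsearch" style="padding-bottom:3em;">
<form action="/cgi-bin/koha/serials/serials-search.pl" method="get">
<fieldset class="rows">
<legend>Search subscriptions</legend>
<ol>
<li>
<label for="issn">ISSN:</label>
<input type="text" id="issn" name="ISSN_filter" value="[% ISSN_filter | html %]" />
</li>
<li>
<label for="title">Title:</label>
<input type="text" id="title" name="title_filter" value="[% title_filter | html %]" />
</li>
[% IF ( marcflavour == "UNIMARC" ) %]
<li>
<label for="ean">EAN:</label>
<input type="text" id="ean" name="EAN_filter" value="[% EAN_filter | html %]" />
</li>
[% END %]
<li>
<label for="callnumber">Call number:</label>
<input type="text" id="callnumber" name="callnumber_filter" value="[% callnumber_filter | html %]" />
</li>
<li>
<label for="publisher">Publisher:</label>
<input type="text" id="publisher" name="publisher_filter" value="[% publisher_filter | html %]" />
</li>
<li>
<label for="bookseller">Vendor:</label>
<input type="text" id="bookseller" name="bookseller_filter" value="[% bookseller_filter | html %]" />
</li>
<li>
<label for="branch">Library:</label>
<select id="branch" name="branch_filter">
<option value="">All</option>
[% FOREACH branch IN branches_loop %]
[% IF ( branch.selected ) %]
<option selected="selected" value="[% branch.branchcode | html %]">[% branch.branchname | html %]</option>
[% ELSE %]
<option value="[% branch.branchcode | html %]">[% branch.branchname | html %]</option>
[% END %]
[% END %]
</select>
</li>
[% IF locations %]
<li>
<label for="location">Location:</label>
[%# id="location" is the target of the label's for= attribute above %]
<select id="location" name="location_filter">
<option value="">All</option>
[% FOR loc IN locations %]
[% IF loc.selected %]
<option value="[% loc.authorised_value | html %]" selected="selected">[% loc.lib | html %]</option>
[% ELSE %]
<option value="[% loc.authorised_value | html %]">[% loc.lib | html %]</option>
[% END %]
[% END %]
</select>
</li>
[% END %]
<li>
<label for="to">Expires before:</label>
<input type="text" id="to" name="expiration_date_filter" value="[% expiration_date_filter | $KohaDates %]" size="10" maxlength="10" class="datepickerto" />
</li>
</ol>
<input type="hidden" name="searched" value="1" />
<fieldset class="action">
<input type="submit" value="Search" />
</fieldset>
</fieldset>
</form>
</div>
[% END %]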
[% IF ( done_searched ) %]
[% IF ( total ) %]
[%# Results view: open and closed subscriptions are presented as two jQuery UI tabs (the #serialstabs script in the head activates them); the tab labels show the size of each list %]
<div id="serialstabs" class="toptabs" style="clear:both;">
<ul class="ui-tabs-nav">
<li><a href="#opened">Open ([% openedsubscriptions.size || 0 %])</a></li>
<li><a href="#closed">Closed ([% closedsubscriptions.size || 0 %])</a></li>
</ul>
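<div id="opened">
[% IF openedsubscriptions %]
[%# Open subscriptions. Every value taken from the subscription record (ISSN, title, notes, call number, library and location names, dates) is HTML-escaped: the query-string filters fixed by Bug 14423 are not the only values this page renders into markup. %]
<table id="osrlt">
<thead>
<tr>
<th>ISSN</th>
<th class="anti-the">Title</th>
<th>Notes</th>
<th>Library</th>
<th>Location</th>
<th>Call number</th>
<th class="title-string">Expiration date</th>
<th class="NoSort">Actions</th>
</tr>
</thead>
<tfoot>
<tr>
<td><input type="text" class="dt-filter" data-column_num="0" placeholder="Search ISSN" /></td>
<td><input type="text" class="dt-filter" data-column_num="1" placeholder="Search title" /></td>
<td><input type="text" class="dt-filter" data-column_num="2" placeholder="Search notes" /></td>
<td><input type="text" class="dt-filter" data-column_num="3" placeholder="Search library" /></td>
<td><input type="text" class="dt-filter" data-column_num="4" placeholder="Search location" /></td>
<td><input type="text" class="dt-filter" data-column_num="5" placeholder="Search callnumber" /></td>
<td><input type="text" class="dt-filter" data-column_num="6" placeholder="Search expiration date" /></td>
<td></td>
</tr>
</tfoot>
<tbody>
[% FOREACH subscription IN openedsubscriptions %]
[% UNLESS subscription.cannotdisplay %]
<tr>
<td>
[% IF ( subscription.issn ) %][% subscription.issn | html %]
[% END %]
</td>
<td><a href="/cgi-bin/koha/serials/subscription-detail.pl?subscriptionid=[% subscription.subscriptionid | uri %]" class="button" title="subscription detail">[% subscription.title | html %]</a>
</td>
<td>[% IF ( subscription.publicnotes ) %][% subscription.publicnotes | html %][% END %]
[% IF ( subscription.internalnotes ) %]([% subscription.internalnotes | html %])[% END %]
</td>
<td>
[% IF ( subscription.branchcode ) %][% Branches.GetName( subscription.branchcode ) | html %][% END %]
</td>
<td>
[% IF ( subscription.location ) %][% AuthorisedValues.GetByCode( 'LOC', subscription.location ) | html %][% END %]
</td>
<td>
[% IF ( subscription.callnumber ) %][% subscription.callnumber | html %][% END %]
</td>
<td>
[%# The span title carries the raw date for the "title-string" column sorter (presumably it sorts on the title attribute); "0000-00-00" keeps rows without an end date sortable %]
[% IF ( subscription.enddate ) %]
<span title="[% subscription.enddate | html %]">[% subscription.enddate | $KohaDates %]</span>
[% ELSE %]
<span title="0000-00-00"></span>
[% END %]
</td>
<td>
<div class="dropdown">
<a class="btn btn-mini dropdown-toggle" id="subactions[% subscription.subscriptionid | html %]" role="button" data-toggle="dropdown" href="#">
Actions <b class="caret"></b>
</a>
<ul class="dropdown-menu pull-right" role="menu" aria-labelledby="subactions[% subscription.subscriptionid | html %]">
[% IF ( routing && CAN_user_serials_routing ) %]
[% IF ( subscription.cannotedit ) %]
[% ELSE %]
[% IF ( subscription.routingedit ) %]
<li>
<a href="/cgi-bin/koha/serials/routing.pl?subscriptionid=[% subscription.subscriptionid | uri %]"><i class="icon-pencil"></i> Edit routing list ([% subscription.routingedit | html %])</a>
</li>
[% ELSE %]
<li>
<a href="/cgi-bin/koha/serials/routing.pl?subscriptionid=[% subscription.subscriptionid | uri %]&amp;op=new"> <i class="icon-plus"></i> New routing list</a>
</li>
[% END %]
[% END %]
[% END # IF ( routing && CAN_user_serials_routing ) %]
<li>
<a href="/cgi-bin/koha/serials/serials-collection.pl?subscriptionid=[% subscription.subscriptionid | uri %]"><i class="icon-list-alt"></i> Issue history</a>
</li>
[% IF ( CAN_user_serials_receive_serials ) %]
<li>
<a href="/cgi-bin/koha/serials/serials-edit.pl?subscriptionid=[% subscription.subscriptionid | uri %]&amp;serstatus=1,3,7"> <i class="icon-inbox"></i> Serial receive</a>
</li>
[% END %]
</ul>
</div>
</td>
</tr>
[% END %]
[% END %]
</tbody>
</table>
[% ELSE %]
<div class="dialog message">
<p>Your search returned no open subscriptions.</p>
</div>
[% END %]
</div>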
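<div id="closed">
[% IF closedsubscriptions %]
[%# Closed subscriptions. As in the open table, every value taken from the subscription record is HTML-escaped and every value placed in a query string is URI-escaped. Note this table reads subscription.notes where the open table reads subscription.publicnotes -- presumably the two lists are built differently; confirm before unifying. %]
<table id="csrlt">
<thead>
<tr>
<th>ISSN</th>
<th class="anti-the">Title</th>
<th>Notes</th>
<th>Library</th>
<th>Location</th>
<th>Call number</th>
<th class="NoSort">Actions</th>
</tr>
</thead>
<tfoot>
<tr>
<td><input type="text" class="dt-filter" data-column_num="0" placeholder="Search ISSN" /></td>
<td><input type="text" class="dt-filter" data-column_num="1" placeholder="Search title" /></td>
<td><input type="text" class="dt-filter" data-column_num="2" placeholder="Search notes" /></td>
<td><input type="text" class="dt-filter" data-column_num="3" placeholder="Search library" /></td>
<td><input type="text" class="dt-filter" data-column_num="4" placeholder="Search location" /></td>
<td><input type="text" class="dt-filter" data-column_num="5" placeholder="Search callnumber" /></td>
<td></td>
</tr>
</tfoot>
<tbody>
[% FOREACH subscription IN closedsubscriptions %]
[% UNLESS subscription.cannotdisplay %]
<tr>
<td>
[% IF ( subscription.issn ) %]
[% subscription.issn | html %]
[% END %]
</td>
<td>
<a href="/cgi-bin/koha/serials/subscription-detail.pl?subscriptionid=[% subscription.subscriptionid | uri %]" class="button" title="subscription detail">[% subscription.title | html %]</a>
</td>
<td>
[% IF ( subscription.notes ) %][% subscription.notes | html %][% END %]
[% IF ( subscription.internalnotes ) %]([% subscription.internalnotes | html %])[% END %]
</td>
<td>
[% IF ( subscription.branchcode ) %][% Branches.GetName( subscription.branchcode ) | html %][% END %]
</td>
<td>
[% IF ( subscription.location ) %][% AuthorisedValues.GetByCode( 'LOC', subscription.location ) | html %][% END %]
</td>
<td>
[% IF ( subscription.callnumber ) %][% subscription.callnumber | html %][% END %]
</td>
<td>
<div class="dropdown">
<a class="btn btn-mini dropdown-toggle" id="closedsubactions[% subscription.subscriptionid | html %]" role="button" data-toggle="dropdown" href="#">
Actions <b class="caret"></b>
</a>
<ul class="dropdown-menu pull-right" role="menu" aria-labelledby="closedsubactions[% subscription.subscriptionid | html %]">
[% IF ( routing && CAN_user_serials_routing ) %]
[% UNLESS ( subscription.cannotedit ) %]
<li>
[%# The reopen link re-runs the current search after reopening, so it carries the search filters along. The publisher parameter must be named publisher_filter to match the search form's input (it was previously spelled published_filter and so was dropped). The callnumber, location and expiration-date filters are not carried over. %]
[%# NOTE(review): reopening is a state change triggered by a plain GET link; a POST form would be the conventional shape for it -- confirm how serials-search.pl guards op=reopen. Also, id="reopensub" repeats once per row, so the confirm() handler in the head script only binds to the first one -- confirm. %]
<a href="/cgi-bin/koha/serials/serials-search.pl?subscriptionid=[% subscription.subscriptionid | uri %]&amp;op=reopen&amp;routing=[% subscription.routing | uri %]&amp;searched=1&amp;title_filter=[% title_filter | uri %]&amp;ISSN_filter=[% ISSN_filter | uri %]&amp;EAN_filter=[% EAN_filter | uri %]&amp;publisher_filter=[% publisher_filter | uri %]&amp;bookseller_filter=[% bookseller_filter | uri %]&amp;branch_filter=[% branch_filter | uri %]" id="reopensub"> <i class="icon-repeat"></i> Reopen</a>
</li>
[% END %]
[% END # IF ( routing && CAN_user_serials_routing ) %]
<li>
<a href="/cgi-bin/koha/serials/serials-collection.pl?subscriptionid=[% subscription.subscriptionid | uri %]"><i class="icon-list-alt"></i> Issue history</a>
</li>
</ul>
</div>
</td>
</tr>
[% END %]
[% END %]
</tbody>
</table>
[% ELSE %]
<div class="dialog message">
<p>Your search returned no closed subscriptions.</p>
</div>
[% END %]
</div>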
</div>
[%# ELSE of IF ( total ): nothing matched at all, so neither tab is rendered %]
[% ELSE %]
<div class="dialog message">
<p>Your search returned no results.</p>
</div>
[% END %]
[%# END IF ( done_searched ) %]
[% END %]
</div>
</div>
[%# Right-hand column: serials menu, followed (after a search) by a compact copy of the search form %]
<div class="yui-b">
[% INCLUDE 'serials-menu.inc' %]
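[% IF ( done_searched ) %]
[%# Compact search form shown in the sidebar after a search. It mirrors the initial form above: filter inputs echo the query-string values and are HTML-escaped (Bug 14423), as are the library and location option lists. The div#advsearch wrapper is closed after the form, not inside the fieldset. %]
<div id="advsearch">
<form action="/cgi-bin/koha/serials/serials-search.pl" method="get">
<fieldset class="brief">
<h4>Search subscriptions</h4>
<ol>
<li>
<label for="issn">ISSN:</label>
<input type="text" id="issn" name="ISSN_filter" value="[% ISSN_filter | html %]" />
</li>
<li>
<label for="title">Title:</label>
<input type="text" id="title" name="title_filter" value="[% title_filter | html %]" />
</li>
[% IF ( marcflavour == "UNIMARC" ) %]
<li>
<label for="ean">EAN:</label>
<input type="text" id="ean" name="EAN_filter" value="[% EAN_filter | html %]" />
</li>
[% END %]
<li>
<label for="callnumber">Call number:</label>
<input type="text" id="callnumber" name="callnumber_filter" value="[% callnumber_filter | html %]" />
</li>
<li>
<label for="publisher">Publisher:</label>
<input type="text" id="publisher" name="publisher_filter" value="[% publisher_filter | html %]" />
</li>
<li>
<label for="bookseller">Vendor:</label>
<input type="text" id="bookseller" name="bookseller_filter" value="[% bookseller_filter | html %]" />
</li>
<li>
<label for="branch">Library:</label>
<select id="branch" name="branch_filter">
<option value="">All</option>
[% FOREACH branch IN branches_loop %]
[% IF ( branch.selected ) %]
<option selected="selected" value="[% branch.branchcode | html %]">[% branch.branchname | html %]</option>
[% ELSE %]
<option value="[% branch.branchcode | html %]">[% branch.branchname | html %]</option>
[% END %]
[% END %]
</select>
</li>
[% IF locations %]
<li>
<label for="location">Location:</label>
[%# id="location" is the target of the label's for= attribute above %]
<select id="location" name="location_filter">
<option value="">All</option>
[% FOR loc IN locations %]
[% IF loc.selected %]
<option value="[% loc.authorised_value | html %]" selected="selected">[% loc.lib | html %]</option>
[% ELSE %]
<option value="[% loc.authorised_value | html %]">[% loc.lib | html %]</option>
[% END %]
[% END %]
</select>
</li>
[% END %]
<li>
<label for="to">Expires before:</label>
<input type="text" id="to" name="expiration_date_filter" value="[% expiration_date_filter | $KohaDates %]" size="10" maxlength="10" class="datepickerto" />
</li>
</ol>
<input type="hidden" name="searched" value="1" />
<fieldset class="action">
<input type="submit" value="Search" />
</fieldset>
</fieldset>
</form>
</div>
[% END %]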
[%# close div.yui-b (sidebar) and div#bd; intranet-bottom.inc closes the remaining page wrappers, body and html %]
</div>
</div>
[% INCLUDE 'intranet-bottom.inc' %]