Koha-community/Koha
13
7
Fork 0
Code Issues Releases Wiki Activity
Koha/koha-tmpl/intranet-tmpl/prog/en/modules/ill/ill-requests.tt
Jonathan Druart dcd1f5d48c Bug 13618: Add html filters to all the variables 
Here we go, next step then.
As we did not fix the performance issue when autofiltering
the variables (see bug 20975), the only solution we have is to add the
filters explicitely.

This patch has been autogenerated (using add_html_filters.pl, see next
pathces) and add the html filter to all the variables displayed in the
template.
Exceptions are made (using the new 'raw' TT filter) to the variable we
already listed in the previous versions of this patch.

To test:
- Use t/db_dependent/Koha/Patrons.t to populate your DB with autogenerated
data which contain <script> tags

- Remove them from borrower_debarments.comments (there are allowed here)
update  borrower_debarments set comment="html tags possible here";

- From the interface hit page and try to catch alert box.
If you find one it means you find a possible XSS.
To know where it comes from:
* note the exact URL where you found it
* note the alert box content
* Dump your DB and search for the string in the dump to identify its
location (for instance table.field)

Next:
* Ideally we would like to use the raw filter when it is not necessary
to HTML escape the variables (in big loop for instance)
* Provide a QA script to catch missing filters (we want html, uri, url
or raw, certainly others that I am forgetting now)
* Replace the html filters with uri when needed (!)

Signed-off-by: Owen Leonard <oleonard@myacpl.org>

Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>

Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
2018-08-17 15:55:05 +00:00

637 lines
30 KiB
Text
Raw Blame History

This file contains ambiguous Unicode characters

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

[% USE raw %]
[% USE Asset %]
[% USE Branches %]
[% USE Koha %]
[% USE KohaDates %]
[% INCLUDE 'doc-head-open.inc' %]
<title>Koha &rsaquo; ILL requests &rsaquo;</title>
[% INCLUDE 'doc-head-close.inc' %]
[% Asset.js("lib/jquery/plugins/jquery.checkboxes.min.js") | $raw %]
[% Asset.css("css/datatables.css") | $raw %]
[% INCLUDE 'datatables.inc' %]
<script type="text/javascript">
//<![CDATA[
$(document).ready(function() {
// Illview Datatable setup
// Fields we don't want to display
var ignore = [
'accessurl',
'backend',
'branchcode',
'completed',
'capabilities',
'cost',
'medium',
'notesopac',
'notesstaff',
'placed',
'replied'
];
// Fields we need to expand (flatten)
var expand = [
'metadata',
'patron'
];
// Expanded fields
// This is auto populated
var expanded = {};
// The core fields that should be displayed first
var core = [
'metadata_Author',
'metadata_Title',
'borrowername',
'biblio_id',
'library',
'status',
'updated',
'illrequest_id',
'action'
];
// Remove any fields we're ignoring
var removeIgnore = function(dataObj) {
dataObj.forEach(function(thisRow) {
ignore.forEach(function(thisIgnore) {
if (thisRow.hasOwnProperty(thisIgnore)) {
delete thisRow[thisIgnore];
}
});
});
};
// Expand any fields we're expanding
var expandExpand = function(row) {
expand.forEach(function(thisExpand) {
if (row.hasOwnProperty(thisExpand)) {
if (!expanded.hasOwnProperty(thisExpand)) {
expanded[thisExpand] = [];
}
var expandObj = row[thisExpand];
Object.keys(expandObj).forEach(
function(thisExpandCol) {
var expColName = thisExpand + '_' + thisExpandCol;
// Keep a list of fields that have been expanded
// so we can create toggle links for them
if (expanded[thisExpand].indexOf(expColName) == -1) {
expanded[thisExpand].push(expColName);
}
expandObj[expColName] =
expandObj[thisExpandCol];
delete expandObj[thisExpandCol];
}
);
$.extend(true, row, expandObj);
delete row[thisExpand];
}
});
};
// Build a de-duped list of all column names
var allCols = {};
core.map(function(thisCore) {
allCols[thisCore] = 1;
});
// Strip the expand prefix if it exists, we do this for display
var stripPrefix = function(value) {
expand.forEach(function(thisExpand) {
var regex = new RegExp(thisExpand + '_', 'g');
value = value.replace(regex, '');
});
return value;
};
// Our 'render' function for borrowerlink
var createPatronLink = function(data, type, row) {
return '<a title="' + _("View borrower details") + '" ' +
'href="/cgi-bin/koha/members/moremember.pl?' +
'borrowernumber='+row.borrowernumber+'">' +
row.patron_firstname + ' ' + row.patron_surname +
'</a>';
};
// Our 'render' function for the library name
var createLibrary = function(data, type, row) {
return row.library.branchname;
};
// Render function for request ID
var createRequestId = function(data, type, row) {
return row.id_prefix + row.illrequest_id;
};
// Render function for request status
var createStatus = function(data, type, row, meta) {
var origData = meta.settings.oInit.originalData;
if (origData.length > 0) {
var status_name = meta.settings.oInit.originalData[0].capabilities[
row.status
].name;
switch( status_name ) {
case "New request":
return _("New request");
case "Requested":
return _("Requested");
case "Requested from partners":
return _("Requested from partners");
case "Request reverted":
return _("Request reverted");
case "Queued request":
return _("Queued request");
case "Cancellation requested":
return _("Cancellation requested");
case "Completed":
return _("Completed");
case "Delete request":
return _("Delete request");
default:
return status_name;
}
} else {
return '';
}
};
// Render function for creating a row's action link
var createActionLink = function(data, type, row) {
return '<a class="btn btn-default btn-sm" ' +
'href="/cgi-bin/koha/ill/ill-requests.pl?' +
'method=illview&amp;illrequest_id=' +
row.illrequest_id +
'">' + _("Manage request") + '</a>';
};
// Columns that require special treatment
var specialCols = {
action: {
name: '',
func: createActionLink
},
borrowername: {
name: _("Patron"),
func: createPatronLink
},
illrequest_id: {
name: _("Request number"),
func: createRequestId
},
status: {
name: _("Status"),
func: createStatus
},
biblio_id: {
name: _("Biblio ID")
},
library: {
name: _("Library"),
func: createLibrary
}
};
// Filter partner list
$('#partner_filter').keyup(function() {
var needle = $('#partner_filter').val();
$('#partners > option').each(function() {
var regex = new RegExp(needle, 'i');
if (
needle.length == 0 ||
$(this).is(':selected') ||
$(this).text().match(regex)
) {
$(this).show();
} else {
$(this).hide();
}
});
});
// Display the modal containing request supplier metadata
$('#ill-request-display-metadata').on('click', function(e) {
e.preventDefault();
$('#dataPreview').modal({show:true});
});
// Get our data from the API and process it prior to passing
// it to datatables
var ajax = $.ajax(
'/api/v1/illrequests?embed=metadata,patron,capabilities,library'
).done(function() {
var data = JSON.parse(ajax.responseText);
// Make a copy, we'll be removing columns next and need
// to be able to refer to data that has been removed
var dataCopy = $.extend(true, [], data);
// Remove all columns we're not interested in
removeIgnore(dataCopy);
// Expand columns that need it and create an array
// of all column names
$.each(dataCopy, function(k, row) {
expandExpand(row);
});
// Assemble an array of column definitions for passing
// to datatables
var colData = [];
Object.keys(allCols).forEach(function(thisCol) {
// Create the base column object
var colObj = {
name: thisCol,
className: thisCol
};
// We may need to process the data going in this
// column, so do it if necessary
if (
specialCols.hasOwnProperty(thisCol) &&
specialCols[thisCol].hasOwnProperty('func')
) {
colObj.render = specialCols[thisCol].func;
} else {
colObj.data = thisCol;
}
colData.push(colObj);
});
// Initialise the datatable
$('#ill-requests').DataTable($.extend(true, {}, dataTablesDefaults, {
'aoColumnDefs': [ // Last column shouldn't be sortable or searchable
{
'aTargets': [ 'actions' ],
'bSortable': false,
'bSearchable': false
},
],
'aaSorting': [[ 6, 'desc' ]], // Default sort, updated descending
'processing': true, // Display a message when manipulating
'iDisplayLength': 10, // 10 results per page
'sPaginationType': "full_numbers", // Pagination display
'deferRender': true, // Improve performance on big datasets
'data': dataCopy,
'columns': colData,
'originalData': data // Enable render functions to access
// our original data
}));
}
);
});
//]]>
</script>
</head>
<body id="illrequests" class="ill">
[% INCLUDE 'header.inc' %]
[% INCLUDE 'cat-search.inc' %]
<div id="breadcrumbs">
<a href="/cgi-bin/koha/mainpage.pl">Home</a> &rsaquo;
<a href="/cgi-bin/koha/ill/ill-requests.pl">ILL requests</a>
[% IF query_type == 'create' %]
&rsaquo; New request
[% ELSIF query_type == 'status' %]
&rsaquo; Status
[% END %]
</div>
<div id="doc3" class="yui-t2">
<div id="bd">
<div id="yui-main">
<div id="interlibraryloans" class="yui-b">
[% IF !backends_available %]
<div class="dialog message">ILL module configuration problem. Take a look at the <a href="/cgi-bin/koha/about.pl#sysinfo">about page</a></div>
[% ELSE %]
[% INCLUDE 'ill-toolbar.inc' %]
[% IF whole.error %]
<h1>Error performing operation</h1>
<!-- Dispatch on Status -->
<p>We encountered an error:</p>
<p>
<pre>[% whole.message | html %] ([% whole.status | html %])</pre>
</p>
[% END %]
[% IF query_type == 'create' %]
<h1>New ILL request</h1>
[% IF whole.stage == 'copyrightclearance' %]
<div>
<p>
[% Koha.Preference('ILLModuleCopyrightClearance') | $raw %]
</p>
<a href="?method=create&stage=copyrightclearance&backend=[% whole.value.backend | html %]"
class="btn btn-sm btn-default btn-group"><i class="fa fa-check">Yes</i></a>
<a href="/cgi-bin/koha/ill/ill-requests.pl"
class="btn btn-sm btn-default btn-group"><i class="fa fa-times">No</i></a>
</div>
[% ELSE %]
[% PROCESS $whole.template %]
[% END %]
[% ELSIF query_type == 'confirm' %]
<h1>Confirm ILL request</h1>
[% PROCESS $whole.template %]
[% ELSIF query_type == 'cancel' and !whole.error %]
<h1>Cancel a confirmed request</h1>
[% PROCESS $whole.template %]
[% ELSIF query_type == 'generic_confirm' %]
<h1>Place request with partner libraries</h1>
[% IF error %]
[% IF error == 'no_target_email' %]
<div class="alert">
No target email addresses found. Either select at least
one partner or check your ILL partner library records.
</div>
[% ELSIF error == 'no_library_email' %]
<div class="alert">
Your library has no usable email address. Please set it.
</div>
[% ELSIF error == 'unkown_error' %]
<div class="alert">
Unknown error processing your request. Contact your administrator.
</div>
[% END %]
[% END %]
<!-- Start of GENERIC_EMAIL case -->
[% IF whole.value.partners %]
[% ill_url = "/cgi-bin/koha/ill/ill-requests.pl?method=illview&illrequest_id=" _ request.illrequest_id %]
<form method="POST" action="/cgi-bin/koha/ill/ill-requests.pl">
<fieldset class="rows">
<legend>Interlibrary loan request details</legend>
<ol>
<li>
<label for="partner_filter">Filter partner libraries:</label>
<input type="text" id="partner_filter">
</li>
<li>
<label for="partners" class="required">Select partner libraries:</label>
<select size="5" multiple="true" id="partners" name="partners" required="required">
[% FOREACH partner IN whole.value.partners %]
<option value=[% partner.email | html %]>
[% partner.branchcode _ " - " _ partner.surname %]
</option>
[% END %]
</select>
</li>
<li>
<label for="subject" class="required">Subject Line</label>
<input type="text" name="subject" id="subject" type="text" value="[% whole.value.draft.subject | html %]" required="required" />
</li>
<li>
<label for="body" class="required">Email text:</label>
<textarea name="body" id="body" rows="20" cols="80" required="required">[% whole.value.draft.body | html %]</textarea>
</li>
</ol>
<input type="hidden" value="generic_confirm" name="method">
<input type="hidden" value="draft" name="stage">
<input type="hidden" value="[% request.illrequest_id | html %]" name="illrequest_id">
</fieldset>
<fieldset class="action">
<input type="submit" class="btn btn-default" value="Send email"/>
<span><a href="[% ill_url | html %]" title="Return to request details">Cancel</a></span>
</fieldset>
</form>
[% ELSE %]
<fieldset class="rows">
<legend>Interlibrary loan request details</legend>
<p>No partners have been defined yet. Please create appropriate patron records (by default ILLLIBS category).</p>
<p>Be sure to provide email addresses for these patrons.</p>
<p><span><a href="[% ill_url | html %]" title="Return to request details">Cancel</a></span></p>
</fieldset>
[% END %]
<!-- generic_confirm ends here -->
[% ELSIF query_type == 'edit_action' %]
<form method="POST" action="/cgi-bin/koha/ill/ill-requests.pl">
<fieldset class="rows">
<legend>Request details</legend>
<ol>
<li class="borrowernumber">
<label for="borrowernumber">Patron ID:</label>
<input name="borrowernumber" id="borrowernumber" type="text" value="[% request.borrowernumber | html %]">
</li>
<li class="biblio_id">
<label for="biblio_id" class="biblio_id">Biblio ID:</label>
<input name="biblio_id" id="biblio_id" type="text" value="[% request.biblio_id | html %]">
</li>
<li class="branchcode">
<label for="library" class="branchcode">Library:</label>
<select name="branchcode" id="library">
[% PROCESS options_for_libraries libraries => Branches.all( selected => request.branchcode ) %]
</select>
</li>
<li class="status">
<label class="status">Status:</label>
[% stat = request.status | html %]
[% request.capabilities.$stat.name | html %]
</li>
<li class="updated">
<label class="updated">Last updated:</label>
[% request.updated | $KohaDates with_hours => 1 | html %]
</li>
<li class="medium">
<label class="medium">Request type:</label>
[% request.medium | html %]
</li>
<li class="cost">
<label class="cost">Cost:</label>
[% request.cost || 'N/A' | html %]
</li>
<li class="req_id">
<label class="req_id">Request number:</label>
[% request.id_prefix _ request.illrequest_id | html %]
</li>
<li class="notesstaff">
<label for="notesstaff" class="notesstaff">Staff notes:</label>
<textarea name="notesstaff" id="notesstaff" rows="5">[% request.notesstaff | html %]</textarea>
</li>
<li class="notesopac">
<label for="notesopac" class="notesopac">Opac notes:</label>
<textarea name="notesopac" id="notesopac" rows="5">[% request.notesopac | html %]</textarea>
</li>
</ol>
</fieldset>
<fieldset class="action">
<input type="hidden" value="edit_action" name="method">
<input type="hidden" value="form" name="stage">
<input type="hidden" value="[% request.illrequest_id | html %]" name="illrequest_id">
<input type="submit" value="Submit">
<a class="cancel" href="/cgi-bin/koha/ill/ill-requests.pl?method=illview&amp;illrequest_id=[% request.id | html %]">Cancel</a>
</fieldset>
</form>
[% ELSIF query_type == 'delete_confirm' %]
<div class="dialog alert">
<h3>Are you sure you wish to delete this request?</h3>
<form action="/cgi-bin/koha/ill/ill-requests.pl" method="post">
<input type="hidden" name="method" value="delete" />
<input type="hidden" name="confirmed" value="1" />
<input type="hidden" name="illrequest_id" value="[% request.id | html %]" />
<button type="submit" class="btn btn-default btn-sm approve"><i class="fa fa-fw fa-check"></i> Yes, delete</button>
</form>
<a class="btn btn-default btn-sm deny" href="/cgi-bin/koha/ill/ill-requests.pl?method=illview&amp;illrequest_id=[% request.id | html %]"><i class="fa fa-fw fa-remove"></i>No, do not delete</a>
</div>
[% ELSIF query_type == 'illview' %]
[% actions = request.available_actions | html %]
[% capabilities = request.capabilities | html %]
[% req_status = request.status | html %]
<h1>Manage ILL request</h1>
<div id="toolbar" class="btn-toolbar">
<a title="Edit request" id="ill-toolbar-btn-edit-action" class="btn btn-sm btn-default" href="/cgi-bin/koha/ill/ill-requests.pl?method=edit_action&amp;illrequest_id=[% request.illrequest_id | html %]">
<span class="fa fa-pencil"></span>
Edit request
</a>
[% FOREACH action IN actions %]
[% IF action.method != 0 %]
<a title="[% action.ui_method_name | html %]" id="ill-toolbar-btn-[% action.id | lower | html %]" class="btn btn-sm btn-default" href="/cgi-bin/koha/ill/ill-requests.pl?method=[% action.method | html %]&amp;illrequest_id=[% request.illrequest_id | html %]">
<span class="fa [% action.ui_method_icon | html %]"></span>
[% action.ui_method_name | html %]
</a>
[% END %]
[% END %]
<a title="Display supplier metadata" id="ill-request-display-metadata" class="btn btn-sm btn-default pull-right" href="#">
<span class="fa fa-eye"></span>
Display supplier metadata
</a>
</div>
<div id="ill-view-panel" class="panel panel-default">
<div class="panel-heading">
<h3>Request details</h3>
</div>
<div class="panel-body">
<h4>Details from library</h4>
<div class="rows">
<div class="orderid">
<span class="label orderid">Order ID:</span>
[% request.orderid || "N/A" | html %]
</div>
<div class="borrowernumber">
<span class="label borrowernumber">Patron:</span>
[% borrowerlink = "/cgi-bin/koha/members/moremember.pl" _ "?borrowernumber=" _ request.patron.borrowernumber %]
<a href="[% borrowerlink | html %]" title="View borrower details">
[% request.patron.firstname _ " " _ request.patron.surname _ " [" _ request.patron.cardnumber _ "]" | html %]
</a>
</div>
<div class="biblio_id">
<span class="label biblio_id">Biblio ID:</span>
[% request.biblio_id || "N/A" | html %]
</div>
<div class="branchcode">
<span class="label branchcode">Library:</span>
[% Branches.GetName(request.branchcode) | html %]
</div>
<div class="status">
<span class="label status">Status:</span>
[% capabilities.$req_status.name | html %]
</div>
<div class="updated">
<span class="label updated">Last updated:</span>
[% request.updated | $KohaDates with_hours => 1 | html %]
</div>
<div class="medium">
<span class="label medium">Request type:</span>
[% request.medium | html %]
</div>
<div class="cost">
<span class="label cost">Cost:</span>
[% request.cost || "N/A" | html %]
</div>
<div class="req_id">
<span class="label req_id">Request number:</span>
[% request.id_prefix _ request.illrequest_id | html %]
</div>
<div class="notesstaff">
<span class="label notes_staff">Staff notes:</span>
<pre>[% request.notesstaff | html %]</pre>
</div>
<div class="notesopac">
<span class="label notes_opac">Notes:</span>
<pre>[% request.notesopac | html %]</pre>
</div>
</div>
<div class="rows">
<h4>Details from supplier ([% request.backend | html %])</h4>
[% FOREACH meta IN request.metadata %]
<div class="requestmeta-[% meta.key | html %]">
<span class="label">[% meta.key | html %]:</span>
[% meta.value | html %]
</div>
[% END %]
</div>
</div>
</div>
<div id="dataPreview" class="modal fade" tabindex="-1" role="dialog" aria-labelledby="dataPreviewLabel" aria-hidden="true">
<div class="modal-dialog">
<div class="modal-content">
<div class="modal-header">
<button type="button" class="closebtn" data-dismiss="modal" aria-hidden="true">×</button>
<h3 id="dataPreviewLabel"> Supplier metadata</h3>
</div>
<div class="modal-body">
<div id="requestattributes">
[% FOREACH attr IN request.illrequestattributes %]
<div class="requestattr-[% attr.type | html %]">
<span class="label">[% attr.type | html %]:</span>
[% attr.value | html %]
</div>
[% END %]
</div>
</div>
<div class="modal-footer">
<button class="btn btn-default" data-dismiss="modal" aria-hidden="true">Close</button>
</div>
</div>
</div>
</div>
[% ELSIF query_type == 'illlist' %]
<!-- illlist -->
<h1>View ILL requests</h1>
<div id="results">
<h3>Details for all requests</h3>
<table id="ill-requests">
<thead>
<tr id="illview-header">
<th>Author</th>
<th>Title</th>
<th>Patron</th>
<th>Biblio ID</th>
<th>Library</th>
<th>Status</th>
<th>Updated on</th>
<th>Request number</th>
<th class="actions"></th>
</tr>
</thead>
<tbody id="illview-body">
</tbody>
</table>
</div>
[% ELSE %]
<!-- Custom Backend Action -->
[% INCLUDE $whole.template %]
[% END %]
[% END %]
</div>
</div>
</div>
</div>
[% TRY %]
[% PROCESS backend_jsinclude %]
[% CATCH %]
[% END %]
[% INCLUDE 'intranet-bottom.inc' %]
View git blame Copy permalink