Koha/koha-tmpl/intranet-tmpl/prog/en/modules/acqui/supplier.tt
Jonathan Druart dcd1f5d48c Bug 13618: Add html filters to all the variables
Here we go, next step then.
As we did not fix the performance issue when autofiltering
the variables (see bug 20975), the only solution we have is to add the
filters explicitly.

This patch has been autogenerated (using add_html_filters.pl, see next
patches) and adds the html filter to all the variables displayed in the
template.
Exceptions are made (using the new 'raw' TT filter) for the variables we
already listed in the previous versions of this patch.

To test:
- Use t/db_dependent/Koha/Patrons.t to populate your DB with autogenerated
data which contain <script> tags

- Remove them from borrower_debarments.comments (there are allowed here)
update  borrower_debarments set comment="html tags possible here";

- From the interface hit page and try to catch alert box.
If you find one it means you find a possible XSS.
To know where it comes from:
* note the exact URL where you found it
* note the alert box content
* Dump your DB and search for the string in the dump to identify its
location (for instance table.field)

Next:
* Ideally we would like to use the raw filter when it is not necessary
to HTML escape the variables (in big loop for instance)
* Provide a QA script to catch missing filters (we want html, uri, url
or raw, certainly others that I am forgetting now)
* Replace the html filters with uri when needed (!)

Signed-off-by: Owen Leonard <oleonard@myacpl.org>

Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>

Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
2018-08-17 15:55:05 +00:00


[% USE raw %]
[% USE Asset %]
[% USE KohaDates %]
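[% BLOCK edit_contact %]
[%# Edit fields for one vendor contact, read from the 'contact' stash object (id, name,
    position, phone, altphone, fax, email, notes and the five role flags). The block is
    rendered once with an empty contact inside #contact-template, which add_contact()
    clones for new contacts, and once per existing contact. contact.id is appended to
    every id/for so labels stay bound to their own inputs when several contacts are on
    the page. Every interpolated value is html-filtered: these fields are user-entered
    database values and must not be able to close an attribute or inject markup. %]
<ol id="contact-form">
<input type="hidden" name="contact_id" value="[% contact.id | html %]" />
<li><label for="contact_name[% contact.id | html %]">Contact name: </label>
<input type="text" size="40" id="contact_name[% contact.id | html %]" name="contact_name" value="[% contact.name | html %]" /></li>
<li><label for="contact_position[% contact.id | html %]">Position: </label>
<input type="text" size="40" id="contact_position[% contact.id | html %]" name="contact_position" value="[% contact.position | html %]" /></li>
<li><label for="contact_phone[% contact.id | html %]">Phone: </label>
<input type="text" size="20" id="contact_phone[% contact.id | html %]" name="contact_phone" value="[% contact.phone | html %]" /> </li>
<li><label for="contact_altphone[% contact.id | html %]">Alternative phone: </label>
<input type="text" size="20" id="contact_altphone[% contact.id | html %]" name="contact_altphone" value="[% contact.altphone | html %]" /></li>
<li><label for="contact_fax[% contact.id | html %]">Fax: </label>
<input type="text" size="20" id="contact_fax[% contact.id | html %]" name="contact_fax" value="[% contact.fax | html %]" /></li>
<li><label for="contact_email[% contact.id | html %]">Email: </label>
<input type="text" size="40" id="contact_email[% contact.id | html %]" name="contact_email" value="[% contact.email | html %]" class="email" /></li>
<li><label for="contact_notes[% contact.id | html %]">Notes: </label>
<textarea id="contact_notes[% contact.id | html %]" name="contact_notes" cols="40" rows="4">[% contact.notes | html %]</textarea></li>
[%# Role flags. The visible checkboxes carry no name and are never submitted; the hidden
    input that follows each one holds the submitted value and is kept in sync by the
    click handlers in jsinclude below (they locate it with .next()). input is a void
    element, so no end tag is written for it. %]
<li><label for="contact_acqprimary[% contact.id | html %]">Primary acquisitions contact:</label>
[% IF contact.acqprimary %]
<input type="checkbox" id="contact_acqprimary[% contact.id | html %]" class="contact_acqprimary" checked="checked" />
[% ELSE %]
<input type="checkbox" id="contact_acqprimary[% contact.id | html %]" class="contact_acqprimary" />
[% END %]
<input type="hidden" class="contact_acqprimary_hidden" name="contact_acqprimary" value="[% contact.acqprimary | html %]" /></li>
<li><label for="contact_serialsprimary[% contact.id | html %]">Primary serials contact:</label>
[% IF contact.serialsprimary %]
<input type="checkbox" id="contact_serialsprimary[% contact.id | html %]" class="contact_serialsprimary" checked="checked" />
[% ELSE %]
<input type="checkbox" id="contact_serialsprimary[% contact.id | html %]" class="contact_serialsprimary" />
[% END %]
<input type="hidden" class="contact_serialsprimary_hidden" name="contact_serialsprimary" value="[% contact.serialsprimary | html %]" /></li>
<li><label for="contact_orderacquisition[% contact.id | html %]">Contact when ordering?</label>
[% IF contact.orderacquisition %]
<input type="checkbox" id="contact_orderacquisition[% contact.id | html %]" class="contact_orderacquisition" checked="checked" />
[% ELSE %]
<input type="checkbox" id="contact_orderacquisition[% contact.id | html %]" class="contact_orderacquisition" />
[% END %]
<input type="hidden" class="contact_orderacquisition_hidden" name="contact_orderacquisition" value="[% contact.orderacquisition | html %]" /></li>
<li><label for="contact_claimacquisition[% contact.id | html %]">Contact about late orders?</label>
[% IF contact.claimacquisition %]
<input type="checkbox" id="contact_claimacquisition[% contact.id | html %]" class="contact_claimacquisition" checked="checked" />
[% ELSE %]
<input type="checkbox" id="contact_claimacquisition[% contact.id | html %]" class="contact_claimacquisition" />
[% END %]
<input type="hidden" class="contact_claimacquisition_hidden" name="contact_claimacquisition" value="[% contact.claimacquisition | html %]" /></li>
<li><label for="contact_claimissues[% contact.id | html %]">Contact about late issues?</label>
[% IF contact.claimissues %]
<input type="checkbox" id="contact_claimissues[% contact.id | html %]" class="contact_claimissues" checked="checked" />
[% ELSE %]
<input type="checkbox" id="contact_claimissues[% contact.id | html %]" class="contact_claimissues" />
[% END %]
<input type="hidden" class="contact_claimissues_hidden" name="contact_claimissues" value="[% contact.claimissues | html %]" /></li>
[%# Only a stored contact gets a delete button. It is type="button" so that a click can
    never submit the surrounding form, even if the delete_contact handler is not bound;
    the button element is also closed properly. %]
[% IF contact.id %]<li><button type="button" class="btn btn-default delete-contact"><i class="fa fa-trash"></i> Delete contact</button></li>[% END %]
</ol>
[% END %]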
[% BLOCK show_contact %]
[%# Read-only rendering of one vendor contact from the 'contact' stash object.
    Every field goes through the html filter, so a note containing markup (the
    bug 13618 test plan seeds <script> tags into the database) is shown literally.
    Role flags are only mentioned when they are set. %]
<h3>[% contact.name | html %]</h3>
<p><span class="label">Position: </span>[% contact.position | html %]</p>
<p><span class="label">Phone: </span>[% contact.phone | html %]</p>
<p><span class="label">Alternative phone: </span>[% contact.altphone | html %]</p>
<p><span class="label">Fax: </span>[% contact.fax | html %]</p>
[% IF ( contact.email ) %]
[%# The html filter escapes the quote characters, so the value cannot end the href
    attribute early. It does not check that the value is actually an e-mail address;
    that is left to whatever validation the edit form / server applies. %]
<p><span class="label">Email: </span><a href="mailto:[% contact.email | html %]">[% contact.email | html %]</a></p>
[% END %]
[% IF ( contact.notes ) %]
<p><span class="label">Notes: </span>[% contact.notes | html %]</p>
[% END %]
[% IF ( contact.acqprimary ) %]
<p><span class="label">Primary acquisitions contact</span></p>
[% END %]
[% IF ( contact.serialsprimary ) %]
<p><span class="label">Primary serials contact</span></p>
[% END %]
[% IF ( contact.orderacquisition ) %]
<p><span class="label">Receives orders</span></p>
[% END %]
[% IF ( contact.claimacquisition ) %]
<p><span class="label">Receives claims for late orders</span></p>
[% END %]
[% IF ( contact.claimissues ) %]
<p><span class="label">Receives claims for late issues</span></p>
[% END %]
[% END %]
[%# Page head and breadcrumb for the vendor page. 'enter' selects the edit form
    (below) instead of the read-only view; 'booksellerid' being set means an existing
    vendor is edited rather than a new one added. footerjs = 1 is the flag that,
    presumably via intranet-bottom.inc, makes the footer emit the jsinclude MACRO
    defined at the end of this file — confirm in that include. %]
[% SET footerjs = 1 %]
[% INCLUDE 'doc-head-open.inc' %]
<title>Koha &rsaquo; Vendor [% name | html %]</title>
[%# $raw is deliberate here: Asset.css receives a fixed literal path, not user data. %]
[% Asset.css("css/datatables.css") | $raw %]
[% INCLUDE 'doc-head-close.inc' %]
</head>
<body id="acq_supplier" class="acq">
[% INCLUDE 'header.inc' %]
[% INCLUDE 'acquisitions-search.inc' %]
[%# booksellerid is interpolated into a query string with the html filter. That is
    enough to stop the value closing the href attribute, but uri is the context-correct
    filter for a query-string value; the commit message lists that as a follow-up. %]
<div id="breadcrumbs"><a href="/cgi-bin/koha/mainpage.pl">Home</a> &rsaquo; <a href="/cgi-bin/koha/acqui/acqui-home.pl">Acquisitions</a> &rsaquo; [% IF ( enter ) %][% IF ( booksellerid ) %] <a href="/cgi-bin/koha/acqui/supplier.pl?booksellerid=[% booksellerid | html %]">[% name | html %]</a> &rsaquo; Update: [% name | html %][% ELSE %]Add vendor[% END %] [% ELSE %][% name | html %][% END %]</div>
<div id="doc3" class="yui-t2">
<div id="bd">
<div id="yui-main">
<div class="yui-b">
[% IF ( enter ) %]
[% IF ( booksellerid ) %]
<h1>Update: [% name | html %]</h1>
[% ELSE %]
<h1>Add vendor</h1>
[% END %]
[% END %]
[% UNLESS ( enter ) %][% INCLUDE 'acquisitions-toolbar.inc' %][% END %]
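[%# Main body: the vendor edit form when 'enter' is set, otherwise the read-only
    vendor view. All database-sourced values are html-filtered; the two exceptions
    are the discount, which format("%.1f") reduces to digits and a dot, and the
    KohaDates-formatted contract dates (see the notes inline). %]
[% IF ( enter ) %]
<form action="updatesupplier.pl" name="updatesupplier" class="validated" method="post">
[%# NOTE(review): no CSRF token field is visible in this form. Confirm that
    updatesupplier.pl validates one before applying the update. class="validated"
    and the class="email"/class="url" hooks below presumably drive a client-side
    validator only; the server must still validate these values. %]
<div class="yui-g">
<input type="hidden" name="booksellerid" value="[% booksellerid | html %]" />
<fieldset class="rows">
<legend>Company details</legend>
<ol><li><label for="company" class="required">Name:</label>
<input type="text" size="40" id="company" name="company" value="[% name | html %]" required="required" class="required" /><span class="required">Required</span></li>
<li><label for="company_postal">Postal address: </label>
<textarea id="company_postal" name="company_postal" cols="40" rows="3">[% postal | html %]</textarea></li>
<li><label for="physical">Physical address: </label>
<textarea id="physical" name="physical" cols="40" rows="3">[% address1 | html %][% address2 | html %][% address3 | html %][% address4 | html %]</textarea></li>
<li><label for="company_phone">Phone: </label>
<input type="text" size="20" id="company_phone" name="company_phone" value="[% phone | html %]" /></li>
<li><label for="company_fax">Fax: </label>
<input type="text" size="20" id="company_fax" name="company_fax" value="[% fax | html %]" /></li>
<li><label for="website">Website: </label>
<input type="text" size="40" id="website" name="website" value="[% url | html %]" class="url" /></li>
<li><label for="accountnumber">Account number: </label>
<input type="text" size="40" id="accountnumber" name="accountnumber" value="[% accountnumber | html %]" /></li></ol>
</fieldset>
<fieldset class="rows">
<legend>Contacts</legend>
[%# #contact-template is rendered with whatever 'contact' is in the stash (normally
    nothing) and is cloned by add_contact() for each new contact; existing contacts
    follow it, one fieldset each. %]
<fieldset id="contact-template" class="supplier-contact">
<legend>Contact details</legend>
[% INCLUDE edit_contact %]
</fieldset>
[% FOREACH contact IN contacts %]
<fieldset class="supplier-contact">
<legend>Contact details</legend>
[% INCLUDE edit_contact %]
</fieldset>
[% END %]
[%# type="button": this sits inside the form, and a button without a type submits it
    if the add_contact handler is not bound. %]
<button type="button" id="add-contact" class="btn btn-default"><i class="fa fa-plus"></i> Add another contact</button>
</fieldset>
</div>
<div class="yui-g">
<fieldset class="rows">
<legend>Ordering information</legend>
<ol class="radio"><li><label for="activestatus" class="radio">Vendor is:</label>
[% IF ( active ) %]
<label for="activestatus">Active</label> <input type="radio" id="activestatus" name="status" value="1" checked="checked" />
<label for="inactivestatus">Inactive</label> <input type="radio" id="inactivestatus" name="status" value="0" />
[% ELSE %]
<label for="activestatus">Active</label> <input type="radio" id="activestatus" name="status" value="1" />
<label for="inactivestatus">Inactive</label> <input type="radio" id="inactivestatus" name="status" value="0" checked="checked" />
[% END %]</li>
</ol>
<ol>
[%# Currency lists: for an existing vendor the stored currency is preselected; for a
    new one the active currency is. Archived currencies are listed only if they are
    the one currently selected. %]
<li><label for="list_currency">List prices are: </label>
<select name="list_currency" id="list_currency">
[% FOREACH c IN currencies %]
[% IF booksellerid and c.currency == listprice or not booksellerid and c.active %]
<option value="[% c.currency | html %]" selected="selected">[% c.currency | html %]</option>
[% ELSIF not c.archived %]
<option value="[% c.currency | html %]">[% c.currency | html %]</option>
[% END %]
[% END %]
</select>
</li>
<li><label for="invoice_currency">Invoice prices are: </label>
<select name="invoice_currency" id="invoice_currency">
[% FOREACH c IN currencies %]
[% IF booksellerid and c.currency == invoiceprice or not booksellerid and c.active %]
<option value="[% c.currency | html %]" selected="selected">[% c.currency | html %]</option>
[% ELSIF not c.archived %]
<option value="[% c.currency | html %]">[% c.currency | html %]</option>
[% END %]
[% END %]
</select>
</li>
</ol>
<ol class="radio">
<li><label for="gstyes" class="radio">Tax number registered:</label>
[% IF ( gstreg ) %]
<label for="gstyes">Yes</label> <input type="radio" name="gst" id="gstyes" value="1" checked="checked" />
<label for="gstno">No</label> <input type="radio" name="gst" id="gstno" value="0" />
[% ELSE %]
<label for="gstyes">Yes</label> <input type="radio" name="gst" id="gstyes" value="1" />
<label for="gstno">No</label> <input type="radio" name="gst" id="gstno" value="0" checked="checked" />
[% END %]</li>
<li><label for="list_gstyes" class="radio">List prices:</label>
[% IF ( listincgst ) %]
<label for="list_gstyes">Include tax</label> <input type="radio" id="list_gstyes" name="list_gst" value="1" checked="checked" />
<label for="list_gstno">Don't include tax</label> <input type="radio" id="list_gstno" name="list_gst" value="0" />
[% ELSE %]
<label for="list_gstyes">Include tax</label> <input type="radio" id="list_gstyes" name="list_gst" value="1" />
<label for="list_gstno">Don't include tax</label> <input type="radio" id="list_gstno" name="list_gst" value="0" checked="checked" />
[% END %]</li>
<li><label for="invoice_gstyes" class="radio">Invoice prices:</label>
[% IF ( invoiceincgst ) %]
<label for="invoice_gstyes">Include tax</label> <input type="radio" id="invoice_gstyes" name="invoice_gst" value="1" checked="checked" />
<label for="invoice_gstno">Don't include tax</label> <input type="radio" id="invoice_gstno" name="invoice_gst" value="0" />
[% ELSE %]
<label for="invoice_gstyes">Include tax</label> <input type="radio" id="invoice_gstyes" name="invoice_gst" value="1" />
<label for="invoice_gstno">Don't include tax</label> <input type="radio" id="invoice_gstno" name="invoice_gst" value="0" checked="checked" />
[% END %]</li>
</ol>
[%# Tax rate: a select over the configured gst_values, or a hidden 0 when none are
    configured so the form still posts a tax_rate. %]
[% IF gst_values %]
<ol>
<li>
<label for="tax_rate">Tax rate: </label>
<select name="tax_rate" id="tax_rate">
[% FOREACH gst IN gst_values %]
[% IF ( tax_rate == gst.option ) %]
<option value="[% gst.option | html %]" selected="selected">[% gst.option * 100 | html %] %</option>
[% ELSE %]
<option value="[% gst.option | html %]">[% gst.option * 100 | html %] %</option>
[% END %]
[% END %]
</select>
</li>
</ol>
[% ELSE %]
<input type="hidden" name="tax_rate" value="0" />
[% END %]
<ol>
[%# discount is not html-filtered on purpose: format("%.1f") is sprintf-style and
    emits only digits and a dot (a non-numeric value formats as 0.0). %]
<li><label for="discount">Discount: </label>
<input type="text" size="6" id="discount" name="discount" value="[% discount | format ("%.1f") %]" />%</li>
<li>
<label for="deliverytime">Delivery time: </label>
<input type="text" size="2" id="deliverytime" name="deliverytime" value="[% deliverytime | html %]" /> days
</li>
<li><label for="notes">Notes: </label>
<textarea cols="40" rows="4" id="notes" name="notes" >[% notes | html %]</textarea></li></ol>
</fieldset>
<fieldset class="action"><input type="submit" value="Save" /> [% IF ( booksellerid ) %]
<a class="cancel" href="/cgi-bin/koha/acqui/supplier.pl?booksellerid=[% booksellerid | html %]">[% ELSE %]<a class="cancel" href="/cgi-bin/koha/acqui/acqui-home.pl">
[% END %]Cancel</a></fieldset>
</div>
</form>
[% ELSE %]
<h1>[% name | html %]</h1>
<div class="yui-g">
<div id="supplier-company-details" class="yui-u first">
<h2>Vendor details</h2>
<p><span class="label">Company name: </span>[% name | html %]</p>
<p><span class="label">Postal address: </span>[% postal | html %]</p>
<p><span class="label">Physical address: </span>[% address1 | html %][% address2 | html %][% address3 | html %][% address4 | html %]</p>
<p><span class="label">Phone: </span>[% phone | html %]</p>
<p><span class="label">Fax: </span>[% fax | html %]</p>
[% IF ( url ) %]
[%# The vendor website is a free-text database value. The html filter stops it from
    closing the href attribute, but it does not stop a stored "javascript:" (or other
    non-web scheme) URL from becoming a clickable script link, so only http(s) values
    are rendered as a link; anything else is shown as plain text. %]
[% IF url.match('(?i)^https?://') %]
<p><span class="label">Website: </span><a href="[% url | html %]">[% url | html %]</a></p>
[% ELSE %]
<p><span class="label">Website: </span>[% url | html %]</p>
[% END %]
[% END %]
[% IF ( accountnumber ) %]
<p><span class="label">Account number: </span>[% accountnumber | html %]</p>
[% END %]
<div id="supplier-ordering-information">
<h2>Ordering information</h2>
<p><strong>Vendor is: </strong>
[% IF ( active ) %]
Active
[% ELSE %]
Inactive
[% END %]</p>
<p><strong>List prices are: </strong>[% listprice | html %]</p>
<p><strong>Invoice prices are: </strong>[% invoiceprice | html %]</p>
[%# The three tax-registration lines are only shown when a tax rate is set. %]
[% IF ( tax_rate ) %]<p><strong>Tax number registered: </strong>
[% IF ( gstreg ) %]Yes[% ELSE %]No[% END %]</p>
<p><strong>List item price includes tax: </strong>
[% IF ( listincgst ) %]Yes[% ELSE %]No[% END %]</p>
<p><strong>Invoice item price includes tax: </strong>
[% IF ( invoiceincgst ) %]Yes[% ELSE %]No[% END %]</p>[% END %]
<p><strong>Discount: </strong>
[% discount | format("%.1f") %] %</p>
<p><strong>Tax rate: </strong>
[% ( tax_rate || 0 ) * 100 | html %] %</p>
[% IF deliverytime.defined %]
<p><strong>Delivery time: </strong>
[% deliverytime | html %] days</p>
[% END %]
[% IF ( notes ) %]<p><strong>Notes: </strong>
[% notes | html %]</p>[% END %]
</div>
</div>
<div class="supplier-contact-details yui-u">
<h2>Contact</h2>
[% FOREACH contact IN contacts %]
[% INCLUDE show_contact %]
[% END %]
</div>
<div>
<div class="subscription-details">
<h2>Subscription details</h2>
<p><strong>Number of subscriptions: </strong>[% subscriptioncount | html %]</p>
</div>
</div>
</div>
[% IF ( contracts ) %]
<div id="supplier-contracts" class="yui-g">
<h2>Contract(s)</h2>
[%# Contract list, turned into a DataTable by jsinclude. The title attribute holds
    the stored date for sorting while the cell shows the KohaDates-formatted one; the
    KohaDates output is not html-filtered, which is presumably safe because the
    filter emits only a formatted date — confirm in the plugin. The contract and
    vendor ids in the query strings are html-filtered; uri would be the
    context-correct filter for query-string values. %]
<table id="contractst">
<thead>
<tr>
<th scope="col">Name</th>
<th scope="col">Description</th>
<th scope="col" class="title-string">Start date</th>
<th scope="col" class="title-string">End date</th>
<th scope="col">Actions</th>
</tr>
</thead>
<tbody>
[% FOREACH contract IN contracts %]
<tr>
<td>
<a href="/cgi-bin/koha/admin/aqcontract.pl?op=add_form&amp;contractnumber=[% contract.contractnumber | html %]&amp;booksellerid=[% contract.booksellerid | html %]">[% contract.contractname | html %]</a>
</td>
<td>[% contract.contractdescription | html %]</td>
<td><span title="[% contract.contractstartdate | html %]">[% contract.contractstartdate | $KohaDates %]</span></td>
<td><span title="[% contract.contractenddate | html %]">[% contract.contractenddate | $KohaDates %]</span></td>
<td class="actions">
<a class="btn btn-default btn-xs" href="/cgi-bin/koha/admin/aqcontract.pl?op=add_form&amp;contractnumber=[% contract.contractnumber | html %]&amp;booksellerid=[% contract.booksellerid | html %]"><i class="fa fa-pencil"></i> Edit</a>
<a class="btn btn-default btn-xs" href="/cgi-bin/koha/admin/aqcontract.pl?op=delete_confirm&amp;contractnumber=[% contract.contractnumber | html %]&amp;booksellerid=[% contract.booksellerid | html %]"><i class="fa fa-trash"></i> Delete</a>
</td>
</tr>
[% END %]
</tbody>
</table>
</div>
[% END %]
[% END %]
</div>
</div>
<div class="yui-b">
[% INCLUDE 'vendor-menu.inc' %]
</div>
</div>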
[% MACRO jsinclude BLOCK %]
[% Asset.js("js/acquisitions-menu.js") | $raw %]
[% INCLUDE 'datatables.inc' %]
<script type="text/javascript">
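// Ask the operator to confirm, then navigate to the vendor deletion URL.
// The vendor id is emitted with the TT uri filter: it lands inside a JS string
// literal that is also a URL query value, and uri-encoding leaves nothing that
// could terminate the string literal or append a second query parameter. (The
// html filter is meant for HTML text content, not for query-string values.)
// NOTE(review): the deletion is triggered by a plain GET navigation; whether
// supplier.pl protects op=delete against CSRF cannot be seen from this template.
function confirm_deletion() {
    if (confirm(_("Confirm deletion of this vendor ?"))) {
        window.location = "/cgi-bin/koha/acqui/supplier.pl?booksellerid=[% booksellerid | uri %]&op=delete";
    }
}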
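// Click handler for #add-contact: clone the hidden #contact-template fieldset,
// insert the copy before the button (this) and focus its name field.
// Ids and label targets get a timestamp suffix so the clone does not duplicate
// the template's ids. Only elements that actually carry an id/for are suffixed:
// the hidden inputs in the template have no id, and unconditionally appending
// to attr('id') gave each of them the same bogus "undefined_<timestamp>" id.
// Returns false so jQuery suppresses the button's default action (form submit).
function add_contact() {
    var new_contact = $('#contact-template').clone();
    var suffix = '_' + new Date().getTime();
    $(new_contact).removeAttr('id');
    $('input, textarea', new_contact).each(function () {
        var id = $(this).attr('id');
        if (id) {
            $(this).attr('id', id + suffix);
        }
    });
    $('label', new_contact).each(function () {
        var target = $(this).attr('for');
        if (target) {
            $(this).attr('for', target + suffix);
        }
    });
    $(new_contact).insertBefore(this);
    // Template + first real contact: make the first contact hold every role by
    // clicking its checkboxes (the click handlers sync the hidden values).
    if ($('.supplier-contact').length === 2) { // First contact
        $.each(['.contact_acqprimary', '.contact_serialsprimary', '.contact_orderacquisition', '.contact_claimacquisition', '.contact_claimissues'], function (idx, checkbox) {
            $(checkbox, new_contact).click();
        });
    }
    $('input[name="contact_name"]', new_contact).focus();
    return false;
}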
// Delegated click handler for ".delete-contact": suppress the button's default
// action (it sits inside the vendor form) and drop the contact fieldset that
// contains the button.
function delete_contact(ev) {
    ev.preventDefault();
    var fieldset = $(this).parents('.supplier-contact');
    fieldset.remove();
}
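$(document).ready(function() {
    // Contract list: the last column (Actions) is neither sortable nor searchable;
    // the date columns sort on the stored date kept in each span's title attribute.
    var contractst = $("#contractst").dataTable($.extend(true, {}, dataTablesDefaults, {
        "aoColumnDefs": [
            { "aTargets": [ -1 ], "bSortable": false, "bSearchable": false },
            { "sType": "title-string", "aTargets" : [ "title-string" ] }
        ],
        'sDom': 't'
    } ) );

    // Contact add/delete. Delete is delegated on body so contacts cloned later are
    // covered as well.
    $('body').on('click', '.delete-contact', null, delete_contact);
    $('#add-contact').click(add_contact);

    // The visible role checkboxes carry no name; the hidden input right after each
    // one (.next()) is what gets submitted, so every click is mirrored into it.

    // Exclusive roles: checking one contact's box unchecks every other contact's
    // box for that role and zeroes their hidden values. The hidden value always
    // mirrors the real state of the clicked box — the previous acqprimary handler
    // wrote '1' unconditionally, so unchecking it still submitted
    // contact_acqprimary=1 (serialsprimary already mirrored correctly).
    function bind_exclusive_flag(checkbox_class, hidden_class) {
        $('body').on('click', checkbox_class, null, function () {
            if ($(this).is(':checked')) {
                $(checkbox_class).filter(':checked').not(this).prop('checked', false);
                $(hidden_class).each(function () {
                    $(this).val('0');
                });
            }
            $(this).next(hidden_class).val($(this).is(':checked') ? '1' : '0');
        });
    }

    // Non-exclusive roles only mirror their own state.
    function bind_flag(checkbox_class, hidden_class) {
        $('body').on('click', checkbox_class, null, function () {
            $(this).next(hidden_class).val($(this).is(':checked') ? '1' : '0');
        });
    }

    bind_exclusive_flag('.contact_acqprimary', '.contact_acqprimary_hidden');
    bind_exclusive_flag('.contact_serialsprimary', '.contact_serialsprimary_hidden');
    bind_flag('.contact_orderacquisition', '.contact_orderacquisition_hidden');
    bind_flag('.contact_claimacquisition', '.contact_claimacquisition_hidden');
    bind_flag('.contact_claimissues', '.contact_claimissues_hidden');
});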
</script>
[% END %]
[%# Page footer. footerjs was set at the top of this file so that, presumably, this
    include emits the jsinclude MACRO defined above once the DOM is in place —
    confirm in intranet-bottom.inc. %]
[% INCLUDE 'intranet-bottom.inc' %]