dcd1f5d48c
Here we go, next step then. As we did not fix the performance issue when autofiltering the variables (see bug 20975), the only solution we have is to add the filters explicitely. This patch has been autogenerated (using add_html_filters.pl, see next pathces) and add the html filter to all the variables displayed in the template. Exceptions are made (using the new 'raw' TT filter) to the variable we already listed in the previous versions of this patch. To test: - Use t/db_dependent/Koha/Patrons.t to populate your DB with autogenerated data which contain <script> tags - Remove them from borrower_debarments.comments (there are allowed here) update borrower_debarments set comment="html tags possible here"; - From the interface hit page and try to catch alert box. If you find one it means you find a possible XSS. To know where it comes from: * note the exact URL where you found it * note the alert box content * Dump your DB and search for the string in the dump to identify its location (for instance table.field) Next: * Ideally we would like to use the raw filter when it is not necessary to HTML escape the variables (in big loop for instance) * Provide a QA script to catch missing filters (we want html, uri, url or raw, certainly others that I am forgetting now) * Replace the html filters with uri when needed (!) Signed-off-by: Owen Leonard <oleonard@myacpl.org> Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com> Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
290 lines
16 KiB
Text
290 lines
16 KiB
Text
[% USE raw %]
|
|
[% USE Asset %]
|
|
[% SET footerjs = 1 %]
|
|
[% INCLUDE 'doc-head-open.inc' %]
|
|
<title>Koha › Administration › Libraries
|
|
[% IF op == 'add_form' %]
|
|
›[% IF library %]Modify library[% ELSE %]New library [% library.branchcode | html %][% END %]
|
|
[% ELSIF op == 'delete_confirm' %]
|
|
› Confirm deletion of library '[% library.branchcode | html %]'
|
|
[% END %]
|
|
</title>
|
|
[% INCLUDE 'doc-head-close.inc' %]
|
|
[% Asset.css("css/datatables.css") | $raw %]
|
|
</head>
|
|
|
|
<body id="admin_branches" class="admin">
|
|
[% INCLUDE 'header.inc' %]
|
|
[% INCLUDE 'prefs-admin-search.inc' %]
|
|
|
|
<div id="breadcrumbs">
|
|
<a href="/cgi-bin/koha/mainpage.pl">Home</a>
|
|
› <a href="/cgi-bin/koha/admin/admin-home.pl">Administration</a>
|
|
› <a href="/cgi-bin/koha/admin/branches.pl">Libraries</a>
|
|
[% IF op == 'add_form' %]
|
|
› [% IF library %]Modify library[% ELSE %]New library [% library.branchcode | html %][% END %]
|
|
[% ELSIF op == 'delete_confirm' %]
|
|
› Confirm deletion of library '[% library.branchcode | html %]'
|
|
[% END %]
|
|
</div>
|
|
|
|
<div id="doc3" class="yui-t2">
|
|
|
|
<div id="bd">
|
|
<div id="yui-main">
|
|
<div class="yui-b">
|
|
|
|
[% FOREACH m IN messages %]
|
|
<div class="dialog [% m.type | html %]">
|
|
[% SWITCH m.code %]
|
|
[% CASE 'error_on_update' %]
|
|
An error occurred when updating this library. Perhaps it already exists.
|
|
[% CASE 'error_on_insert' %]
|
|
An error occurred when adding this library. The branchcode might already exist.
|
|
[% CASE 'error_on_delete' %]
|
|
An error occurred when deleting this library. Check the logs.
|
|
[% CASE 'success_on_update' %]
|
|
Library updated successfully.
|
|
[% CASE 'success_on_insert' %]
|
|
Library added successfully.
|
|
[% CASE 'success_on_delete' %]
|
|
Library deleted successfully.
|
|
[% CASE 'cannot_delete_library' %]
|
|
This library cannot be deleted. Patrons or items are still using it
|
|
[% IF m.data.patrons_count and m.data.items_count %]
|
|
([% m.data.patrons_count | html %] patrons and [% m.data.items_count | html %] items).
|
|
[% ELSIF m.data.patrons_count %]
|
|
([% m.data.patrons_count | html %] patrons).
|
|
[% ELSIF m.data.items_count %]
|
|
([% m.data.items_count | html %] items).
|
|
[% END %]
|
|
[% CASE 'error_on_update_category' %]
|
|
An error occurred when updating this library category. Perhaps it already exists.
|
|
[% CASE 'error_on_insert_category' %]
|
|
An error occurred when adding this library category. The categorycode might already exist.
|
|
[% CASE 'error_on_delete_category' %]
|
|
An error occurred when deleting this library category. Check the logs.
|
|
[% CASE 'success_on_update_category' %]
|
|
Library category updated successfully.
|
|
[% CASE 'success_on_insert_category' %]
|
|
Library category added successfully.
|
|
[% CASE 'success_on_delete_category' %]
|
|
Library category deleted successfully.
|
|
[% CASE 'cannot_delete_category' %]
|
|
This library category cannot be deleted. [% m.data.libraries_count | html %] libraries are still using it.
|
|
[% CASE %]
|
|
[% m.code | html %]
|
|
[% END %]
|
|
</div>
|
|
[% END %]
|
|
|
|
[% IF op == 'list' %]
|
|
<div id="toolbar" class="btn-toolbar">
|
|
<a class="btn btn-default btn-sm" id="newbranch" href="/cgi-bin/koha/admin/branches.pl?op=add_form"><i class="fa fa-plus"></i> New library</a>
|
|
</div>
|
|
[% END %]
|
|
|
|
[% IF op == 'add_form' %]
|
|
<h3>[% IF library %]Modify library[% ELSE %]New library[% END %]</h3>
|
|
<form action="/cgi-bin/koha/admin/branches.pl" id="Aform" name="Aform" class="validated" method="post">
|
|
<fieldset class="rows">
|
|
<input type="hidden" name="op" value="add_validate" />
|
|
[% IF library %]
|
|
<input type="hidden" name="is_a_modif" value="1" />
|
|
[% END %]
|
|
<ol>
|
|
<li>
|
|
[% IF library %]
|
|
<span class="label">Library code: </span>
|
|
<input type="hidden" name="branchcode" value="[% library.branchcode | html %]" />
|
|
[% library.branchcode | html %]
|
|
[% ELSE %]
|
|
<label for="branchcode" class="required">Library code: </label>
|
|
<input type="text" name="branchcode" id="branchcode" size="10" maxlength="10" value="[% library.branchcode | html %]" class="required" required="required" />
|
|
<span class="required">Required</span>
|
|
[% END %]
|
|
</li>
|
|
<li>
|
|
<label for="branchname" class="required">Name: </label>
|
|
<input type="text" name="branchname" id="branchname" size="80" value="[% library.branchname | html %]" class="required" required="required" />
|
|
<span class="required">Required</span>
|
|
</li>
|
|
</ol>
|
|
</fieldset>
|
|
[% IF categories %]
|
|
<fieldset class="rows"><legend>Group(s):</legend>
|
|
<ol>
|
|
[% FOREACH category IN categories %]
|
|
<li>
|
|
<label for="[% category.categorycode | html %]">[% category.categoryname | html %]: </label>
|
|
[% IF category and selected_categorycodes.grep(category.categorycode).size %]
|
|
<input type="checkbox" id="[% category.categorycode | html %]" name="selected_categorycode_[% category.categorycode | html %]" checked="checked" />
|
|
[% ELSE %]
|
|
<input type="checkbox" id="[% category.categorycode | html %]" name="selected_categorycode_[% category.categorycode | html %]" />
|
|
[% END %]
|
|
<span class="hint">[% category.codedescription | html %]</span>
|
|
</li>
|
|
[% END %]
|
|
</ol>
|
|
</fieldset>
|
|
[% END %]
|
|
<fieldset class="rows">
|
|
<ol>
|
|
<li><label for="branchaddress1">Address line 1: </label><input type="text" name="branchaddress1" id="branchaddress1" size="60" value="[% library.branchaddress1 | html %]" /></li>
|
|
<li><label for="branchaddress2">Address line 2: </label><input type="text" name="branchaddress2" id="branchaddress2" size="60" value="[% library.branchaddress2 | html %]" /></li>
|
|
<li><label for="branchaddress3">Address line 3: </label><input type="text" name="branchaddress3" id="branchaddress3" size="60" value="[% library.branchaddress3 | html %]" /></li>
|
|
<li><label for="branchcity">City: </label><input type="text" name="branchcity" id="branchcity" size="60" value="[% library.branchcity | html %]" /></li>
|
|
<li><label for="branchstate">State: </label><input type="text" name="branchstate" id="branchstate" size="60" value="[% library.branchstate | html %]" /></li>
|
|
<li><label for="branchzip">ZIP/Postal code: </label><input type="text" name="branchzip" id="branchzip" size="25" maxlength="25" value="[% library.branchzip | html %]" /></li>
|
|
<li><label for="branchcountry">Country: </label><input type="text" name="branchcountry" id="branchcountry" size="60" value="[% library.branchcountry | html %]" /></li>
|
|
<li><label for="branchphone">Phone: </label><input type="text" name="branchphone" id="branchphone" size="60" value="[% library.branchphone | html %]" /></li>
|
|
<li><label for="branchfax">Fax: </label><input type="text" name="branchfax" id="branchfax" size="60" value="[% library.branchfax | html %]" /></li>
|
|
<li><label for="branchemail">Email: </label><input type="text" name="branchemail" id="branchemail" class="email" size="80" value="[% library.branchemail | html %]" /></li>
|
|
<li><label for="branchreplyto">Reply-To: </label> <input type="text" name="branchreplyto" id="branchreplyto" class="email" size="80" value="[% library.branchreplyto | html %]" /><br /><span class="hint">Default: ReplyToDefault system preference</span></li>
|
|
<li><label for="branchreturnpath">Return-Path: </label> <input type="text" name="branchreturnpath" id="branchreturnpath" class="email" size="80" value="[% library.branchreturnpath | html %]" /><br /><span class="hint">Default: ReturnpathDefault system preference</span></li>
|
|
<li><label for="branchurl">URL: </label><input type="text" name="branchurl" id="branchurl" size="80" value="[% library.branchurl | html %]" class="url" /></li>
|
|
<li><label for="opac_info">OPAC info: </label><textarea name="opac_info" id="opac_info">[% library.opac_info | $raw %]</textarea></li>
|
|
<li><label for="branchip">IP: </label><input type="text" name="branchip" id="branchip" size="15" maxlength="15" value="[% library.branchip | html %]" /> <span class="hint">Can be entered as a single IP, or a subnet such as 192.168.1.*</span></li>
|
|
<li><label for="marcorgccode">MARC organization code</label> <input type="text" name="marcorgcode" id="marcorgcode" size="16" value="[% library.marcorgcode | html %]" /> <span class="hint">If not filled in defaults to system preference MARCOrgCode. You can obtain your code from <a href="http://www.loc.gov/marc/organizations/orgshome.html" target="_blank">Library of Congress</a>.</span>
|
|
<li><label for="branchnotes">Notes: </label><input type="text" name="branchnotes" id="branchnotes" size="80" value="[% library.branchnotes | html %]" /></li>
|
|
</ol>
|
|
</fieldset>
|
|
<fieldset class="action">
|
|
<input type="submit" value="Submit" />
|
|
<a class="cancel" href="/cgi-bin/koha/admin/branches.pl">Cancel</a>
|
|
</fieldset>
|
|
</form>
|
|
[% END %]
|
|
|
|
[% IF op == 'delete_confirm' and not ( items_count or patrons_count )%]
|
|
<div class="dialog alert">
|
|
<form action="/cgi-bin/koha/admin/branches.pl" method="post">
|
|
<h3>Are you sure you want to delete [% library.branchname | html %] ([% library.branchcode | html %])?</h3>
|
|
<input type="hidden" name="op" value="delete_confirmed" />
|
|
<input type="hidden" name="branchcode" value="[% library.branchcode | html %]" />
|
|
<input type="hidden" name="branchname" value="[% library.branchname | html %]">
|
|
<button type="submit" class="approve"><i class="fa fa-fw fa-check"></i> Yes, delete</button>
|
|
</form>
|
|
<form action="/cgi-bin/koha/admin/branches.pl" method="get">
|
|
<button type="submit" class="deny"><i class="fa fa-fw fa-remove"></i> No, do not delete</button>
|
|
</form>
|
|
</div>
|
|
[% END %]
|
|
|
|
[% IF op == 'list' %]
|
|
<h3>Libraries</h3>
|
|
[% IF libraries.count %]
|
|
<table id="branchest">
|
|
<thead>
|
|
<tr>
|
|
<th>Name</th>
|
|
<th>Code</th>
|
|
<th>Address</th>
|
|
<th>MARC organization code</th>
|
|
<th>IP</th>
|
|
<th>Actions</th>
|
|
</tr>
|
|
</thead>
|
|
<tbody>
|
|
[% FOREACH library IN libraries %]
|
|
<tr>
|
|
<td>[% library.branchname | html %]</td>
|
|
<td>[% library.branchcode | html %]</td>
|
|
<td>
|
|
[% IF library.branchaddress1 %]
|
|
[% library.branchaddress1 | html %][% END %]
|
|
[% IF library.branchaddress2 %]
|
|
<br />[% library.branchaddress2 | html %][% END %]
|
|
[% IF library.branchaddress3 %]
|
|
<br />[% library.branchaddress3 | html %][% END %]
|
|
[% IF library.branchcity %]
|
|
<br />[% library.branchcity | html %][% END %][% IF ( library.branchstate ) %],
|
|
[% library.branchstate | html %][% END %]
|
|
[% IF library.branchzip %]
|
|
[% library.branchzip | html %][% END %]
|
|
[% IF library.branchcountry %]
|
|
<br />[% library.branchcountry | html %][% END %]
|
|
[% IF library.branchphone %]
|
|
<br />Ph: [% library.branchphone | html %][% END %]
|
|
[% IF library.branchfax %]
|
|
<br />Fax: [% library.branchfax | html %][% END %]
|
|
[% IF library.branchemail %]
|
|
<br /><a href="mailto:[% library.branchemail | html %]">[% library.branchemail | html %]</a>[% END %]
|
|
[% IF library.branchurl %]
|
|
<br /><a href="[% library.branchurl | html %]">[% library.branchurl | html %]</a>[% END %]
|
|
[% IF library.opac_info %]
|
|
<br />OPAC Info: <div>[% library.opac_info | $raw %]</div>[% END %]
|
|
[% IF library.branchnotes %]
|
|
<br />Notes: [% library.branchnotes | html %][% END %]
|
|
</td>
|
|
<td>[% library.marcorgcode | html %]</td>
|
|
<td>[% library.branchip | html %]</td>
|
|
<td class="actions">
|
|
<a class="btn btn-default btn-xs" href="/cgi-bin/koha/admin/branches.pl?op=add_form&branchcode=[% library.branchcode |uri %]"><i class="fa fa-pencil"></i> Edit</a>
|
|
<form action="/cgi-bin/koha/admin/branches.pl" method="post">
|
|
<input type="hidden" name="branchcode" value="[% library.branchcode | html %]" />
|
|
<input type="hidden" name="op" value="delete_confirm" />
|
|
<button type="submit" id="delete_library_[% library.branchcode | html %]" class="btn btn-default btn-xs"><i class="fa fa-trash"></i> Delete</button>
|
|
</form>
|
|
</td>
|
|
</tr>
|
|
[% END %]
|
|
</tbody>
|
|
</table>
|
|
[% ELSE %]
|
|
<div class="dialog message">There are no libraries defined. <a href="/cgi-bin/koha/admin/branches.pl?op=add_form">Start defining libraries</a>.</div>
|
|
[% END %]
|
|
[% END %]
|
|
|
|
</div>
|
|
</div>
|
|
<div class="yui-b">
|
|
[% INCLUDE 'admin-menu.inc' %]
|
|
</div>
|
|
</div>
|
|
|
|
[% MACRO jsinclude BLOCK %]
|
|
[% Asset.js("js/admin-menu.js") | $raw %]
|
|
[% INCLUDE 'datatables.inc' %]
|
|
[% Asset.js("lib/tiny_mce/tiny_mce.js") | $raw %]
|
|
<script type="text/javascript">
|
|
$(document).ready(function() {
|
|
$("#branchest").dataTable($.extend(true, {}, dataTablesDefaults, {
|
|
"aoColumnDefs": [
|
|
{ "aTargets": [ -1 ], "bSortable": false, "bSearchable": false },
|
|
],
|
|
"iDisplayLength": 10,
|
|
"sPaginationType": "four_button"
|
|
}));
|
|
|
|
[% UNLESS library %]
|
|
$("#Aform").on("submit", function( event ) {
|
|
if ( $("#branchcode").val().match(/\s/) ) {
|
|
event.preventDefault();
|
|
alert(_("The library code entered contains whitespace characters. Please remove any whitespace characters from the library code"));
|
|
return false;
|
|
} else {
|
|
return true;
|
|
}
|
|
});
|
|
[% END %]
|
|
});
|
|
tinyMCE.baseURL = "[% interface | html %]/lib/tiny_mce";
|
|
tinyMCE.init({
|
|
mode : "textareas",
|
|
theme : "advanced",
|
|
content_css : "[% interface | html %]/[% theme | html %]/css/tinymce.css",
|
|
plugins : "table,save,advhr,advlink,contextmenu",
|
|
theme_advanced_buttons1 : "save,|,bold,italic,|,cut,copy,paste,|,justifyleft,justifycenter,justifyright,justifyfull,|,formatselect,|,link,unlink,anchor,cleanup,help,code,advhr,",
|
|
theme_advanced_buttons2 : "tablecontrols,|,bullist,numlist,|,outdent,indent,|,undo,redo,|,removeformat,|,visualaid,|,sub,sup,|,charmap",
|
|
// theme_advanced_buttons3 : "",
|
|
theme_advanced_toolbar_location : "top",
|
|
theme_advanced_toolbar_align : "left",
|
|
theme_advanced_path_location : "bottom",
|
|
theme_advanced_resizing : true,
|
|
apply_source_formatting : true
|
|
});
|
|
</script>
|
|
[% END %]
|
|
|
|
[% INCLUDE 'intranet-bottom.inc' %]
|