Koha/koha-tmpl/intranet-tmpl/prog/en/modules/admin/currency.tt
Jonathan Druart dcd1f5d48c Bug 13618: Add html filters to all the variables
Here we go, next step then.
As we did not fix the performance issue when autofiltering
the variables (see bug 20975), the only solution we have is to add the
filters explicitly.

This patch has been autogenerated (using add_html_filters.pl, see next
patches) and adds the html filter to all the variables displayed in the
template.
Exceptions are made (using the new 'raw' TT filter) for the variables we
already listed in the previous versions of this patch.

To test:
- Use t/db_dependent/Koha/Patrons.t to populate your DB with autogenerated
data which contain <script> tags

- Remove them from borrower_debarments.comments (they are allowed here)
update  borrower_debarments set comment="html tags possible here";

- From the interface hit pages and try to catch an alert box.
If you find one it means you found a possible XSS.
To know where it comes from:
* note the exact URL where you found it
* note the alert box content
* Dump your DB and search for the string in the dump to identify its
location (for instance table.field)

Next:
* Ideally we would like to use the raw filter when it is not necessary
to HTML escape the variables (in big loop for instance)
* Provide a QA script to catch missing filters (we want html, uri, url
or raw, certainly others that I am forgetting now)
* Replace the html filters with uri when needed (!)

Signed-off-by: Owen Leonard <oleonard@myacpl.org>

Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>

Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
2018-08-17 15:55:05 +00:00

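The commit message lists a QA script that catches missing filters as a next step. The following is an added example of such a check, not Koha's own tooling: it walks every `[% ... %]` directive of a Template Toolkit file, skips flow-control directives, and reports output directives whose filter chain lacks html/uri/url/raw, or applies it after another filter (where it would escape markup that filter added). The `$HtmlTags` plugin name in the constructed sample is taken from the template on this page; the sample itself is constructed.

```python
import re

# Filters the commit message names as acceptable: html, uri, url, raw
# ($raw is the plugin form used in Koha templates).
SAFE_FILTERS = {"html", "uri", "url", "raw", "$raw"}
# Directives that emit nothing themselves and so need no output filter.
CONTROL_KEYWORDS = {"IF", "ELSIF", "ELSE", "UNLESS", "END", "FOREACH", "FOR",
                    "WHILE", "USE", "SET", "DEFAULT", "INCLUDE", "PROCESS",
                    "SWITCH", "CASE", "MACRO", "BLOCK", "LAST", "NEXT"}
DIRECTIVE_RE = re.compile(r"\[%-?\s*(.*?)\s*-?%\]", re.S)

def classify(body):
    """'control' for flow/plugin directives; 'ok' when the first filter stage is
    safe; 'order' when a safe filter exists but follows another filter (it would
    then escape markup that filter added); 'missing' when no stage is safe."""
    tokens = body.split()
    if not tokens or tokens[0].upper() in CONTROL_KEYWORDS or tokens[0][0] == "#":
        return "control"
    # Pipe-separated stages: the expression first, then the filters in order.
    stages = [s.split()[0] for s in body.split("|")[1:] if s.split()]
    if not stages:
        return "missing"
    if stages[0] in SAFE_FILTERS:
        return "ok"
    return "order" if any(s in SAFE_FILTERS for s in stages) else "missing"

def find_unfiltered(template_text):
    """Return (line, directive body, reason) for each output directive that is
    not 'ok'. A '|' inside a quoted string or a '||' operator would confuse the
    split, so report hits as candidates for review rather than verdicts."""
    findings = []
    for m in DIRECTIVE_RE.finditer(template_text):
        body = m.group(1).strip()
        reason = classify(body)
        if reason not in ("control", "ok"):
            line = template_text.count("\n", 0, m.start()) + 1
            findings.append((line, body, reason))
    return findings

# Constructed sample (not the page's template): filtered, unfiltered and
# wrongly ordered directives side by side.
SAMPLE = """[% USE raw %]
[% IF op == 'list' %]
<td>[% currency.currency | html %]</td>
<td>[% currency.rate %]</td>
<h3>Delete [% currency.currency | $HtmlTags tag='span' | html %]</h3>
[% Asset.js("js/admin-menu.js") | $raw %]
[% END %]
"""
```

Date or price plugins such as `$KohaDates` are reported as `missing` by this first pass; a production check would whitelist the plugin filters that are known to produce safe output.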

[% USE raw %]
[% USE Asset %]
[% USE KohaDates %]
[% USE ColumnsSettings %]
[% USE HtmlTags %]
[% SET footerjs = 1 %]
[% INCLUDE 'doc-head-open.inc' %]
<title>Koha &rsaquo; Administration &rsaquo; Currencies &amp; Exchange rates &rsaquo;
[% IF op == 'add_form' %][% IF currency %]Modify currency '[% currency.currency | html %]'[% ELSE %]New currency[% END %][% END %]
[% IF op == 'delete_confirm' %]Confirm deletion of currency '[% currency.currency | html %]'[% END %]
[% IF op == 'list' %]Currencies[% END %]</title>
[% INCLUDE 'doc-head-close.inc' %]
[% Asset.css("css/datatables.css") | $raw %]
</head>
<body id="admin_currency" class="admin">
[% INCLUDE 'header.inc' %]
[% INCLUDE 'currencies-admin-search.inc' %]
<div id="breadcrumbs"><a href="/cgi-bin/koha/mainpage.pl">Home</a> &rsaquo; <a href="/cgi-bin/koha/admin/admin-home.pl">Administration</a> &rsaquo; <a href="/cgi-bin/koha/admin/currency.pl">Currencies &amp; Exchange rates</a> &rsaquo; [% IF op == 'add_form' %][% IF currency %]Modify currency '[% currency.currency | html %]'[% ELSE %]New currency[% END %][% END %]
[% IF op == 'delete_confirm' %]Confirm deletion of currency [% currency.currency | html | $HtmlTags tag='span' attributes=>'class="ex"' %]
[% ELSIF op == 'list' %]Currencies
[% END %]
</div>
<div id="doc3" class="yui-t2">
<div id="bd">
<div id="yui-main">
<div class="yui-b">
[% IF op == 'list' %]
<div id="toolbar" class="btn-toolbar">
<a class="btn btn-default btn-sm" id="newcurrency" href="/cgi-bin/koha/admin/currency.pl?op=add_form"><i class="fa fa-plus"></i> New currency</a>
</div>
[% END %]
[% FOR m IN messages %]
<div class="dialog [% m.type | html %]">
[% SWITCH m.code %]
[% CASE 'error_on_update' %]
An error occurred when updating this currency. Perhaps it already exists.
[% CASE 'error_on_insert' %]
An error occurred when adding this currency. The currency code might already exist.
[% CASE 'error_on_delete' %]
An error occurred when deleting this currency. Check the logs.
[% CASE 'success_on_update' %]
Currency updated successfully.
[% CASE 'success_on_insert' %]
Currency added successfully.
[% CASE 'success_on_delete' %]
Currency deleted successfully.
[% CASE %]
[% m.code | html %]
[% END %]
</div>
[% END %]
[% IF op == 'add_form' %]
<form action="/cgi-bin/koha/admin/currency.pl" name="Aform" method="post" class="validated">
<input type="hidden" name="op" value="add_validate" />
<fieldset class="rows">
<legend>
[% IF currency %]
Modify currency
[% ELSE %]
New currency
[% END %]
</legend>
<ol>
<li>
[% IF currency %]
<span class="label">Currency: </span>
<input type="hidden" name="is_a_modif" value="1" />
<input type="hidden" name="currency_code" id="currency" value="[% currency.currency | html %]" />[% currency.currency | html %]
[% ELSE %]
<label for="currency_code" class="required">Currency: </label>
<input type="text" name="currency_code" id="currency_code" size="50" maxlength="50" required="required" class="required" /> <span class="required">Required</span>
[% END %]
</li>
<li>
<label for="rate" class="required">Rate: </label>
<input type="text" name="rate" id="rate" size="10" maxlength="10" value="[% currency.rate | html %]" required="required" class="required" /> <span class="required">Required</span>
</li>
<li>
<label for="symbol" class="required">Symbol: </label>
<input type="text" name="symbol" id="symbol" size="5" maxlength="5" value="[% currency.symbol | html %]" required="required" class="required" /> <span class="required">Required</span>
</li>
<li>
<label for="isocode">ISO code: </label>
<input type="text" name="isocode" id="isocode" size="5" maxlength="5" value="[% currency.isocode | html %]" />
</li>
<li>
<span class="label">Last updated: </span>[% currency.timestamp | $KohaDates %]
</li>
<li>
<label for="p_sep_by_space">Space separation between symbol and value: </label>
[% IF currency.p_sep_by_space %]
<input type="checkbox" id="p_sep_by_space" name="p_sep_by_space" value="1" checked="checked" />
[% ELSE %]
<input type="checkbox" id="p_sep_by_space" name="p_sep_by_space" value="1" />
[% END %]
</li>
<li>
<label for="active">Active: </label>
[% IF currency.active %]
<input type="checkbox" id="active" name="active" value="1" checked="checked" />
[% ELSE %]
<input type="checkbox" id="active" name="active" value="1" />
[% END %]
<span id="hint" class="hint"></span>
</li>
</ol>
</fieldset>
<fieldset class="action">
<input type="submit" value="Submit" />
<a href="/cgi-bin/koha/admin/currency.pl" class="cancel">Cancel</a>
</fieldset>
</form>
[% END %]
[% IF op =='delete_confirm' %]
[% IF nb_of_orders or nb_of_vendors %]
<div class="dialog alert">
<h3>Cannot delete currency [% currency.currency | html | $HtmlTags tag='span' attributes=>'class="ex"' %]</h3>
<p>
[% IF nb_of_orders %]
This currency is used by [% nb_of_orders | html %] orders.
[% ELSIF nb_of_vendors %]
This currency is used by [% nb_of_vendors | html %] vendors.
[% END %]
Deletion not possible
</p>
<form action="/cgi-bin/koha/admin/currency.pl" method="post">
<button type="submit" class="approve"><i class="fa fa-fw fa-check"></i> OK</button>
</form>
</div>
[% ELSE %]
<div class="dialog alert">
<h3>Confirm deletion of currency [% currency.currency | html | $HtmlTags tag='span' attributes=>'class="ex"' %]</h3>
<table>
<tr><th>Currency</th>
<td>[% currency.currency | html %]</td>
</tr>
<tr><th>Rate</th>
<td>[% currency.rate | html %]</td>
</tr>
</table>
<form action="/cgi-bin/koha/admin/currency.pl" method="post">
<input type="hidden" name="op" value="delete_confirmed" />
<input type="hidden" name="currency_code" value="[% currency.currency | html %]" />
<button type="submit" class="approve"><i class="fa fa-fw fa-check"></i> Yes, delete this currency</button>
</form>
<form action="/cgi-bin/koha/admin/currency.pl" method="post">
<button type="submit" class="deny"><i class="fa fa-fw fa-remove"></i> No, do not delete</button>
</form>
</div>
[% END %]
[% END %]
[% IF op == 'list' %]
<h2>Currencies and exchange rates</h2>
[% IF currencies and no_active_currency %]
<div class="dialog alert"><h3>No active currency is defined</h3><p>Please edit one currency and mark it as active.</p></div>
[% END %]
[% IF searchfield %]
You searched for [% searchfield | html %]
[% END %]
<table id='currencies-table'>
<thead>
<tr>
<th>Currency</th>
<th>Rate</th>
<th>Symbol</th>
<th>ISO code</th>
<th class="title-string">Last updated</th>
<th>Active</th>
<th>Archived</th>
<th>Actions</th>
</tr>
</thead>
<tbody>
[% FOREACH currency IN currencies %]
<tr>
<td>[% currency.currency | html %]</td>
<td>[% currency.rate | html %]</td>
<td>[% currency.symbol | html %]</td>
<td>[% currency.isocode | html %]</td>
<td><span title="[% currency.timestamp | html %]">[% currency.timestamp | $KohaDates %]</span></td>
<td style="color:green;">[% IF currency.active %]✓[% END %]</td>
<td>[% IF currency.archived %]Yes[% END %]</td>
<td class="actions">
<a class="btn btn-default btn-xs" href="/cgi-bin/koha/admin/currency.pl?op=add_form&amp;currency_code=[% currency.currency | html %]"><i class="fa fa-pencil"></i> Edit</a>
<a class="btn btn-default btn-xs" href="/cgi-bin/koha/admin/currency.pl?op=delete_confirm&amp;currency_code=[% currency.currency | html %]"><i class="fa fa-trash"></i> Delete</a>
</td>
</tr>
[% END %]
</tbody>
</table>
<br />
<div class="hint">
<p>
When importing MARC files via the staging tools, the tool will attempt to find and use the price of the currently active currency.
</p>
<p>
Some examples of compatible price fields include "$9.99", "9.99 USD", "$9.99 USD", "9.99 USD (10.00 CAN)", "$9.99 USD (paperback)".
These examples assume USD is the active currency.
</p>
</div>
[% END %]
</div>
</div>
<div class="yui-b">
[% INCLUDE 'admin-menu.inc' %]
</div>
</div>
[% MACRO jsinclude BLOCK %]
[% Asset.js("js/admin-menu.js") | $raw %]
[% INCLUDE 'datatables.inc' %]
[% INCLUDE 'columns_settings.inc' %]
<script type="text/javascript">
function check_currency(val) {
if ( val == 1.0 ) {
$("#active").prop('disabled', false);
$("#hint").html("");
} else {
$("#active").prop('checked', false);
$("#active").prop('disabled', true);
$("#hint").html(_("The active currency must have a rate of 1.0"));
}
}
$(document).ready(function() {
columns_settings = [% ColumnsSettings.GetColumns( 'admin', 'currency', 'currencies-table', 'json' ).raw %]
var issuest = KohaTable("currencies-table", {
dom: 'B<"clearfix">t',
"columnDefs": [
{ "aTargets": [ -1 ], "bSortable": false, "bSearchable": false },
{ "sType": "title-string", "aTargets" : [ "title-string" ] }
],
}, columns_settings );
// prevent users from checking "Active" unless the rate is exactly 1.0
$("#rate").keyup(function() {
check_currency( $(this).val() );
});
check_currency( $("#rate").val() );
$("#currency_code").on("blur",function(){
toUC(this);
});
});
</script>
[% END %]
[% INCLUDE 'intranet-bottom.inc' %]