dcd1f5d48c
Here we go, next step then. As we did not fix the performance issue when autofiltering the variables (see bug 20975), the only solution we have is to add the filters explicitely. This patch has been autogenerated (using add_html_filters.pl, see next pathces) and add the html filter to all the variables displayed in the template. Exceptions are made (using the new 'raw' TT filter) to the variable we already listed in the previous versions of this patch. To test: - Use t/db_dependent/Koha/Patrons.t to populate your DB with autogenerated data which contain <script> tags - Remove them from borrower_debarments.comments (there are allowed here) update borrower_debarments set comment="html tags possible here"; - From the interface hit page and try to catch alert box. If you find one it means you find a possible XSS. To know where it comes from: * note the exact URL where you found it * note the alert box content * Dump your DB and search for the string in the dump to identify its location (for instance table.field) Next: * Ideally we would like to use the raw filter when it is not necessary to HTML escape the variables (in big loop for instance) * Provide a QA script to catch missing filters (we want html, uri, url or raw, certainly others that I am forgetting now) * Replace the html filters with uri when needed (!) Signed-off-by: Owen Leonard <oleonard@myacpl.org> Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com> Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
121 lines
4.6 KiB
Text
121 lines
4.6 KiB
Text
[% USE raw %]
|
|
[% USE Asset %]
|
|
[% SET footerjs = 1 %]
|
|
[% USE AuthorisedValues %]
|
|
[% INCLUDE 'doc-head-open.inc' %]
|
|
<title>Koha › Administration › Item search fields</title>
|
|
[% INCLUDE 'doc-head-close.inc' %]
|
|
</head>
|
|
|
|
<body id="admin_itemssearchfields" class="admin">
|
|
[% INCLUDE 'header.inc' %]
|
|
[% INCLUDE 'prefs-admin-search.inc' %]
|
|
<div id="breadcrumbs">
|
|
<a href="/cgi-bin/koha/mainpage.pl">Home</a> ›
|
|
<a href="/cgi-bin/koha/admin/admin-home.pl">Administration</a> ›
|
|
Item search fields
|
|
</div>
|
|
|
|
<div id="doc3" class="yui-t2">
|
|
<div id="bd">
|
|
<div id="yui-main">
|
|
<div class="yui-b">
|
|
|
|
<div id="toolbar" class="btn-toolbar">
|
|
<a class="btn btn-default btn-sm" id="new_search_field" href="/cgi-bin/koha/admin/items_search_fields.pl"><i class="fa fa-plus"></i> New search field</a>
|
|
</div>
|
|
|
|
[% IF field_added %]
|
|
<div class="dialog message">
|
|
Field successfully added: [% field_added.label | html %]
|
|
</div>
|
|
[% ELSIF field_not_added %]
|
|
<div class="dialog alert">
|
|
<p>Failed to add field. Please make sure the field name doesn't already exist.</p>
|
|
<p>Check logs for more details.</p>
|
|
</div>
|
|
[% ELSIF field_deleted %]
|
|
<div class="dialog message">
|
|
Field successfully deleted.
|
|
</div>
|
|
[% ELSIF field_not_deleted %]
|
|
<div class="dialog alert">
|
|
<p>Failed to delete field.</p>
|
|
<p>Check logs for more details.</p>
|
|
</div>
|
|
[% ELSIF field_updated %]
|
|
<div class="dialog message">
|
|
Field successfully updated: [% field_updated.label | html %]
|
|
</div>
|
|
[% ELSIF field_not_updated %]
|
|
<div class="dialog alert">
|
|
<p>Failed to update field.</p>
|
|
<p>Check logs for more details.</p>
|
|
</div>
|
|
[% END %]
|
|
[% IF fields.size %]
|
|
<div id="search_fields_list">
|
|
<h2>Item search fields</h2>
|
|
|
|
<table id="search_fields_table">
|
|
<thead>
|
|
<tr>
|
|
<th>Name</th>
|
|
<th>Label</th>
|
|
<th>MARC field</th>
|
|
<th>MARC subfield</th>
|
|
<th>Authorised values category</th>
|
|
<th>Actions</th>
|
|
</tr>
|
|
</thead>
|
|
<tbody>
|
|
[% FOREACH field IN fields %]
|
|
<tr>
|
|
<td>[% field.name | html %]</td>
|
|
<td>[% field.label | html %]</td>
|
|
<td>[% field.tagfield | html %]</td>
|
|
<td>[% field.tagsubfield | html %]</td>
|
|
<td>[% field.authorised_values_category | html %]</td>
|
|
<td>
|
|
<a class="btn btn-default btn-xs" href="/cgi-bin/koha/admin/items_search_field.pl?name=[% field.name | html %]" title="Edit [% field.name | html %] field"><i class="fa fa-pencil"></i> Edit</a>
|
|
<a class="field-delete btn btn-default btn-xs" href="/cgi-bin/koha/admin/items_search_fields.pl?op=del&name=[% field.name | html %]"><i class="fa fa-trash"></i> Delete</a>
|
|
</td>
|
|
</tr>
|
|
[% END %]
|
|
</tbody>
|
|
</table>
|
|
</div>
|
|
[% ELSE %]
|
|
<div class="dialog message">
|
|
There are no item search fields defined.
|
|
</div>
|
|
[% END %]
|
|
|
|
<form id="add_field_form" action="/cgi-bin/koha/admin/items_search_fields.pl" method="POST" class="validated">
|
|
<fieldset class="rows">
|
|
<legend>Add a new field</legend>
|
|
[% INCLUDE 'admin-items-search-field-form.inc' field=undef %]
|
|
<input type="hidden" name="op" value="add" />
|
|
</fieldset>
|
|
<fieldset class="action">
|
|
<input type="submit" value="Submit" />
|
|
<a href="#" class="cancel">Cancel</a>
|
|
</fieldset>
|
|
</form>
|
|
|
|
</div>
|
|
</div>
|
|
<div class="yui-b">
|
|
[% INCLUDE 'admin-menu.inc' %]
|
|
</div>
|
|
</div>
|
|
|
|
[% MACRO jsinclude BLOCK %]
|
|
[% Asset.js("js/admin-menu.js") | $raw %]
|
|
<script type="text/javascript">
|
|
var MSG_ITEM_SEARCH_DELETE_CONFIRM = _("Are you sure you want to delete this field?");
|
|
</script>
|
|
[% Asset.js("js/item_search_fields.js") | $raw %]
|
|
[% END %]
|
|
|
|
[% INCLUDE 'intranet-bottom.inc' %]
|