Koha/koha-tmpl/intranet-tmpl/prog/en/modules/admin/marc_subfields_structure.tt
Jonathan Druart dcd1f5d48c Bug 13618: Add html filters to all the variables
Here we go, next step then.
As we did not fix the performance issue when autofiltering
the variables (see bug 20975), the only solution we have is to add the
filters explicitly.

This patch has been autogenerated (using add_html_filters.pl, see next
patches) and adds the html filter to all the variables displayed in the
template.
Exceptions are made (using the new 'raw' TT filter) for the variables we
already listed in the previous versions of this patch.

To test:
- Use t/db_dependent/Koha/Patrons.t to populate your DB with autogenerated
data which contain <script> tags

- Remove them from borrower_debarments.comments (they are allowed here)
update  borrower_debarments set comment="html tags possible here";

- From the interface, hit pages and try to catch an alert box.
If you find one it means you have found a possible XSS.
To know where it comes from:
* note the exact URL where you found it
* note the alert box content
* Dump your DB and search for the string in the dump to identify its
location (for instance table.field)

Next:
* Ideally we would like to use the raw filter when it is not necessary
to HTML escape the variables (in big loop for instance)
* Provide a QA script to catch missing filters (we want html, uri, url
or raw, certainly others that I am forgetting now)
* Replace the html filters with uri when needed (!)

Signed-off-by: Owen Leonard <oleonard@myacpl.org>

Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>

Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
2018-08-17 15:55:05 +00:00
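The "Next" list above asks for a QA script that catches template variables emitted without an escaping filter, and notes that html filters inside URLs should become uri filters. The following is an added example of such a checker, written for this page and not part of Koha or of this patch series. It scans Template Toolkit source for `[% ... %]` directives, skips control directives (IF, FOREACH, INCLUDE and so on), and reports two things: output directives whose final pipe filter is not one of html, uri, url, html_entity or raw, and directives inside the query string of an href/src/action attribute that use `| html` where a uri filter belongs (the `frameworkcode=[% frameworkcode | html %]` pattern visible in this very file). The directive and attribute parsing is a regex heuristic, and `SAMPLE_TEMPLATE` is a constructed snippet in the style of this template, not text copied from the repository.

```python
import re
import sys

# Template Toolkit directive: [% ... %], with optional chomp markers [%- ... -%].
DIRECTIVE_RE = re.compile(r"\[%-?\s*(.*?)\s*-?%\]", re.S)

# Directives that emit no output themselves and therefore need no filter.
CONTROL_KEYWORDS = {
    "IF", "ELSE", "ELSIF", "END", "FOREACH", "WHILE", "UNLESS", "INCLUDE",
    "PROCESS", "USE", "SET", "MACRO", "BLOCK", "DEFAULT", "SWITCH", "CASE",
    "TRY", "CATCH", "FINAL", "RETURN", "STOP", "NEXT", "LAST", "WRAPPER",
}

# Final filters the QA rule accepts: escaping filters plus the explicit raw opt-out.
ACCEPTED_FILTERS = {"html", "uri", "url", "html_entity", "raw", "$raw"}

# Attributes whose value is a URL; only the part after '?' is a query string.
URL_ATTR_RE = re.compile(r'\b(?:href|src|action)\s*=\s*"([^"]*)"', re.S)

# Constructed sample in the style of the Koha template shown on this page.
SAMPLE_TEMPLATE = """[% USE raw %]
[% INCLUDE 'doc-head-open.inc' %]
<a href="/cgi-bin/koha/admin/marc_subfields_structure.pl?tagfield=[% tagfield | uri %]&amp;frameworkcode=[% frameworkcode | html %]">Tag [% tagfield | html %]</a>
[% FOREACH loo IN loop %]
<li>[% loo.subfieldcode | html %] - [% loo.liblibrarian | html_entity %]</li>
<li>[% loo.comment %]</li>
[% END %]
[% Asset.js("js/admin-menu.js") | $raw %]
"""


def _line_of(text, offset):
    """1-based line number of a character offset in text."""
    return text.count("\n", 0, offset) + 1


def _last_filter(body):
    """Name of the final pipe filter in a directive body, or None if there is none."""
    if "|" not in body:
        return None
    tail = body.rsplit("|", 1)[1].strip()
    return tail.split()[0] if tail else None


def find_unfiltered(template_text):
    """Output directives whose last filter is not an accepted escaping filter.

    Returns a list of (line_number, directive_body) tuples.
    """
    findings = []
    for m in DIRECTIVE_RE.finditer(template_text):
        body = m.group(1)
        if not body or body.startswith("#"):
            continue  # empty directive or a TT comment
        if body.split()[0] in CONTROL_KEYWORDS:
            continue
        if _last_filter(body) not in ACCEPTED_FILTERS:
            findings.append((_line_of(template_text, m.start()), body))
    return findings


def find_html_in_query(template_text):
    """Directives in a URL attribute's query string that use the html filter.

    A value placed in a query string needs uri escaping; html escaping leaves
    '&', '=' and '#' intact, so the value can alter the query structure.
    Returns a list of (line_number, directive_body) tuples.
    """
    findings = []
    for attr in URL_ATTR_RE.finditer(template_text):
        value = attr.group(1)
        qpos = value.find("?")
        if qpos < 0:
            continue  # no query string in this URL
        for d in DIRECTIVE_RE.finditer(value, qpos):
            if _last_filter(d.group(1)) == "html":
                findings.append((_line_of(template_text, attr.start(1) + d.start()), d.group(1)))
    return findings


def lint(template_text):
    """Run both checks and return them keyed by rule name."""
    return {
        "missing_filter": find_unfiltered(template_text),
        "html_in_query_string": find_html_in_query(template_text),
    }


if __name__ == "__main__":
    # Pass a .tt path to lint a real template; otherwise the constructed sample is used.
    source = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE_TEMPLATE
    for rule, hits in lint(source).items():
        for line, body in hits:
            print(f"{rule}: line {line}: [% {body} %]")
```

On the sample the first rule flags `loo.comment` on line 6 and the second flags `frameworkcode | html` inside the href on line 3; `tagfield | html` in the link text is not flagged because it is outside the attribute value, where html escaping is the right choice. Treat a hit from the second rule as a candidate for the "replace html with uri" step rather than a confirmed bug, since the heuristic does not know which parameters the receiving script treats as opaque.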


[% USE raw %]
[% USE Asset %]
[% SET footerjs = 1 %]
[% INCLUDE 'doc-head-open.inc' %]
<title>Koha &rsaquo; Administration &rsaquo;[% IF ( add_form ) %][% IF ( use_heading_flags_p ) %][% IF ( heading_edit_subfields_p ) %] MARC subfield structure &rsaquo; Edit MARC subfields constraints[% END %][% ELSE %] MARC subfield structure &rsaquo; [% action | html %][% END %][% END %]
[% IF ( delete_confirm ) %] MARC subfield structure &rsaquo; Confirm deletion of subfield [% tagsubfield | html %][% END %][% IF ( delete_confirmed ) %] MARC subfield structure &rsaquo; Subfield deleted[% END %][% IF ( else ) %]MARC subfield structure[% END %]</title>
[% INCLUDE 'doc-head-close.inc' %]
</head>
<body id="admin_marc_subfields_structure" class="admin">
[% INCLUDE 'header.inc' %]
[% INCLUDE 'prefs-admin-search.inc' %]
<div id="breadcrumbs">
<a href="/cgi-bin/koha/mainpage.pl">Home</a> &rsaquo; <a href="/cgi-bin/koha/admin/admin-home.pl">Administration</a> &rsaquo; <a href="/cgi-bin/koha/admin/biblio_framework.pl">MARC frameworks</a> &rsaquo; <a href="/cgi-bin/koha/admin/marctagstructure.pl?frameworkcode=[% frameworkcode | html %]&amp;searchfield=[% tagfield | uri %]">[% IF ( frameworkcode ) %][% frameworkcode | html %][% ELSE %]Default[% END %] framework structure</a> &rsaquo;
[% IF ( add_form ) %]
[% IF ( use_heading_flags_p ) %]
[% IF ( heading_edit_subfields_p ) %] <a href="/cgi-bin/koha/admin/marc_subfields_structure.pl?tagfield=[% tagfield | uri %]&amp;frameworkcode=[% frameworkcode | html %]">Tag [% tagfield | html %] subfield structure</a> &rsaquo; Edit subfields constraints
[% END %]
[% ELSE %] <a href="/cgi-bin/koha/admin/marc_subfields_structure.pl?tagfield=[% tagfield | uri %]&amp;frameworkcode=[% frameworkcode | html %]">Tag [% tagfield | html %] Subfield structure</a> &rsaquo; [% action | html %]
[% END %]
[% END %]
[% IF ( delete_confirm ) %] <a href="/cgi-bin/koha/admin/marc_subfields_structure.pl?tagfield=[% tagfield | uri %]&amp;frameworkcode=[% frameworkcode | html %]">Tag [% tagfield | html %] Subfield structure</a> &rsaquo; Confirm deletion of subfield [% tagsubfield | html %]
[% END %]
[% IF ( delete_confirmed ) %] <a href="/cgi-bin/koha/admin/marc_subfields_structure.pl?tagfield=[% tagfield | uri %]&amp;frameworkcode=[% frameworkcode | html %]">Tag [% tagfield | html %] subfield structure</a> &rsaquo; Subfield deleted
[% END %]
[% IF ( else ) %]Tag [% tagfield | html %] Subfield structure[% END %]
</div>
<div id="doc3" class="yui-t2">
<div id="bd">
<div id="yui-main">
<div class="yui-b">
[% IF ( add_form ) %]
<h1>
[% IF ( use_heading_flags_p ) %]
[% IF ( heading_edit_subfields_p ) %]Tag [% tagfield | html %] Subfield constraints[% END %]
[% ELSE %]
[% action | html %]
[% END %]
</h1>
<form action="[% script_name | html %]" name="Aform" method="post">
<input type="hidden" name="op" value="add_validate" />
<input type="hidden" name="tagfield" value="[% tagfield | html %]" />
<input type="hidden" name="frameworkcode" value="[% frameworkcode | html %]" />
<div id="subfieldtabs" class="toptabs numbered">
<ul>
[% FOREACH loo IN loop %]
[% IF ( loo.new_subfield ) %]
<li><a href="#sub[% loo.urisubfieldcode | html %]field" title="[% loo.liblibrarian | html_entity %]">New</a></li>
[% ELSE %]
<li><a href="#sub[% loo.urisubfieldcode | html %]field" title="[% loo.liblibrarian | html_entity %]">
[% loo.subfieldcode | html %]
</a></li>
[% END %]
[% END %]
</ul>
[% FOREACH loo IN loop %]
<div class="constraints" id="sub[% loo.urisubfieldcode | html %]field">
<h3><a href="#basic[% loo.urisubfieldcode | html %]">Basic constraints</a></h3>
<div id="basic[% loo.urisubfieldcode | html %]">
<fieldset class="rows">
<ol>
[% IF ( subfieldcode == 0 || subfieldcode ) %]
<li><span class="label">Subfield code:</span> [% loo.subfieldcode | html %] <input type="hidden" name="tagsubfield" value="[% loo.subfieldcode | html %]" /></li>
[% ELSE %]
<li><label for="tagsubfield[% loo.row | html %]">Subfield code:</label> <input type="text" id="tagsubfield[% loo.row | html %]" name="tagsubfield" value="[% loo.subfieldcode | html %]" /></li>
[% END %]
<li><label for="liblibrarian[% loo.row | html %]">Text for librarian: </label><input id="liblibrarian[% loo.row | html %]" type="text" name="liblibrarian" value="[% loo.liblibrarian | html_entity %]" size="40" maxlength="80" /></li>
<li><label for="libopac[% loo.row | html %]">Text for OPAC: </label><input type="text" id="libopac[% loo.row | html %]" name="libopac" value="[% loo.libopac | html_entity %]" size="40" maxlength="80" /></li>
<li>
<label for="repeatable[% loo.row | html %]">Repeatable: </label>
[% IF loo.repeatable %]
<input type="checkbox" id="repeatable[% loo.row | html %]" name="repeatable[% loo.row | html %]" checked="checked" value="1" />
[% ELSE %]
<input type="checkbox" id="repeatable[% loo.row | html %]" name="repeatable[% loo.row | html %]" value="1" />
[% END %]
</li>
<li>
<label for="mandatory[% loo.row | html %]">Mandatory: </label>
[% IF loo.mandatory %]
<input type="checkbox" id="mandatory[% loo.row | html %]" name="mandatory[% loo.row | html %]" checked="checked" value="1" />
[% ELSE %]
<input type="checkbox" id="mandatory[% loo.row | html %]" name="mandatory[% loo.row | html %]" value="1" />
[% END %]
</li>
<li><label for="tab[% loo.row | html %]">Managed in tab: </label>
<select name="tab" tabindex="" size="1" id="tab[% loo.row | html %]">
[%- IF ( loo.tab == -1 ) -%]
<option value="-1" selected="selected">ignore</option>
[%- ELSE -%]
<option value="-1">ignore</option>
[%- END -%]
[%- FOREACH t IN [ '0', '1', '2', '3', '4', '5', '6', '7', '8', '9'] -%]
[%- IF ( loo.tab == t ) -%]
<option value="[%- t | html -%]" selected="selected">[%- t | html -%]</option>
[%- ELSE -%]
<option value="[%- t | html -%]">[%- t | html -%]</option>
[%- END -%]
[%- END -%]
[%- IF ( loo.tab == 10 ) -%]
<option value="10" selected="selected">items (10)</option>
[%- ELSE -%]
<option value="10">items (10)</option>
[%- END -%]
</select>
(ignore means that the subfield does not display in the record editor)
</li>
</ol>
</fieldset>
</div>
<h3><a href="#advanced[% loo.urisubfieldcode | html %]">Advanced constraints</a></h3>
<div id="advanced[% loo.urisubfieldcode | html %]">
<fieldset class="rows">
<ol><li><label for="defaultvalue[% loo.row | html %]">Default value:</label>
<input type="text" name="defaultvalue" id="defaultvalue[% loo.row | html %]" value="[% loo.defaultvalue | html %]" /></li>
<li><label for="maxlength[% loo.row | html %]">Max length:</label><input type="text" id="maxlength[% loo.row | html %]" name="maxlength" value="[% loo.maxlength | html %]" size="4" /> (see online help)</li>
<li><input type="hidden" id="hidden-[% loo.row | html %]" name="hidden" value="[% loo.hidden | html %]" />
<label for="hidden[% loo.row | html %]" style="float: none;">Visibility: </label>
<input type="checkbox" id="hidden_opac_[% loo.row | html %]" class="inclusive_[% loo.row | html %]" name="hidden_opac_[% loo.row | html %]"/>
<label for="hidden_opac_[% loo.row | html %]" style="float: none;">OPAC</label>
<input type="checkbox" id="hidden_intranet_[% loo.row | html %]" class="inclusive_[% loo.row | html %]" name="hidden_intranet_[% loo.row | html %]"/>
<label for="hidden_intranet_[% loo.row | html %]" style="float: none;">Intranet</label>
<input type="checkbox" id="hidden_editor_[% loo.row | html %]" class="inclusive_[% loo.row | html %]" name="hidden_editor_[% loo.row | html %]"/>
<label for="hidden_editor_[% loo.row | html %]" style="float: none;">Editor</label>
<input type="checkbox" id="hidden_collapsed_[% loo.row | html %]" class="inclusive_[% loo.row | html %]" name="hidden_collapsed_[% loo.row | html %]"/>
<label for="hidden_collapsed_[% loo.row | html %]" style="float: none;">Collapsed</label>
<input type="checkbox" id="hidden_flagged_[% loo.row | html %]" name="flagged_[% loo.row | html %]"/>
<label for="hidden_flagged_[% loo.row | html %]" style="float: none;">Flagged</label>
</li>
<li>
<label for="isurl[% loo.row | html %]">Is a URL:</label>
[% IF loo.isurl %]
<input type="checkbox" id="isurl[% loo.row | html %]" name="isurl[% loo.row | html %]" checked="checked" value="1" />
[% ELSE %]
<input type="checkbox" id="isurl[% loo.row | html %]" name="isurl[% loo.row | html %]" value="1" />
[% END %]
(if checked, it means that the subfield is a URL and can be clicked)
</li>
<li><label for="link[% loo.row | html %]">Link:</label><input type="text" id="link[% loo.row | html %]" name="link" value="[% loo.link | html %]" size="10" maxlength="80" /> (e.g., Title or Local-Number) <span class="error"><em>NOTE: If you change this value you must ask your administrator to run misc/batchRebuildBiblioTables.pl.</em></span></li>
<li>
<label for="kohafield[% loo.row | html %]">Koha link:</label>
<!-- This select should be DISABLED; value is submitted by the following hidden input -->
<select name="kohafield" id="kohafield[% loo.row | html %]" size="1" disabled>
[% FOREACH value IN loo.kohafields %]
[% IF ( value == loo.kohafield ) %]
<option value="[% value | html %]" selected="selected">[% value | html %]</option>
[% ELSE %]
<option value="[% value | html %]">[% value | html %]</option>
[% END %]
[% END %]
</select>
<!-- Do NOT remove this next hidden input! We need it to save kohafield. -->
<input type="hidden" name="kohafield" value="[% loo.kohafield | html %]"/>
</li>
</ol>
</fieldset>
</div>
<h3><a href="#oth[% loo.urisubfieldcode | html %]">Other options (choose one)</a></h3>
<div id="oth[% loo.urisubfieldcode | html %]">
<fieldset class="rows">
<ol>
<li>
<label for="authorised_value[% loo.row | html %]">Authorized value:</label>
<select name="authorised_value" id="authorised_value[% loo.row | html %]" size="1">
<option value=""></option>
[% FOREACH value IN loo.authorised_values %]
[% IF ( value == loo.authorised_value ) %]
<option value="[% value | html %]" selected="selected">[% value | html %]</option>
[% ELSE %]
<option value="[% value | html %]">[% value | html %]</option>
[% END %]
[% END %]
</select>
</li>
<li>
<label for="authtypecode[% loo.row | html %]">Thesaurus:</label>
<select name="authtypecode" id="authtypecode[% loo.row | html %]" size="1">
[% FOREACH value IN loo.authtypes %]
[% IF ( value == loo.authtypecode ) %]
<option value="[% value | html %]" selected="selected">[% value | html %]</option>
[% ELSE %]
<option value="[% value | html %]">[% value | html %]</option>
[% END %]
[% END %]
</select>
</li>
<li>
<label for="value_builder[% loo.row | html %]">Plugin:</label>
<select name="value_builder" id="value_builder[% loo.row | html %]" size="1">
[% FOREACH value IN loo.value_builders %]
[% IF ( value == loo.value_builder ) %]
<option value="[% value | html %]" selected="selected">[% value | html %]</option>
[% ELSE %]
<option value="[% value | html %]">[% value | html %]</option>
[% END %]
[% END %]
</select>
</li>
</ol>
</fieldset>
</div>
</div><!-- /content_sub -->
[% END %]
</div><!-- /content -->
<fieldset class="action">
<input type="submit" value="Save changes" /> <a href="/cgi-bin/koha/admin/marc_subfields_structure.pl?tagfield=[% tagfield | uri %]&amp;frameworkcode=[% frameworkcode | html %]" class="cancel">Cancel</a>
</fieldset>
</form>
[% END %]
[% IF ( delete_confirm ) %]
<div class="dialog alert">
<h3>Confirm deletion of subfield [% tagsubfield | html %]?</h3>
<p>Subfield: [% tagsubfield | html %]</p>
<p>Description: [% liblibrarian | html_entity %]</p>
<form action="[% delete_link | html %]" method="post"><input type="hidden" name="op" value="delete_confirmed" />
<input type="hidden" name="searchfield" value="[% searchfield | html %]" />
<input type="hidden" name="tagfield" value="[% tagfield | html %]" />
<input type="hidden" name="tagsubfield" value="[% tagsubfield | html %]" />
<input type="hidden" name="frameworkcode" value="[% frameworkcode | html %]" />
<button type="submit" class="approve"><i class="fa fa-fw fa-check"></i> Yes, delete this subfield</button>
</form>
<form action="[% script_name | html %]" method="post">
<input type="hidden" name="searchfield" value="[% searchfield | html %]" />
<input type="hidden" name="tagfield" value="[% tagfield | html %]" />
<input type="hidden" name="tagsubfield" value="[% tagsubfield | html %]" />
<input type="hidden" name="frameworkcode" value="[% frameworkcode | html %]" />
<button type="submit" class="deny"><i class="fa fa-fw fa-remove"></i> No, do not delete</button>
</form>
</div>
[% END %]
[% IF ( delete_confirmed ) %]
<h3>Data deleted</h3>
<form action="[% script_name | html %]" method="post">
<input type="hidden" name="tagfield" value="[% tagfield | html %]" />
<input type="submit" value="OK" />
</form>
[% END %]
[% IF ( else ) %]
<h1>MARC subfield structure admin for [% tagfield | html %] [% IF ( frameworkcode ) %](framework [% frameworkcode | html %])[% ELSE %](default framework)[% END %]</h1>
<p>This screen shows the subfields associated with the selected tag. You can edit subfields or add a new one by clicking on edit.</p>
<p>The column 'Koha field' shows that the subfield is linked with a Koha field.</p>
<table>
<tr>
<th>Subfield</th>
<th>Text</th>
<th>Constraints</th>
<th>Actions</th>
</tr>
[% FOREACH loo IN loop %]
<tr>
<td><a href="/cgi-bin/koha/admin/marc_subfields_structure.pl?op=add_form&amp;tagfield=[% loo.tagfield | html %]&amp;frameworkcode=[% frameworkcode | html %]#sub[% loo.tagsubfield | html %]field">[% loo.tagsubfield | html %]</a></td>
<td>
[% IF ( loo.subfield_ignored ) %]
<i>[% loo.liblibrarian | html_entity %]</i>
[% ELSE %]
[% loo.liblibrarian | html_entity %]
[% END %]
</td>
<td>
[% IF ( loo.subfield_ignored ) %]
<i>subfield ignored</i>
[% ELSE %]
Tab:[% loo.tab | html %],
[% IF ( loo.kohafield ) %] | Koha field: [% loo.kohafield | html %], [% END %]
[% IF ( loo.repeatable ) %]Repeatable, [% ELSE %]Not repeatable,[% END %]
[% IF ( loo.mandatory ) %]Mandatory, [% ELSE %]Not mandatory,[% END %]
[% IF ( loo.seealso ) %] | See Also: [% loo.seealso | html %],[% END %]
[% IF ( loo.hidden ) %]hidden,[% END %]
[% IF ( loo.isurl ) %]is a URL,[% END %]
[% IF ( loo.authorised_value ) %] | Auth value:[% loo.authorised_value | html %],[% END %]
[% IF ( loo.authtypecode ) %] | Authority:[% loo.authtypecode | html %],[% END %]
[% IF ( loo.value_builder ) %] | Plugin:[% loo.value_builder | html %],[% END %]
[% IF ( loo.link ) %] | Link:[% loo.link | html %],[% END %]
[% END %]
</td>
<td class="actions">
<a href="/cgi-bin/koha/admin/marc_subfields_structure.pl?op=add_form&amp;tagfield=[% loo.tagfield | html %]&amp;frameworkcode=[% frameworkcode | html %]#sub[% loo.tagsubfield | html %]field" class="btn btn-default btn-xs"><i class="fa fa-pencil"></i> Edit</a>
<a href="/cgi-bin/koha/admin/marc_subfields_structure.pl?op=delete_confirm&amp;tagfield=[% loo.tagfield | html %]&amp;tagsubfield=[% loo.tagsubfield | html %]&amp;frameworkcode=[% frameworkcode | html %]" class="btn btn-default btn-xs"><i class="fa fa-trash"></i> Delete</a>
</td>
</tr>
[% END %]
</table>
<form action="[% script_name | html %]" method="get">
<fieldset class="action"><input type="hidden" name="op" value="add_form" />
<input type="hidden" name="tagfield" value="[% edit_tagfield | html %]" />
<input type="hidden" name="frameworkcode" value="[% edit_frameworkcode | html %]" />
<input type="submit" value="Edit subfields" />
<a class="cancel" href="marctagstructure.pl?searchfield=[% tagfield | uri %]&amp;frameworkcode=[% frameworkcode | html %]">Cancel</a>
</fieldset>
</form>
[% END %]
</div>
</div>
<div class="yui-b noprint">
[% INCLUDE 'admin-menu.inc' %]
</div>
</div>
[% MACRO jsinclude BLOCK %]
[% Asset.js("js/admin-menu.js") | $raw %]
[% Asset.js("js/marc_subfields_structure.js") | $raw %]
[% END %]
[% INCLUDE 'intranet-bottom.inc' %]