Koha-community/Koha
13
7
Fork 0
Code Issues Releases Wiki Activity
Koha/koha-tmpl/opac-tmpl/bootstrap/en/modules/opac-MARCdetail.tt
Jonathan Druart f94162564a Bug 18726: Fix XSS at the OPAC - biblionumber 
The biblionumber parameter is sent by the user, we must escape all of
them to avoid XSS.

Fixes: Cross-site scripting OPAC pages

Signed-off-by: Amit Gupta <amit.gupta@informaticsglobal.com>

Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
2017-08-29 12:00:37 -03:00

210 lines
11 KiB
Text
Raw Blame History

[% USE Koha %]
[% INCLUDE 'doc-head-open.inc' %]
<title>[% IF ( LibraryNameTitle ) %][% LibraryNameTitle %][% ELSE %]Koha online[% END %] catalog &rsaquo; MARC details for record no. [% biblionumber | html %]</title>
[% INCLUDE 'doc-head-close.inc' %]
[% BLOCK cssinclude %][% END %]
</head>
[% INCLUDE 'bodytag.inc' bodyid='opac-marcdetail' bodyclass='scrollto' %]
[% INCLUDE 'masthead.inc' %]
<div class="main">
<ul class="breadcrumb">
<li><a href="/cgi-bin/koha/opac-main.pl">Home</a> <span class="divider">&rsaquo;</span></li>
<li><a href="#">MARC view: [% bibliotitle %]</a></li>
</ul>
<div class="container-fluid">
<div class="row-fluid">
<div class="span9">
<div id="opac-detail" class="maincontent">
<div id="usermarcdetail">
<div id="catalogue_detail_biblio">
<div id="views">
<span class="view"><a id="Normalview" href="/cgi-bin/koha/opac-detail.pl?biblionumber=[% biblionumber | html %]">Normal view</a></span>
<span class="view current-view"><span id="MARCview">MARC view</span></span>
[% IF ( ISBD ) %]<span class="view"><a id="ISBDview" href="/cgi-bin/koha/opac-ISBDdetail.pl?biblionumber=[% biblionumber | html %]">ISBD view</a></span>[% END %]
</div>
<h1 class="title">[% bibliotitle %] (Record no. [% biblionumber | html %])</h1>
[% IF ( OPACXSLTDetailsDisplay ) %]
<div id="switchview_div">[ <a id="switchview" href="/cgi-bin/koha/opac-showmarc.pl?id=[% biblionumber | html %]&amp;viewas=html">view plain</a> ]</div>
<div id="plainmarc"></div>
[% END %]
<div id="labeledmarc">
<table id="marc" class="table table-bordered table-striped">
[% FOREACH tab0X IN tab0XX %]
<tr><th colspan="2">[% tab0X.tag %]</th></tr>
[% FOREACH subfiel IN tab0X.subfield %]
<tr>
<td>[% subfiel.marc_lib %]</td>
<td>[% subfiel.marc_value %]</td>
</tr>
[% END %]
[% END %]
[% FOREACH tab1X IN tab1XX %]
<tr><th colspan="2">[% tab1X.tag %]</th></tr>
[% FOREACH subfiel IN tab1X.subfield %]
<tr>
<td >[% subfiel.marc_lib %]</td>
<td >[% subfiel.marc_value %]</td>
</tr>
[% END %]
[% END %]
[% FOREACH tab2X IN tab2XX %]
<tr><th colspan="2">[% tab2X.tag %]</th></tr>
[% FOREACH subfiel IN tab2X.subfield %]
<tr>
<td>[% subfiel.marc_lib %]</td>
<td>[% subfiel.marc_value %]</td>
</tr>
[% END %]
[% END %]
[% FOREACH tab3X IN tab3XX %]
<tr><th colspan="2">[% tab3X.tag %]</th></tr>
[% FOREACH subfiel IN tab3X.subfield %]
<tr>
<td>[% subfiel.marc_lib %]</td>
<td>[% subfiel.marc_value %]</td>
</tr>
[% END %]
[% END %]
[% FOREACH tab4X IN tab4XX %]
<tr><th colspan="2" >[% tab4X.tag %]</th></tr>
[% FOREACH subfiel IN tab4X.subfield %]
<tr>
<td>[% subfiel.marc_lib %]</td>
<td>[% subfiel.marc_value %]</td>
</tr>
[% END %]
[% END %]
[% FOREACH tab5X IN tab5XX %]
<tr><th colspan="2">[% tab5X.tag %]</th></tr>
[% FOREACH subfiel IN tab5X.subfield %]
<tr>
<td>[% subfiel.marc_lib %]</td>
<td>[% subfiel.marc_value %]</td>
</tr>
[% END %]
[% END %]
[% FOREACH tab6X IN tab6XX %]
<tr><th colspan="2">[% tab6X.tag %]</th></tr>
[% FOREACH subfiel IN tab6X.subfield %]
<tr>
<td>[% subfiel.marc_lib %]</td>
<td>[% subfiel.marc_value %]</td>
</tr>
[% END %]
[% END %]
[% FOREACH tab7X IN tab7XX %]
<tr><th colspan="2">[% tab7X.tag %]</th></tr>
[% FOREACH subfiel IN tab7X.subfield %]
<tr>
<td>[% subfiel.marc_lib %]</td>
<td>[% subfiel.marc_value %]</td>
</tr>
[% END %]
[% END %]
[% FOREACH tab8X IN tab8XX %]
<tr><th colspan="2">[% tab8X.tag %]</th></tr>
[% FOREACH subfiel IN tab8X.subfield %]
<tr>
<td>[% subfiel.marc_lib %]</td>
<td>[% subfiel.marc_value %]</td>
</tr>
[% END %]
[% END %]
[% FOREACH tab9X IN tab9XX %]
<tr><th colspan="2">[% tab9X.tag %]</th></tr>
[% FOREACH subfiel IN tab9X.subfield %]
<tr>
<td>[% subfiel.marc_lib %]</td>
<td>[% subfiel.marc_value %]</td>
</tr>
[% END %]
[% END %]
</table>
</div>
[% IF ( item_header_loop ) %]
<table id="items" class="table table-bordered table-condensed table-striped">
<caption>Holdings</caption>
<tr>
[% FOREACH header IN item_header_loop %]
<th>[% header %]</th>
[% END %]
</tr>
[% FOREACH item IN item_loop %]
<tr>
[% FOREACH sf_code IN item_subfield_codes %]
<td>[% item.$sf_code %]</td>
[% END %]
</tr>
[% END %]
</table>
[% ELSE %]
<p>No items available.</p>
[% END %]
</div> <!-- / #catalogue_detail_biblio -->
</div> <!-- / #usermarcdetail -->
</div> <!-- / #opac-detail -->
</div> <!-- / .span9 -->
<div class="span3">
[% INCLUDE 'opac-detail-sidebar.inc' %]
</div>
</div> <!-- / .row-fluid -->
</div> <!-- / .container-fluid -->
</div> <!-- / .main -->
[% INCLUDE 'opac-bottom.inc' %]
[% BLOCK jsinclude %]
<script type="text/javascript">
//<![CDATA[
[% IF ( OPACXSLTDetailsDisplay ) %]
$(document).ready(function(){
$.ajaxSetup({
error:function(x,e){
switch (x.status) {
case 200: break;
default:
$('#switchview').parent().html("<div class=\"dialog alert\">"+_("Sorry, plain view is temporarily unavailable")+".</div>");
$("#plainmarc").hide();
$("#labeledmarc").show();
break;
}
}
});
var loaded = 0;
var toggle = 0;
$("#switchview").on("click",function(e){
e.preventDefault();
if( toggle == 0){
$(this).text(_("view labeled"));
$("#labeledmarc").hide();
if(!loaded){
$("#plainmarc").show().html("<div style=\"margin:1em;padding:1em;border:1px solid #EEE;font-size:150%;\"><img src=\"[% interface %]/[% theme %]/images/loading.gif\" /> "+_("Loading")+"...</div>").load("/cgi-bin/koha/opac-showmarc.pl","id=[% biblionumber | html %]&viewas=html");
loaded = 1;
} else {
$("#plainmarc").show();
}
toggle = 1;
} else {
$(this).text(_("view plain"));
$("#labeledmarc").show();
$("#plainmarc").hide();
toggle = 0;
}
});
});
[% END %]
//]]>
</script>
[% END %]
View git blame Copy permalink