Koha/koha-tmpl/intranet-tmpl/prog/en/modules/circ/circulation_batch_checkouts.tt
Jonathan Druart dcd1f5d48c Bug 13618: Add html filters to all the variables
Here we go, next step then.
As we did not fix the performance issue when autofiltering
the variables (see bug 20975), the only solution we have is to add the
filters explicitly.

This patch has been autogenerated (using add_html_filters.pl, see next
patches) and adds the html filter to all the variables displayed in the
template.
Exceptions are made (using the new 'raw' TT filter) for the variables we
already listed in the previous versions of this patch.

To test:
- Use t/db_dependent/Koha/Patrons.t to populate your DB with autogenerated
data which contain <script> tags

- Remove them from borrower_debarments.comments (they are allowed here)
update borrower_debarments set comment="html tags possible here";

- From the interface hit pages and try to catch an alert box.
If you find one it means you have found a possible XSS.
To know where it comes from:
* note the exact URL where you found it
* note the alert box content
* Dump your DB and search for the string in the dump to identify its
location (for instance table.field)

Next:
* Ideally we would like to use the raw filter when it is not necessary
to HTML escape the variables (in big loop for instance)
* Provide a QA script to catch missing filters (we want html, uri, url
or raw, certainly others that I am forgetting now)
* Replace the html filters with uri when needed (!)

Signed-off-by: Owen Leonard <oleonard@myacpl.org>

Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>

Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
2018-08-17 15:55:05 +00:00
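The commit message describes the technique (apply the Template Toolkit `html` filter to every displayed variable, keep `raw` for trusted output, and switch to `uri` for values placed in URLs) and a manual test plan of seeding `<script>` tags and watching for alert boxes. The script below is an added example, not part of the Koha commit or the add_html_filters.pl tool: it renders small template fragments modelled on this page with constructed hostile values and flags any rendering in which a raw tag survives. The `title` and `barcode` values are constructed test data; the `render` and `has_unescaped_tag` helpers are this example's own. Koha's `raw` plugin is not used, only core Template Toolkit filters.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Template;

# Constructed test values: the kind of data the commit's test plan seeds
# (a field carrying a <script> tag) plus a barcode that carries URL
# metacharacters so that the html-vs-uri difference is visible.
my %vars = (
    title   => 'Catalogue <script>alert("xss")</script>',
    barcode => '123&type=intra#x',
);

# Four renderings of the same data: no filter (the pre-patch state), the
# 'html' filter that add_html_filters.pl inserts, and the same value placed
# in a query string with 'html' versus 'uri'.
my %templates = (
    unfiltered => '<td>[% title %]</td>',
    html       => '<td>[% title | html %]</td>',
    href_html  => '<a href="/cgi-bin/koha/catalogue/detail.pl?biblionumber=[% barcode | html %]">x</a>',
    href_uri   => '<a href="/cgi-bin/koha/catalogue/detail.pl?biblionumber=[% barcode | uri %]">x</a>',
);

my $tt = Template->new() or die Template->error();

# Render one named fragment with the constructed variables.
sub render {
    my ($name) = @_;
    my $out = '';
    $tt->process( \$templates{$name}, \%vars, \$out ) or die $tt->error();
    return $out;
}

# Automated stand-in for "try to catch an alert box": a rendering is
# suspicious if a literal <script tag reached the output unescaped.
sub has_unescaped_tag {
    my ($html) = @_;
    return $html =~ /<script\b/i ? 1 : 0;
}

for my $name (qw(unfiltered html href_html href_uri)) {
    my $out = render($name);
    printf "%-10s %s%s\n", $name, $out,
        has_unescaped_tag($out) ? '   <-- unescaped tag' : '';
}
```

The `html` filter turns `<`, `>`, `&` and `"` into entities, which neutralises the script tag in element content. In the `href_html` case the same filter produces `&amp;type=intra`, which the browser decodes back to `&type=intra`, so the attacker-controlled value still adds a query parameter; the `uri` filter percent-encodes `&`, `=` and `#` so the whole value stays inside the `biblionumber` parameter. That is the distinction behind the "replace the html filters with uri when needed" item in the commit message.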


[% USE raw %]
[% USE Asset %]
[% USE Branches %]
[% USE KohaDates %]
[% USE Price %]
[% USE AuthorisedValues %]
[% SET footerjs = 1 %]
[% INCLUDE 'doc-head-open.inc' %]
[% SET destination = "circ" %]
<title>Koha &rsaquo; Circulation
[% IF patron %]
&rsaquo; Batch check out &rsaquo; Issuing items to [% INCLUDE 'patron-title.inc' invert_name = 1 no_html = 1 %]
[% END %]
</title>
[% INCLUDE 'doc-head-close.inc' %]
[% Asset.css("css/datatables.css") | $raw %]
</head>
<body id="circ_circulation_batch_checkouts" class="circ">
[% INCLUDE 'header.inc' %]
[% INCLUDE 'circ-search.inc' %]
<div id="breadcrumbs"><a href="/cgi-bin/koha/mainpage.pl">Home</a> &rsaquo; <a href="/cgi-bin/koha/circ/circulation-home.pl">Circulation</a> &rsaquo;
[% IF patron %]
<a href="/cgi-bin/koha/circ/circulation.pl">Batch check out</a> &rsaquo; [% INCLUDE 'patron-title.inc' %]
[% ELSE %]
Batch check out
[% END %]
</div>
<div id="doc3" class="yui-t2">
<div id="bd">
<div id="yui-main">
<div class="yui-b">
<div class="yui-g">
[% IF patron %]
[% INCLUDE 'members-toolbar.inc' %]
[% END %]
[% IF patron and not batch_allowed %]
<div class="dialog alert">You are not allowed to use batch checkout for this patron</div>
[% ELSIF patron and noissues and not checkout_infos %]
<div class="dialog alert">
Cannot check out!
[% IF charges %]
<span class="circ-hlt">Checkouts are BLOCKED because fine balance is OVER THE LIMIT.</span>
[% END %]
[% IF charges_guarantees %]
<ul>
<li>
<span class="circ-hlt">Fees &amp; Charges:</span> Patron's guarantees collectively owe [% chargesamount_guarantees | $Price | html %].
</li>
<li>
<span class="circ-hlt">Checkouts are BLOCKED because fine balance is OVER THE LIMIT.</span>
</li>
</ul>
[% END %]
</div>
[% ELSIF patron and not checkout_infos %]
<form method="post" enctype="multipart/form-data" action="/cgi-bin/koha/circ/circulation.pl">
<fieldset id="circ_circulation_issue">
<label for="barcode">Checking out to [% INCLUDE 'patron-title.inc' %]</label>
<fieldset class="rows">
<legend>Use a file</legend>
<ol>
<li><label for="uploadfile">File: </label> <input type="file" id="uploadfile" name="uploadfile" /></li>
</ol>
</fieldset>
<fieldset class="rows">
<legend>Or list barcodes one by one</legend>
<ol>
<li>
<label for="barcodelist">Barcode list (one barcode per line): </label>
<textarea rows="10" cols="30" id="barcodelist" name="barcodelist"></textarea>
</li>
</ol>
</fieldset>
<input type="hidden" name="op" value="show" />
<fieldset class="action">
<input type="hidden" name="borrowernumber" id="borrowernumber" value="[% patron.borrowernumber | html %]" />
<input type="hidden" name="branch" value="[% branch | html %]" />
<input type="hidden" name="batch" value="1" />
<input type="submit" value="Check out" class="button" />
</fieldset>
</fieldset>
</form>
[% ELSIF patron %]
[% IF confirmation_needed && CAN_user_circulate_force_checkout %]
<h3>Batch checkout confirmation [% IF patron %] for [% INCLUDE 'patron-title.inc' invert_name = 1 %] [% END %]</h3>
<form method="post" action="/cgi-bin/koha/circ/circulation.pl" id="mainform" name="mainform" autocomplete="off">
[% ELSE %]
<h3>Batch checkout information [% IF patron.borrowernumber %] for [% INCLUDE 'patron-title.inc' invert_name = 1 %] |[% batch | html %]|[% END %]</h3>
[% END %]
<table id="checkout_infos">
<thead>
<tr>
[% IF confirmation_needed && CAN_user_circulate_force_checkout %]
<th class="NoSort"></th>
[% END %]
<th>Barcode</th>
<th class="anti-the">Title</th>
<th>Information</th>
</tr>
</thead>
<tbody>
[% FOR checkout_info IN checkout_infos %]
<tr>
[% IF confirmation_needed && CAN_user_circulate_force_checkout %]
<td>
[% IF checkout_info.NEEDSCONFIRMATION %]
<input type="checkbox" name="barcodes" value="[% checkout_info.barcode | html %]" checked="checked" />
[% END %]
</td>
[% END %]
<td>[% checkout_info.barcode | html %]</td>
<td>
<a href="/cgi-bin/koha/catalogue/detail.pl?biblionumber=[% checkout_info.biblio.biblionumber | html %]&amp;type=intra"><strong>[% checkout_info.biblio.title | html %][% FOREACH subtitle IN checkout_info.biblio.subtitles %] [% subtitle.subfield | html %][% END %]</strong></a>[% IF checkout_info.biblio.author %], by [% checkout_info.biblio.author | html %][% END %][% IF ( checkout_info.item.itemnotes ) %]- <span class="circ-hlt">[% checkout_info.item.itemnotes | html %]</span>[% END %] <a href="/cgi-bin/koha/catalogue/moredetail.pl?biblionumber=[% checkout_info.biblio.biblionumber | html %]&amp;itemnumber=[% checkout_info.item.itemnumber | html %]#item[% checkout_info.item.itemnumber | html %]">[% checkout_info.item.barcode | html %]</a>
</td>
<td>
[% IF checkout_info.NEEDSCONFIRMATION %]
<ul class="fa-ul warn">
[% IF checkout_info.AGE_RESTRICTION %]
<li><i class="fa fa-li fa-warning"></i>Age restriction [% checkout_info.AGE_RESTRICTION | html %].</li>
[% END %]
[% IF checkout_info.RENEW_ISSUE %]
<li><i class="fa fa-li fa-warning"></i>This item is currently checked out to this patron. Renew?</li>
[% END %]
[% IF checkout_info.RESERVE_WAITING %]
<li><i class="fa fa-li fa-warning"></i>This item is waiting for another patron.</li>
[% END %]
[% IF checkout_info.RESERVED %]
<li><i class="fa fa-li fa-warning"></i>This item is on hold for another patron.</li>
[% END %]
[% IF checkout_info.ISSUED_TO_ANOTHER %]
<li><i class="fa fa-li fa-warning"></i>This item is checked out to another patron.
[% IF CAN_user_circulate_force_checkout %]
Check in and check out?
[% END %]</li>
[% END %]
[% IF checkout_info.TOO_MANY %]
<li><i class="fa fa-li fa-warning"></i>Too many checked out.</li>
[% END %]
[% IF checkout_info.BORRNOTSAMEBRANCH %]
<li><i class="fa fa-li fa-warning"></i>This patron is from a different library ([% Branches.GetName( checkout_info.BORRNOTSAMEBRANCH ) | html %]).</li>
[% END %]
[% IF checkout_info.PATRON_CANT %]
<li><i class="fa fa-li fa-warning"></i>This patron can't check out this item per library circulation policy.</li>
[% END %]
[% IF checkout_info.NOT_FOR_LOAN_FORCING %]
[% IF checkout_info.itemtype_notforloan %]
<li><i class="fa fa-li fa-warning"></i>Item type is normally not for loan.</li>
[% ELSIF checkout_info.item_notforloan %]
[% item_notforloan_lib = AuthorisedValues.GetByCode( authvalcode_notforloan, checkout_info.item_notforloan, 0 ) | html %]
<li><i class="fa fa-li fa-warning"></i>Item is normally not for loan [% IF item_notforloan_lib %]([% item_notforloan_lib | html %])[% END %].</li>
[% END %]
[% END %]
[% IF checkout_info.USERBLOCKEDOVERDUE %]
<li><i class="fa fa-li fa-warning"></i>Patron has [% checkout_info.USERBLOCKEDOVERDUE | html %] overdue item(s).</li>
[% END %]
[% IF checkout_info.ITEM_LOST %]
<li><i class="fa fa-li fa-warning"></i>This item has been lost with a status of "[% checkout_info.ITEM_LOST | html %]."</li>
[% END %]
[% IF checkout_info.HIGHHOLDS %]
<li><i class="fa fa-li fa-warning"></i>High demand item. Loan period shortened to [% checkout_info.HIGHHOLDS.duration | html %] days (due [% checkout_info.HIGHHOLDS.returndate | html %]).</li>
[% END %]
[% IF checkout_info.HIGHHOLDS %] <!-- FIXME -->
<script type="text/javascript">
$(document).ready(function() {
$("input[name=duedatespec]:hidden").val('[% checkout_info.HIGHHOLDS.returndate | html %]');
});
</script>
[% END %]
[% IF NOT checkout_info.IMPOSSIBLE && ( CAN_user_circulate_force_checkout or checkout_info.HIGHHOLDS ) %]
[% IF checkout_info.RESERVED || checkout_info.RESERVE_WAITING %] <!-- arbitrary choice, revert the reserve is not possible-->
<li><i class="fa fa-li fa-warning"></i>This item is on hold for another patron. The hold will be overridden, but not cancelled.</li>
[% END %]
[% END %]
[% IF checkout_info.PREVISSUE %]
<li>This item has previously been checked out to this patron.</li>
[% END %]
</ul>
[% END %]
[% IF checkout_info.alert.ITEM_LOST || checkout_info.alert.OTHER_CHARGES %]
<ul class="info">
[% IF checkout_info.alert.ITEM_LOST %]
<li>This item has been lost with a status of "[% checkout_info.alert.ITEM_LOST | html %]."</li>
[% END %]
[% IF checkout_info.alert.OTHER_CHARGES %]
<li>The patron has unpaid charges for holds, rentals etc of [% checkout_info.alert.OTHER_CHARGES | html %].</li>
[% END %]
</ul>
[% END %]
[% IF checkout_info.IMPOSSIBLE %]
<ul class="fa-ul error">
[% IF checkout_info.STATS %]
<li><i class="fa fa-li fa-exclamation"></i>Local use recorded.</li>
[% END %]
[% IF checkout_info.NOT_FOR_LOAN %]
[% IF checkout_info.itemtype_notforloan %]
<li><i class="fa fa-li fa-exclamation"></i>Item type not for loan.</li>
[% ELSIF checkout_info.item_notforloan %]
[% item_notforloan_lib = AuthorisedValues.GetByCode( checkout_info.authvalcode_notforloan, checkout_info.item_notforloan, 0 ) | html %]
<li><i class="fa fa-li fa-exclamation"></i>Item not for loan [% IF checkout_info.item_notforloan_lib %]([% checkout_info.item_notforloan_lib | html %])[% END %].</li>
[% END %]
[% END %]
[% IF checkout_info.WTHDRAWN %]
<li><i class="fa fa-li fa-exclamation"></i>Item has been withdrawn.</li>
[% END %]
[% IF checkout_info.RESTRICTED %]
<li><i class="fa fa-li fa-exclamation"></i>Item is restricted.</li>
[% END %]
[% IF checkout_info.GNA %]
<li><i class="fa fa-li fa-exclamation"></i>Patron's address is in doubt.</li>
[% END %]
[% IF checkout_info.CARD_LOST %]
<li><i class="fa fa-li fa-exclamation"></i>Patron's card is lost.</li>
[% END %]
[% IF checkout_info.DEBARRED %]
<li><i class="fa fa-li fa-exclamation"></i>Patron is restricted.</li>
[% END %]
[% IF checkout_info.NO_MORE_RENEWALS %]
<li><i class="fa fa-li fa-exclamation"></i>No more renewals possible.</li>
[% END %]
[% IF checkout_info.EXPIRED %]
<li><i class="fa fa-li fa-exclamation"></i>Patron's card is expired.</li>
[% END %]
[% IF checkout_info.ITEMNOTSAMEBRANCH %]
<li><i class="fa fa-li fa-exclamation"></i>This item belongs to [% Branches.GetName( checkout_info.itemhomebranch ) | html %] and cannot be checked out from this location.</li>
[% END %]
[% IF checkout_info.USERBLOCKEDREMAINING %]
<li><i class="fa fa-li fa-exclamation"></i>Patron has had overdue items and is blocked for [% checkout_info.USERBLOCKEDREMAINING | html %] day(s).</li>
[% END %]
[% IF checkout_info.USERBLOCKEDOVERDUE %]
<li><i class="fa fa-li fa-exclamation"></i>Checkouts are BLOCKED because patron has overdue items.</li>
[% END %]
[% IF checkout_info.TOO_MANY %]
<li><i class="fa fa-li fa-exclamation"></i>Too many checked out.</li>
[% END %]
[% IF checkout_info.UNKNOWN_BARCODE %]
<li><i class="fa fa-li fa-exclamation"></i>The barcode was not found [% checkout_info.barcode | html %].</li>
[% END %]
[% IF checkout_info.DEBT %]
<li><i class="fa fa-li fa-exclamation"></i>The patron has a debt of [% checkout_info.DEBT | $Price | html %].</li> <!-- Need debt_confirmed -->
[% END %]
</ul>
[% END %]
[% IF checkout_info.issue.date_due %]
<li>Due on [% checkout_info.issue.date_due | $KohaDates %]</li>
[% END %]
</td>
</tr>
[% END %]
</tbody>
</table>
[% IF confirmation_needed && CAN_user_circulate_force_checkout %]
<fieldset>
<legend>Please confirm checkout</legend>
<input type="hidden" name="borrowernumber" value="[% patron.borrowernumber | html %]" />
<input type="hidden" name="issueconfirmed" value="1" />
<input type="hidden" name="debt_confirmed" value="1" />
<input type="hidden" name="branch" value="[% branch | html %]" />
<input type="hidden" name="batch" value="1" />
<input type="submit" id="checkoutrenew" class="approve" value="Checkout or renew" />
</fieldset>
</form>
[% END %]
[% ELSE %]
<div class="dialog message">This patron does not exist. <a href="/cgi-bin/koha/members/members-home.pl">Find another patron?</a></div>
[% END %]
</div>
</div>
</div>
[% IF patron %]
<div class="yui-b">
[% INCLUDE 'circ-menu.inc' %]
</div>
[% END %]
</div>
[% MACRO jsinclude BLOCK %]
[% INCLUDE 'calendar.inc' %]
[% INCLUDE 'datatables.inc' %]
[% Asset.js("lib/jquery/plugins/jquery-ui-timepicker-addon.min.js") | $raw %]
<script type="text/javascript">
$(document).ready(function() {
if($('#barcodelist').length) {
$('#barcodelist').focus();
} else if ($('#checkoutrenew').length) {
$('#checkoutrenew').focus();
}
$("#checkout_infos").dataTable($.extend(true, {}, dataTablesDefaults, {
"sDom": 't',
"aaSorting": [],
"aoColumnDefs": [
{ "bSortable": false, "bSearchable": false, 'aTargets': [ 'NoSort' ] },
{ "sType": "anti-the", "aTargets" : [ "anti-the" ] }
],
"bPaginate": false
}));
});
</script>
[% INCLUDE 'str/members-menu.inc' %]
[% Asset.js("js/members-menu.js") | $raw %]
[% END %]
[% INCLUDE 'intranet-bottom.inc' %]