Koha/koha-tmpl/intranet-tmpl/prog/en/modules/members/pay.tt
Amit Gupta feeab2b3a0 Bug 19614: Fix XSS in members/pay.pl
To test
1. Open /cgi-bin/koha/members/memberentry.pl
2. In the firstname and surname fields, enter text that contains JavaScript (for example a script tag)
3. Save the page.
4. Click on the Fines tab
5. Notice that the JavaScript is executed
6. Apply the patch and reload; the JavaScript is now escaped and displayed as text

Signed-off-by: Chris Cormack <chris@bigballofwax.co.nz>

Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
2018-01-09 16:01:40 -03:00

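[%# Staff-client "Pay fines" tab for a single patron (rendered by members/pay.pl).
    Every value interpolated from patron or accountline data must carry an output
    filter (| html inside markup, | uri inside URL query parameters): the patron
    name fields in the title, breadcrumb and "no fines" message were an XSS vector
    until they were escaped (Bug 19614). %]
[% USE Koha %]
[% USE AuthorisedValues %]
[% USE Branches %]
[% USE Price %]
[% INCLUDE 'doc-head-open.inc' %]
<title>Koha &rsaquo; Patrons &rsaquo; Pay Fines for [% borrower.firstname |html %] [% borrower.surname |html %]</title>
[% INCLUDE 'doc-head-close.inc' %]
<script type="text/javascript" src="[% interface %]/lib/jquery/plugins/jquery.checkboxes.min.js"></script>
<script type="text/javascript">
//<![CDATA[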
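// Enable the "Pay selected" button only while at least one fine checkbox
// (input.cb) is ticked; otherwise keep it disabled.
function enableCheckboxActions(){
    // jQuery's .size() is deprecated (removed in jQuery 3.0); .length returns
    // the same count. The original also re-wrapped an existing jQuery object.
    var checkedCount = $("input.cb:checked").length;
    $("#payselected").prop("disabled", checkedCount === 0);
}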
// Wire up the pay-fines form once the DOM is available.
$(document).ready(function(){
    // Guard against a double click submitting the payment twice.
    $('#pay-fines-form').preventDoubleFormSubmit();

    // "Write off all" asks for confirmation; cancelling stops the submit.
    // The total is rendered server-side by the Price filter into the JS string
    // literal below — assumed to be plain numeric text; TODO confirm the filter
    // can never emit a double quote.
    $("#woall").on("click", function(evt){
        var msg = _("Are you sure you want to write off %s in outstanding fines? This cannot be undone!").format( "[% total | $Price %]" );
        if (!confirm(msg)) {
            evt.preventDefault();
        }
    });

    // Bulk select / clear of the fine checkboxes (jquery.checkboxes plugin);
    // both refresh the "Pay selected" button state and swallow the link click.
    $('#CheckAll').on("click", function(){
        $("#finest").checkCheckboxes();
        enableCheckboxActions();
        return false;
    });
    $('#CheckNone').on("click", function(){
        $("#finest").unCheckCheckboxes();
        enableCheckboxActions();
        return false;
    });

    // Any individual checkbox change re-evaluates the button state.
    $(".cb").on("change", enableCheckboxActions);
    enableCheckboxActions();
});
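//]]>
</script>
</head>
<body id="pat_pay" class="pat">
[% INCLUDE 'header.inc' %]
[% INCLUDE 'patron-search.inc' %]
<div id="breadcrumbs"><a href="/cgi-bin/koha/mainpage.pl">Home</a> &rsaquo; <a href="/cgi-bin/koha/members/members-home.pl">Patrons</a> &rsaquo; Pay fines for [% borrower.firstname |html %] [% borrower.surname |html %]</div>
<div id="doc3" class="yui-t2">
<div id="bd">
<div id="yui-main">
<div class="yui-b">
[% INCLUDE 'members-toolbar.inc' borrowernumber=borrower.borrowernumber %]
<!-- The manual invoice and credit buttons -->
<div class="statictabs">
<ul>
[%# borrowernumber is used as a URL query parameter here, so it is URI-escaped. %]
<li><a href="/cgi-bin/koha/members/boraccount.pl?borrowernumber=[% borrower.borrowernumber | uri %]">Account</a></li>
<li class="active"><a href="/cgi-bin/koha/members/pay.pl?borrowernumber=[% borrower.borrowernumber | uri %]" >Pay fines</a></li>
<li><a href="/cgi-bin/koha/members/maninvoice.pl?borrowernumber=[% borrower.borrowernumber | uri %]" >Create manual invoice</a></li>
<li><a href="/cgi-bin/koha/members/mancredit.pl?borrowernumber=[% borrower.borrowernumber | uri %]" >Create manual credit</a></li>
</ul>
<div class="tabs-container">
[% IF ( accounts ) %]
[%# State-changing POST. NOTE(review): no anti-CSRF token is visible in this form;
    confirm that pay.pl enforces one (or an equivalent check) server-side. %]
<form action="/cgi-bin/koha/members/pay.pl" method="post" id="pay-fines-form">
<input type="hidden" name="borrowernumber" id="borrowernumber" value="[% borrower.borrowernumber | html %]" />
<p><span class="checkall"><a id="CheckAll" href="#"><i class="fa fa-check"></i> Select all</a></span> | <span class="clearall"><a id="CheckNone" href="#"><i class="fa fa-remove"></i> Clear all</a></span></p>
<table id="finest">
<thead>
<tr>
<th scope="col">&nbsp;</th>
<th scope="col">Fines &amp; charges</th>
<th scope="col">Description</th>
<th scope="col">Payment note</th>
<th scope="col">Account type</th>
<th scope="col">Amount</th>
<th scope="col">Amount outstanding</th>
</tr>
</thead>
<tfoot>
<tr>
<td class="total" colspan="6">Total due:</td>
<td style="text-align: right;">[% total | $Price %]</td>
</tr>
</tfoot>
<tbody>
[%# Every accountline field below comes from the database and is emitted through
    the html filter, the same protection the patron name fields received in
    Bug 19614. description and title appear to be free text and were previously
    written unescaped both into hidden-input values and into the cell body. The
    browser decodes the entity-escaped hidden values on submit, so pay.pl still
    receives the original strings. %]
[% FOREACH line IN accounts %]
<tr>
<td>
[% IF ( line.amountoutstanding > 0 ) %]
<input class="cb" type="checkbox" checked="checked" name="incl_par_[% line.accountlines_id | html %]" />
[% END %]
</td>
<td>
[% IF ( line.amountoutstanding > 0 ) %]
<input type="submit" name="pay_indiv_[% line.accountlines_id | html %]" value="Pay" />
[% IF CAN_user_updatecharges_writeoff %]<input type="submit" name="wo_indiv_[% line.accountlines_id | html %]" value="Write off" />[% END %]
[% END %]
<input type="hidden" name="itemnumber[% line.accountlines_id | html %]" value="[% line.itemnumber | html %]" />
<input type="hidden" name="description[% line.accountlines_id | html %]" value="[% line.description | html %]" />
<input type="hidden" name="accounttype[% line.accountlines_id | html %]" value="[% line.accounttype | html %]" />
<input type="hidden" name="amount[% line.accountlines_id | html %]" value="[% line.amount | html %]" />
<input type="hidden" name="accountlines_id[% line.accountlines_id | html %]" value="[% line.accountlines_id | html %]" />
<input type="hidden" name="amountoutstanding[% line.accountlines_id | html %]" value="[% line.amountoutstanding | html %]" />
<input type="hidden" name="borrowernumber[% line.accountlines_id | html %]" value="[% line.borrowernumber | html %]" />
</td>
<td>
[% SWITCH line.accounttype %]
[% CASE 'Pay' %]Payment, thanks
[% CASE 'Pay00' %]Payment, thanks (cash via SIP2)
[% CASE 'Pay01' %]Payment, thanks (VISA via SIP2)
[% CASE 'Pay02' %]Payment, thanks (credit card via SIP2)
[% CASE 'N' %]New card
[% CASE 'F' %]Fine
[% CASE 'A' %]Account management fee
[% CASE 'M' %]Sundry
[% CASE 'L' %]Lost item
[% CASE 'W' %]Writeoff
[% CASE 'FU' %]Accruing fine
[% CASE 'HE' %]Hold waiting too long
[% CASE 'Rent' %]Rental fee
[% CASE 'FOR' %]Forgiven
[% CASE 'LR' %]Lost item fee refund
[% CASE 'PF' %]Processing fee
[% CASE 'PAY' %]Payment
[% CASE 'WO' %]Writeoff
[% CASE 'C' %]Credit
[% CASE 'CR' %]Credit
[% CASE %][% line.accounttype | html %]
[%- END -%]
[%- IF line.description %], [% line.description | html %][% END %]
[% IF line.title %]([% line.title | html %])[% END %]
</td>
<td><input type="text" name="payment_note_[% line.accountlines_id | html %]" /></td>
<td>[% line.accounttype | html %]</td>
<td class="debit" style="text-align: right;">[% line.amount | $Price %]</td>
<td class="debit" style="text-align: right;">[% line.amountoutstanding | $Price %]</td>
</tr>
[% END %]
[% IF ( account_grp.total ) %]
<tr>
[%# The table has seven columns; colspan="8" plus the amount cell made this row
    one cell wider than the header. colspan="6" matches the "Total due" footer. %]
<td class="total" colspan="6" style="text-align: right;">Sub total:</td>
<td style="text-align: right;">[% account_grp.total | $Price %]</td>
</tr>
[% END %]
</tbody>
</table>
<fieldset class="action">
<input type="submit" id="paycollect" name="paycollect" value="Pay amount" class="submit" />
[% IF CAN_user_updatecharges_writeoff %]<input type="submit" name="woall" id="woall" value="Write off all" class="submit" />[% END %]
<input type="submit" id="payselected" name="payselected" value="Pay selected" class="submit" />
<a class="cancel" href="/cgi-bin/koha/members/boraccount.pl?borrowernumber=[% borrower.borrowernumber | uri %]">Cancel</a>
</fieldset>
</form>
[% ELSE %]
<p>[% borrower.firstname |html %] [% borrower.surname |html %] has no outstanding fines.</p>
[% END %]
</div></div>
</div>
</div>
<div class="yui-b">
[% INCLUDE 'circ-menu.inc' %]
</div>
</div>
[% INCLUDE 'intranet-bottom.inc' %]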