Bug 26592: [20.05] Prevent XSS vulnerabilities when circ/ysearch.pl is used

[koha.git] / koha-tmpl / intranet-tmpl / prog / en / modules / reports / dictionary.tt

[% SET footerjs = 1 %]
[% INCLUDE 'doc-head-open.inc' %]
<title>Koha &rsaquo; Reports &rsaquo; Guided reports &rsaquo; Dictionary</title>
[% INCLUDE 'doc-head-close.inc' %]
<style>fieldset.rows table { clear: none; margin: 0;}</style>
</head>

<body id="rep_dictionary" class="rep">
[% INCLUDE 'header.inc' %]
[% INCLUDE 'circ-search.inc' %]

[%- BLOCK area_name -%]
    [%- SWITCH area -%]
        [%- CASE 'CIRC' -%]Circulation
        [%- CASE 'CAT'  -%]Catalog
        [%- CASE 'PAT'  -%]Patrons
        [%- CASE 'ACQ'  -%]Acquisitions
        [%- CASE 'ACC'  -%]Accounts
        [%- CASE 'SER'  -%]Serials
    [%- END -%]
[%- END -%]

<div id="breadcrumbs"><a href="/cgi-bin/koha/mainpage.pl">Home</a> &rsaquo; <a href="/cgi-bin/koha/reports/reports-home.pl">Reports</a> &rsaquo; <a href="/cgi-bin/koha/reports/guided_reports.pl">Guided reports wizard</a>
[% IF ( new_dictionary ) %] &rsaquo; <a href="/cgi-bin/koha/reports/dictionary.pl">Dictionary</a> &rsaquo; <strong>Name the new definition</strong>
[% ELSIF ( step_2 ) %] &rsaquo; <a href="/cgi-bin/koha/reports/dictionary.pl">Dictionary</a> &rsaquo; <strong>Step 2: Choose the area </strong> 
[% ELSIF ( step_3 ) %] &rsaquo; <a href="/cgi-bin/koha/reports/dictionary.pl">Dictionary</a> &rsaquo; <strong>Step 3: Choose a column </strong>
[% ELSIF ( step_4 ) %] &rsaquo; <a href="/cgi-bin/koha/reports/dictionary.pl">Dictionary</a> &rsaquo; <strong>Step 4: Specify a value </strong> 
[% ELSIF ( step_5 ) %] &rsaquo; <a href="/cgi-bin/koha/reports/dictionary.pl">Dictionary</a> &rsaquo; <strong>Step 5: Confirm definition</strong> 
[% ELSE %] &rsaquo; <strong> Dictionary </strong>[% END %]</div>

<div class="main container-fluid">
    <div class="row">
        <div class="col-sm-10 col-sm-push-2">
            <main>

[% IF ( start_dictionary ) %]
    <div id="toolbar">
        <a id="newdictionary" class="btn btn-default" href="/cgi-bin/koha/reports/dictionary.pl?phase=Add%20New%20Definition"><i class="fa fa-plus"></i> New definition</a>
    </div>
[% END %]
<h1>Dictionary</h1>
[% IF ( start_dictionary ) %]
        <p>Use the dictionary to define custom criteria for reporting.</p>

                [% IF ( definitions ) %]
        <h2>Current terms</h2>
                <form action="/cgi-bin/koha/reports/dictionary.pl" method="post">
        <input type="hidden" name="phase" value="View Dictionary" />
  [% IF ( areas ) %]
        Filter by area
        <select name="area">
          <option value="">All</option>
        [% FOREACH area IN areas %]
          [%- IF ( area.selected ) -%]
          <option value="[% area.id | html %]" selected="selected">[%- PROCESS area_name area=area.id -%]</option>
          [%- ELSE -%]
          <option value="[% area.id | html %]">[%- PROCESS area_name area=area.id -%]</option>
          [%- END -%]
        [% END %]
        </select>
      <input name="submit" value="Go" type="submit" />
  [% END %]
      </form>
      <br />
        <table>
            <tr>
                <th>Name</th>
                <th>Description</th>
                <th>Area</th>
                <th>Definition</th>
                <th>Action</th>
            </tr>
            [% FOREACH definition IN definitions %]
            <tr>
                <td>[% definition.name | html %]</td>
                <td>[% definition.description | html %]</td>
                <td>[% definition.areaname | html %]</td>
                <td>[% definition.saved_sql | html %]</td>
                <td class="actions"><form method="post" action="/cgi-bin/koha/reports/dictionary.pl">
                    <input type="hidden" name="id" value="[% definition.id | html %]" />
                    <input type="hidden" name="phase" value="Delete Definition" />
                    <button type="submit" name="submit" class="btn btn-default btn-xs" id="delete"><i class="fa fa-trash"></i> Delete</button>
                </form></td>
            </tr>
            [% END %]
        </table>
                [% ELSE %]
                <div class="dialog message">There are no saved definitions. <a id="newdictionary" href="/cgi-bin/koha/reports/dictionary.pl?phase=Add%20New%20Definition">Add a definition to the dictionary.</a></div>
                [% END %]
[% END %]

[% IF ( new_dictionary ) %]
<h3>Add new definition</h3>
<form action="/cgi-bin/koha/reports/dictionary.pl" method="post">
<fieldset class="rows"><legend>Step 1 of 5: Name the new definition</legend><ol>
<li>
<label for="definition_name">Definition name:</label>
<input type="text" id="definition_name" name="definition_name" />
</li>
<li>
<label for="definition_description">Definition description:</label>
<textarea name="definition_description" id="definition_description" rows="3" cols="20"></textarea>
</li>
</ol></fieldset>

<fieldset class="action"><input type="hidden" name="phase" value="New Term step 2" />
<input name="submit" value="Next" type="submit" /></fieldset>
</form>
[% END %]

[%- IF ( step_2 ) -%]
<h3>Add new definition</h3>
<form action="/cgi-bin/koha/reports/dictionary.pl" method="post">
  <fieldset class="rows">
    <legend>Step 2 of 5: Choose the area</legend>
    <ol>
      <li>
        <input type="hidden" name="phase" value="New Term step 3" />
        <input type="hidden" name="definition_name" value="[% definition_name | html %]" />
        <input type="hidden" name="definition_description" value="[% definition_description | html %]" />
        <label for="area">Select table:</label><select name="area" id="area">
      [%- FOREACH area IN areas -%]
        <option value="[%- area.id | html -%]">[%- PROCESS area_name area=area.id -%]</option>
      [%- END -%]
        </select>
      </li>
    </ol>
  </fieldset>
  <fieldset class="action"><input name="submit" value="Next" type="submit" /></fieldset>
</form>
[%- END -%]

[% IF ( step_3 ) %]
<h3>Add new definition</h3>
<form action="/cgi-bin/koha/reports/dictionary.pl" method="post">      
<fieldset class="rows">
<legend>Step 3 of 5: Choose a column</legend>
<input type="hidden" name="area" value="[% area | html %]" />
<input type="hidden" name="definition_name" value="[% definition_name | html %]" />
<input type="hidden" name="definition_description" value="[% definition_description | html %]" />

<select id="availableColumns" name="columns" size="25" style="width:200px;height:300px;margin:1em;">
[% FOREACH column IN columns %]
[% IF ( column.table ) %]
[% IF ( loop.first ) %]                              
[% ELSE %]               
</optgroup>        
[% END %]                                                         

<optgroup label="[% column.table | html %]">              
[% ELSE %]               
<option value="[% column.name | html %]">
[% IF ( column.description ) %][% column.description | html %]    
[% ELSE %]               
[% column.name | html %]                          
[% END %]              
</option>      
[% END %]              
[% END %]                
</optgroup>
</select>

<input type="hidden" name="phase" value="New Term step 4" />
</fieldset>
<fieldset class="action"><input type="submit" name="submit" value="Next" /></fieldset>
</form>
[% END %]

[% IF ( step_4 ) %]
<h3>Add new definition</h3>
<form action="/cgi-bin/koha/reports/dictionary.pl" method="post">
<fieldset class="rows">
<legend>Step 4 of 5: Specify a value</legend>
<input type="hidden" name="area" value="[% area | html %]" />
<input type="hidden" name="definition_name" value="[% definition_name | html %]" />
<input type="hidden" name="definition_description" value="[% definition_description | html %]" />
<input type="hidden" name="columnstring" value="[% columnstring | html %]" />

[% FOREACH column IN columns %]
<input type="hidden" name="criteria_column" value="[% column.name | html %]" />
<ol><li><span class="label">Column: </span> [% column.name | html %]</li>
[% IF ( column.distinct ) %]
    <li><label for="[% column.name | html %]_value">Choose: </label> <select id="[% column.name | html %]_value" name="[% column.name | html %]_value">
        [% FOREACH value IN column.values %]
            <option value="[% value.availablevalues | html %]">[% value.availablevalues | html %]</option>
        [% END %]
    </select></li>
[% END %]
[% IF ( column.date ) %]
    <li class="radio">
        <label for="all_dates">All dates</label>
        <input type="radio" id="all_dates" name="[% column.name | html %]_date_type_value" value="all" checked="checked" />
        <label for="date_range">Date range</label>
        <input type="radio" id="date_range" name="[% column.name | html %]_date_type_value" value="range" />
    </li>
    <li class="radio">
        Start of date range
        <input type="text" size="10" id="from" name="[% column.name | html %]_start_value" value="" class="datepickerfrom" />
        <div class="hint">[% INCLUDE 'date-format.inc' %]</div>
        End of date range
        <input type="text" size="10" id="to" name="[% column.name | html %]_end_value" value="" class="datepickerto" />
        <div class="hint">[% INCLUDE 'date-format.inc' %]</div>
    </li>
[% END %]
[% IF ( column.text ) %]
        <li><label for="[% column.name | html %]_value">Search string matches: </label> <input type="text" size="13" name="[% column.name | html %]_value" /></li>
[% END %]

[% END %]
</ol>
<input type="hidden" name="phase" value="New Term step 5" />
</fieldset>
<fieldset class="action">
<input type="submit" name="submit" value="Next" />
</fieldset>
</form>
[% END %]

[% IF ( step_5 ) %]
<form action="/cgi-bin/koha/reports/dictionary.pl" method="post">
<input type="hidden" name="area" value="[% area | html %]" />
<input type="hidden" name="definition_name" value="[% definition_name | html %]" />
<input type="hidden" name="definition_description" value="[% definition_description | html %]" />
<input type="hidden" name="columnstring" value="[% columnstring | html %]" />

<h3>Add new definition</h3>

<fieldset class="rows">
  <legend>Step 5 of 5: Confirm details</legend>
  <ol>
    <li>
      <span class="label">Name:</span>[%- definition_name | html -%]
    </li>
    <li>
      <span class="label">Description:</span>[%- definition_description | html -%]
    </li>
    <li>
      <span class="label">Area:</span>[%- PROCESS area_name area=area -%]
    </li>
    <li>
      <span class="label">Data:</span>
      <table>
        <tr>
          <th>Columns</th>
          <th>Values</th>
        </tr>
      [%- FOREACH criteria_loo IN criteria_loop -%]
        <tr>
          <td>[%- criteria_loo.name | html -%]</td>
          <td>[%- criteria_loo.value | html -%]</td>
        </tr>
      [%- END -%]
      </table>
    </li>
  </ol>
</fieldset>

<fieldset class="action"><input type="hidden" name="sql" value="[% query | html %]" />
<input type="hidden" name="phase" value="New Term step 6" />
<input type="submit" name="submit" value="Save" />         </fieldset>

</form>
[% END %]

            </main>
        </div> <!-- /.col-sm-10.col-sm-push-2 -->

        <div class="col-sm-2 col-sm-pull-10">
            <aside>
                [% INCLUDE 'guided-reports-view.inc' %]
            </aside>
        </div> <!-- /.col-sm-2.col-sm-pull-10 -->
     </div> <!-- /.row -->

[% MACRO jsinclude BLOCK %]
    [% INCLUDE 'calendar.inc' %]
    <script>
        var MSG_CONFIRM_DELETE = _("Are you sure you want to delete this dictionary definition? This cannot be undone.");

        $(document).ready(function() {
            $("#delete").on("click",function(){
                return confirmDelete(MSG_CONFIRM_DELETE);
            });

            $("#date_range").change(function(){
                $("input#from").parents('li').show();
            });
            $("#all_dates").change(function(){
                $("input#from").parents('li').hide();
            });
            $("#all_dates").click().change();
        });
    </script>
[% END %]

[% INCLUDE 'intranet-bottom.inc' %]