Bug 19614: Fix XSS in members/pay.pl

[koha.git] / koha-tmpl / intranet-tmpl / prog / en / modules / members / pay.tt

[% USE Koha %]
[% USE AuthorisedValues %]
[% USE Branches %]
[% USE Price %]
[% INCLUDE 'doc-head-open.inc' %]
<title>Koha &rsaquo; Patrons &rsaquo; Pay Fines for  [% borrower.firstname |html %] [% borrower.surname |html %]</title>
[% INCLUDE 'doc-head-close.inc' %]
<script type="text/javascript" src="[% interface %]/lib/jquery/plugins/jquery.checkboxes.min.js"></script>
<script type= "text/javascript">
//<![CDATA[
function enableCheckboxActions(){
    // Enable/disable controls if checkboxes are checked
    var checkedBoxes = $("input.cb:checked");
    if ($(checkedBoxes).size()) {
      $("#payselected").prop("disabled",false);
    } else {
      $("#payselected").prop("disabled",true);
    }
}
    $(document).ready(function(){
 $('#pay-fines-form').preventDoubleFormSubmit();
        $("#woall").click(function(event){
            var msg = _("Are you sure you want to write off %s in outstanding fines? This cannot be undone!").format( "[% total | $Price %]" );
            var answer = confirm(msg);
                if (!answer){
                    event.preventDefault();
                }
        });
        $('#CheckAll').click(function(){
            $("#finest").checkCheckboxes();
            enableCheckboxActions();
            return false;
        });
        $('#CheckNone').click(function(){
            $("#finest").unCheckCheckboxes();
            enableCheckboxActions();
            return false;
        });
        $(".cb").change(function(){
            enableCheckboxActions();
        });
        enableCheckboxActions();
    });
//]]>
</script>
</head>
<body id="pat_pay" class="pat">
[% INCLUDE 'header.inc' %]
[% INCLUDE 'patron-search.inc' %]

<div id="breadcrumbs"><a href="/cgi-bin/koha/mainpage.pl">Home</a> &rsaquo; <a href="/cgi-bin/koha/members/members-home.pl">Patrons</a>  &rsaquo; Pay fines for [% borrower.firstname |html %] [% borrower.surname |html %]</div>

<div id="doc3" class="yui-t2">
   
   <div id="bd">
        <div id="yui-main">
        <div class="yui-b">
[% INCLUDE 'members-toolbar.inc' borrowernumber=borrower.borrowernumber %]

<!-- The manual invoice and credit buttons -->
<div class="statictabs">
<ul>
        <li><a href="/cgi-bin/koha/members/boraccount.pl?borrowernumber=[% borrower.borrowernumber %]">Account</a></li>
    <li class="active"><a href="/cgi-bin/koha/members/pay.pl?borrowernumber=[% borrower.borrowernumber %]" >Pay fines</a></li>
        <li><a href="/cgi-bin/koha/members/maninvoice.pl?borrowernumber=[% borrower.borrowernumber %]" >Create manual invoice</a></li>
        <li><a href="/cgi-bin/koha/members/mancredit.pl?borrowernumber=[% borrower.borrowernumber %]" >Create manual credit</a></li>
</ul>
<div class="tabs-container">

[% IF ( accounts ) %]
    <form action="/cgi-bin/koha/members/pay.pl" method="post" id="pay-fines-form">
        <input type="hidden" name="borrowernumber" id="borrowernumber" value="[% borrower.borrowernumber %]" />
<p><span class="checkall"><a id="CheckAll" href="#"><i class="fa fa-check"></i> Select all</a></span> | <span class="clearall"><a id="CheckNone" href="#"><i class="fa fa-remove"></i> Clear all</a></span></p>
<table id="finest">
<thead>
<tr>
    <th>&nbsp;</th>
    <th>Fines &amp; charges</th>
    <th>Description</th>
    <th>Payment note</th>
    <th>Account type</th>
    <th>Notify id</th>
    <th>Level</th>
    <th>Amount</th>
    <th>Amount outstanding</th>
</tr>
</thead>
<tfoot>
<tr>
    <td class="total" colspan="8">Total due:</td>
    <td style="text-align: right;">[% total | $Price %]</td>
</tr>
</tfoot>
<tbody>
[% FOREACH account_grp IN accounts %]
    [% FOREACH line IN account_grp.accountlines %]
<tr>
    <td>
    [% IF ( line.amountoutstanding > 0 ) %]
        <input class="cb" type="checkbox" checked="checked" name="incl_par_[% line.accountlines_id %]" />
    [% END %]
    </td>
    <td>
    [% IF ( line.amountoutstanding > 0 ) %]
        <input type="submit" name="pay_indiv_[% line.accountlines_id %]" value="Pay" />
        [% IF CAN_user_updatecharges_writeoff %]<input type="submit" name="wo_indiv_[% line.accountlines_id %]" value="Write off" />[% END %]
    [% END %]
    <input type="hidden" name="itemnumber[% line.accountlines_id %]" value="[% line.itemnumber %]" />
    <input type="hidden" name="description[% line.accountlines_id %]" value="[% line.description %]" />
    <input type="hidden" name="accounttype[% line.accountlines_id %]" value="[% line.accounttype %]" />
    <input type="hidden" name="amount[% line.accountlines_id %]" value="[% line.amount %]" />
    <input type="hidden" name="accountlines_id[% line.accountlines_id %]" value="[% line.accountlines_id %]" />
    <input type="hidden" name="amountoutstanding[% line.accountlines_id %]" value="[% line.amountoutstanding %]" />
    <input type="hidden" name="borrowernumber[% line.accountlines_id %]" value="[% line.borrowernumber %]" />
    <input type="hidden" name="notify_id[% line.accountlines_id %]" value="[% line.notify_id %]" />
    <input type="hidden" name="notify_level[% line.accountlines_id %]" value="[% line.notify_level %]" />
    <input type="hidden" name="totals[% line.accountlines_id %]" value="[% line.totals %]" />
    </td>
    <td>
        [% SWITCH line.accounttype %]
          [% CASE 'Pay' %]Payment, thanks
          [% CASE 'Pay00' %]Payment, thanks (cash via SIP2)
          [% CASE 'Pay01' %]Payment, thanks (VISA via SIP2)
          [% CASE 'Pay02' %]Payment, thanks (credit card via SIP2)
          [% CASE 'N' %]New card
          [% CASE 'F' %]Fine
          [% CASE 'A' %]Account management fee
          [% CASE 'M' %]Sundry
          [% CASE 'L' %]Lost item
          [% CASE 'W' %]Writeoff
          [% CASE 'FU' %]Accruing fine
          [% CASE 'HE' %]Hold waiting too long
          [% CASE 'Rent' %]Rental fee
          [% CASE 'FOR' %]Forgiven
          [% CASE 'LR' %]Lost item fee refund
          [% CASE 'PAY' %]Payment
          [% CASE 'WO' %]Writeoff
          [% CASE 'C' %]Credit
          [% CASE 'CR' %]Credit
          [% CASE %][% line.accounttype %]
        [%- END -%]
        [%- IF line.description %], [% line.description %][% END %]
        [% IF line.title %]([% line.title %])[% END %]
    </td>
    <td><input type="text" name="payment_note_[% line.accountlines_id %]" /></td>
    <td>[% line.accounttype %]</td>
    <td>[% line.notify_id %]</td>
    <td>[% line.notify_level %]</td>
    <td class="debit" style="text-align: right;">[% line.amount | $Price %]</td>
    <td class="debit" style="text-align: right;">[% line.amountoutstanding | $Price %]</td>
</tr>
[% END %]
[% IF ( account_grp.total ) %]
<tr>

    <td class="total" colspan="8" style="text-align: right;">Sub total:</td>
    <td style="text-align: right;">[% account_grp.total | $Price %]</td>
</tr>
[% END %]
[% END %]
</tbody>
</table>
<fieldset class="action">
<input type="submit" id="paycollect" name="paycollect"  value="Pay amount" class="submit" />
[% IF CAN_user_updatecharges_writeoff %]<input type="submit" name="woall"  id="woall" value="Write off all" class="submit" />[% END %]
<input type="submit" id="payselected" name="payselected"  value="Pay selected" class="submit" />
<a class="cancel" href="/cgi-bin/koha/members/boraccount.pl?borrowernumber=[% borrower.borrowernumber %]">Cancel</a>
</fieldset>
</form>
[% ELSE %]
    <p>[% borrower.firstname |html %] [% borrower.surname |html %] has no outstanding fines.</p>
[% END %]
</div></div>

</div>
</div>
<div class="yui-b">
[% INCLUDE 'circ-menu.inc' %]
</div>
</div>
[% INCLUDE 'intranet-bottom.inc' %]