Bug 19086: Fix Stored XSS in members/member.pl
[koha-ffzg.git] / koha-tmpl / intranet-tmpl / prog / en / modules / members / member.tt
index 0ee110b..73598d8 100644 (file)
@@ -37,7 +37,6 @@ $(document).ready(function() {
         }
     });
 
-    $("#patron_list_dialog").hide();
     $("#add_to_patron_list_submit").on('click', function(e){
         if ( $('#add_to_patron_list').val() == 'new' ) {
             if ( $('#new_patron_list').val() ) {
@@ -109,13 +108,14 @@ $(document).ready(function() {
         e.preventDefault();
         clearFilters(true);
     });
+    $("#searchform").on("submit", filter);
 });
 
 var dtMemberResults;
 var search = 1;
 $(document).ready(function() {
     [% IF searchmember %]
-        $("#searchmember_filter").val("[% searchmember %]");
+        $("#searchmember_filter").val("[% searchmember | html %]");
     [% END %]
     [% IF searchfieldstype %]
         $("searchfieldstype_filter").val("[% searchfieldstype %]");
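Review bot: On the `$("#searchmember_filter").val("[% searchmember | html %]");` line the value is interpolated into a JavaScript string literal, and `html` is an HTML-context escape: it does stop `"` and `</script>` from terminating the literal, but only by turning `"` and `&` into `&quot;` and `&amp;`, which then appear verbatim in the pre-filled filter field, and it leaves backslashes and line breaks untouched, so a search term containing a newline still breaks the script with a syntax error. A JavaScript-string escape, or reading the value from a hidden input or data attribute with `.val()`/`.data()` instead of interpolating it into script, would be the context-correct fix. The unchanged line two below, `$("searchfieldstype_filter").val("[% searchfieldstype %]");`, still interpolates its value unfiltered and appears to be missing the `#` in the selector, so it is worth folding into the same fix. The `$(document).ready` handler continues past the hunk.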
@@ -131,8 +131,9 @@ $(document).ready(function() {
     [% END %]
 
     [% IF view != "show_results" %]
-        $("#searchresults").hide();
         search = 0;
+    [% ELSE %]
+        $("#searchresults").show();
     [% END %]
 
     // Build the aLengthMenu
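Review bot: After removing `$("#searchresults").hide();` from the `view != "show_results"` branch, nothing in the script hides the results block on a non-results view any more, so the new `[% ELSE %] $("#searchresults").show(); [% END %]` only works if `#searchresults` is hidden by default in the stylesheet or markup, which is outside this diff and I cannot confirm here. If that default is missing, the empty results block and its header are rendered on the initial page. A one-line comment above the `[% IF view != "show_results" %]` such as `// #searchresults is hidden by default; only reveal it when results are being shown` would record the assumption. The enclosing `$(document).ready` handler starts and ends outside the hunk.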
@@ -161,6 +162,10 @@ $(document).ready(function() {
 
     // Apply DataTables on the results table
     var columns_settings = [% ColumnsSettings.GetColumns( 'members', 'member', 'memberresultst', 'json' ) %];
+    [% UNLESS CAN_user_tools_manage_patron_lists %]
+        [%# Remove the first column if we do not display the checkbox %]
+        columns_settings.splice(0, 1);
+    [% END %]
     dtMemberResults = KohaTable("#memberresultst", {
         'bServerSide': true,
         'sAjaxSource': "/cgi-bin/koha/svc/members/search",
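Review bot: `columns_settings.splice(0, 1);` assumes the checkbox column is always the first entry returned by `ColumnsSettings.GetColumns(...)` and that the results table markup (outside this hunk) omits that column under the same `CAN_user_tools_manage_patron_lists` test; if the two ever disagree the settings shift by one and every column is configured with its neighbour's visibility settings. The existing comment could state that coupling explicitly, e.g. `[%# Remove the first column if we do not display the checkbox; keep in sync with the CAN_user_tools_manage_patron_lists test around the checkbox column in the results table %]`. The enclosing `$(document).ready` handler starts and ends outside the hunk.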
@@ -346,13 +351,13 @@ function filterByFirstLetterSurname(letter) {
           [% IF ( CAN_user_borrowers && pending_borrower_modifications ) %]
             <div class="pending-info" id="patron_updates_pending">
               <a href="/cgi-bin/koha/members/members-update.pl">Patrons requesting modifications</a>:
-              <span class="holdcount"><a href="/cgi-bin/koha/members/members-update.pl">[% pending_borrower_modifications %]</a></span>
+              <span class="number_box"><a href="/cgi-bin/koha/members/members-update.pl">[% pending_borrower_modifications %]</a></span>
             </div>
           [% END %]
 
           <div id="searchresults">
             <div id="searchheader">
-              <h3>Patrons found for: <span id="searchpattern">[% IF searchmember %] for '[% searchmember %]'[% END %]</span></h3>
+              <h3>Patrons found for: <span id="searchpattern">[% IF searchmember %] for '[% searchmember | html %]'[% END %]</span></h3>
             </div>
             [% IF CAN_user_tools_manage_patron_lists %]
               <div id="searchheader">
@@ -409,7 +414,7 @@ function filterByFirstLetterSurname(letter) {
       </div>
     </div>
     <div class="yui-b">
-      <form onsubmit="return filter();" id="searchform">
+      <form method="get" id="searchform">
         <input type="hidden" id="firstletter_filter" value="" />
         <fieldset class="brief">
           <h3>Filters</h3>
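Review bot: `<form method="get" id="searchform">` has no `action`, so any native submission goes to the current page URL with every filter input as a query parameter; that stays a script-side filter only as long as the `filter` handler now bound with `.on("submit", filter)` prevents the default (returning `false` from a jQuery handler does), and `filter` is defined outside this diff. Making the fallback target explicit, e.g. `<form method="get" action="/cgi-bin/koha/members/member.pl" id="searchform">`, documents the intended no-JavaScript behaviour instead of relying on the current URL. The `<form>` element continues past the hunk.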
@@ -506,13 +511,7 @@ function filterByFirstLetterSurname(letter) {
                 [% IF branches.size != 1 %]
                   <option value="">Any</option>
                 [% END %]
-                [% FOREACH b IN branches %]
-                  [% IF b.selected %]
-                    <option selected="selected" value="[% b.branchcode %]">[% b.branchname %]</option>
-                  [% ELSE %]
-                    <option value="[% b.branchcode %]">[% b.branchname %]</option>
-                  [% END %]
-                [% END %]
+                [% PROCESS options_for_libraries libraries => branches %]
               </select>
             </li>
           </ol>
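Review bot: Replacing the inline `FOREACH` with `[% PROCESS options_for_libraries libraries => branches %]` delegates both the `selected` handling and the output escaping to a block defined outside this diff; the old loop emitted `b.branchcode` and `b.branchname` unescaped, so this is only a net improvement if that block applies `| html` to both and still marks the entry flagged by `b.selected` as selected. Worth confirming in review that the include defining `options_for_libraries` is loaded by this template, since the hunk does not show it. The enclosing `<select>` starts outside the hunk.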