LP#1822630: further sanitizing of CGI params when embedded in HTML
[working/Evergreen.git] / Open-ILS / src / templates / opac / parts / place_hold.tt2
1 [%  PROCESS "opac/parts/misc_util.tt2";
2     PROCESS "opac/parts/hold_error_messages.tt2";
3     PROCESS "opac/parts/metarecord_hold_filters.tt2";
4 %]
5 <script>
6 // Toggle the activation date input and check the suspend checkbox.
7 // If JavaScript is disabled, the CSS will handle the former, but
8 // the latter will not happen.
9 function toggleActivationDate() {
10     var cb = document.getElementById("hold_suspend");
11     var block = document.getElementById("toggled-block-suspend");
12     var anchor = document.getElementById("actDateToggle");
13     var actText = "[%- l('Hide activation date') -%]";
14     var inActText = "[%- l('Set activation date') -%]";
15     // Check for not equal to block so it works on first click.
16     if (block.style.display != "block") {
17         block.style.display = "block";
18         anchor.innerHTML = actText;
19         if (cb.checked != true) cb.checked = true;
20     } else {
21         block.style.display = "none";
22         anchor.innerHTML = inActText;
23     }
24     // Prevent the href from being followed, thus overriding the CSS.
25     return false;
26 }
27
28 // Maybe enable or disable the num_copies select when the user selects
29 // or deselects a part.
30 function maybeToggleNumCopies(obj) {
31     var numCopies = document.getElementById("num_copies");
32     // Only if numCopies exists.
33     if (numCopies) {
34         var objValue;
35         if (obj.type == 'radio') {
36             if (obj.checked) objValue = obj.value;
37             else return;
38         } else {
39             objValue = obj.value;
40         }
41         if (objValue && objValue != '') {
42             if (numCopies.value != '1') numCopies.value = '1';
43             if (!numCopies.disabled) numCopies.disabled = true;
44         } else {
45             if (numCopies.disabled) numCopies.disabled = false;
46         }
47     }
48 }
49 </script>
50 <div id='holds_box' class='canvas' style='margin-top: 6px;'>
51     <h1>[% l('Place Hold') %]</h1>
52
53     [% some_holds_allowed = -1 %]
54
55     <!-- loop through the holds and display status of request where appropriate -->
56         [% FOR hdata IN ctx.hold_data;
57             attrs = {marc_xml => hdata.marc_xml};
58             PROCESS get_marc_attrs args=attrs;
59             this_hold_disallowed = 0;
60
61             IF CGI.param('hold_type') == 'M';
62               IF hdata.metarecord_filters.formats.size == 0;
63                 this_hold_disallowed = 1;
64                 # if this is the first hold and it's disallowed,
65                 # assume all holds are, until we proven otherwise
66                 SET some_holds_allowed = 0 IF some_holds_allowed == -1;
67               ELSE; some_holds_allowed = 1; END;
68             END %]
69      
70       [% IF loop.first %] 
71     <form method="post" name="PlaceHold" onsubmit="return validateHoldForm()" >
72         <input type="hidden" name="hold_type" value="[% CGI.param('hold_type') | html %]" />
73         [%  
74             redirect = CGI.param('hold_source_page') || CGI.param('redirect_to') || CGI.referer;
75             # since we have to be logged in to get this far, return to a secure page
76             redirect = redirect.replace('^http:', 'https:') 
77         %]
78         <input type="hidden" name="redirect_to" value="[% redirect | html %]" />
79         <input type="hidden" name="hold_source_page" value="[% CGI.param('hold_source_page') | html %]" />
80
81         <!-- Adding hidden fields so that parameters are maintained in
82         searchbar throughout the place hold process. -->
83         <input type="hidden" name="locg" value="[% CGI.param('locg') | html %]" />
84         <input type="hidden" name="qtype" value="[% CGI.param('qtype') | html %]" />
85         <input type="hidden" name="query" value="[% CGI.param('query') | html %]" />
86         [%
87             usr_barcode = CGI.param('usr_barcode') | html;
88             is_requestor = CGI.param('is_requestor');
89
90            IF is_requestor == '';
91                is_requestor = '0';
92            END;
93
94            IF is_requestor == '0' && usr_barcode == ctx.staff_recipient.card.barcode;
95                usr_barcode = '';
96            END;
97         %]
98
99         [% IF ctx.is_staff %]
100         <p class="staff-hold">
101             <input type="radio" id="hold_usr_is_requestor_not"
102                 onchange="staff_hold_usr_input_disabler(this);"
103                 name="hold_usr_is_requestor" value="0"
104                 />
105             <label for="hold_usr_is_requestor_not">
106                 [% l("Place hold for patron by barcode:") %]
107             </label>
108             <input type="text" name="hold_usr" id="hold_usr_input"
109               aria-label="[% l('Barcode') %]"
110               value="[% usr_barcode | html %]" 
111               onchange="staff_hold_usr_barcode_changed();" 
112               onpaste="setTimeout(staff_hold_usr_barcode_changed,1);" 
113               onkeypress="return no_hold_submit(event)" autofocus /> 
114             <span id="patron_name"></span>
115             <span id="patron_usr_barcode_not_found" style="display: none">
116               [% l('Patron barcode was not found') %]
117             </span>
118             [% IF ctx.is_browser_staff %]
119             <button id="hold_usr_search" type="button" class="opac-button" style="display: none;">[% l('Patron Search') %]</button>
120             [% END %]
121             <br />
122             <input type="hidden" id="staff_barcode" 
123               value="[% ctx.staff_recipient.card.barcode | html %]"/>
124             <span>
125                 <input type="radio" id="hold_usr_is_requestor"
126                     onchange="staff_hold_usr_input_disabler(this);"
127                     name="hold_usr_is_requestor" value="1" />
128                 <label for="hold_usr_is_requestor">
129                     [% l("Place this hold for me ([_1] [_2])", ctx.user.first_given_name, ctx.user.family_name) | html %]
130                 </label>
131             </span>
132         </p>
133         [% END %]
134       [% END %]
135
136         <table id='hold-items-list'>
137             <tr>
138                 <td>
139                     [% IF !this_hold_disallowed %]
140                     <input type="hidden" name="hold_target" value="[% hdata.target.id | html %]" />
141                     [% END %]
142                     <div class='hold-items-list-title'>
143                                             <!-- If hold is for grouped formats/editions (metarecord), show short title - else, show complete title --> 
144                                             [% IF CGI.param('hold_type') == 'M' %]
145                                                     [% attrs.title | html %]
146                                                 [% ELSE %]
147                                                     [% attrs.title_extended | html %]
148                                                 [% END %]
149                     </div>
150                     [% IF hdata.parts AND !this_hold_disallowed %]
151                         [% IF hdata.parts.size > 0 %]
152                         <div class='hold-div'>
153                             [% IF enable.radio.parts == 'true' %]
154                                 <span class='hold-span'><label for='select_hold_part'>[%
155                                l('Select a Part:')
156                                %]</label></span>
157                              <div class='radio-parts-selection'>
158                              [% IF !hdata.part_required %]
159                                 <span class='parts-radio-option'>
160                                  <input type='radio' name='part' value='' onchange='maybeToggleNumCopies(this);' required>[% l('All Parts') %]</span>
161                               [% END %]
162                                [% FOR part IN hdata.parts %]
163                                  <span class='parts-radio-option'><input type='radio' name='part' id=[% part.id %] value=[% part.id %] onchange='maybeToggleNumCopies(this);' required>
164                                   <label for=[% part.id %]>[% part.label | html %]</label></span>
165                               [% END %]
166                               </div>
167                           [% ELSE %]
168                             <span style='font-weight: bold;'><label for='select_hold_part'>[%
169                                 hdata.part_required ? l('Select a Part:') : l('Select a Part (optional):')
170                             %]</label></span>
171                             <select id='select_hold_part' name='part' onchange='maybeToggleNumCopies(this);'>
172                                 [% IF !hdata.part_required %]
173                                 <option selected='selected' value=''>[% l('- All Parts -') %]</option>
174                                 [% END %]
175                                 [% FOR part IN hdata.parts %]
176                                 <option value='[% part.id %]'>[% part.label | html %]</option>
177                                 [% END %]
178                             </select>
179                           [% END %]
180                         </div>
181                         [% ELSE %]
182                         <input type='hidden' name='part' value=''/>
183                         [% END %]
184                     [% END %]
185                     [% INCLUDE "opac/parts/multi_hold_select.tt2" IF NOT (this_hold_disallowed AND hdata.part_required); %]
186                     [% IF NOT metarecords.disabled AND ctx.hold_data.size == 1 %]
187                         [% IF CGI.param('hold_type') == 'T' AND hdata.record.metarecord AND !hdata.part_required %]
188                         <!-- Grab the bre_id so that we can restore it if user accidentally clicks advanced options -->
189                            [% bre_id = hdata.target.id %]
190                             <a  id='advanced_hold_link'
191                                 href="[% mkurl('', {hold_type => 'M', hold_target => hdata.record.metarecord.id, bre_id => bre_id}) %]">
192                                 [% l('Advanced Hold Options') %]</a>
193                         [% END %]
194                         [% IF CGI.param('hold_type') == 'M' AND CGI.param('bre_id') %]
195                             <input type="hidden" name="bre_id" value="[% CGI.param('bre_id') | html %]" />
196                             <a id='basic_hold_link'
197                                href="[% mkurl('', {hold_target => CGI.param('bre_id'), hold_type => 'T'}) %]">
198                                 [% l('Basic Hold Options') %]</a>
199                         [% END %]
200                         [% IF hdata.metarecord_filters.formats.size OR # should this be size > 1
201                             (hdata.metarecord_filters.langs.size && hdata.metarecord_filters.langs.size > 1);
202                             PROCESS metarecord_hold_filters_selector hold_data=hdata;
203                         END;
204                     END %]
205                 </td>
206             </tr>
207
208             [% IF this_hold_disallowed %]
209               <tr><td>
210                 <div class="mr_holds_no_formats">
211                 [% l('This item does not have any formats available for holds placement') %]
212                 </div>
213               </td></tr>
214             [% END %]
215
216             [%  IF !loop.last AND ctx.hold_data.size > 1 %]
217             <tr class="holds_item_row_separator"><td> </td></tr>
218             [% END %]
219
220         [% END %]
221         </table>
222
223         [% IF some_holds_allowed %]
224
225         <p>
226             [%- org_select_id = 'pickup_lib'; -%]
227             <label for="[% org_select_id %]">[%l('Pickup location:') %]</label>
228             [% PROCESS "opac/parts/org_selector.tt2";
229                 INCLUDE build_org_selector name='pickup_lib' 
230                     value=ctx.default_pickup_lib id=org_select_id 
231                     can_have_vols_only=1 hold_pickup_lib=1 %]
232         </p>
233         <p>
234             [% l('Notify when hold is ready for pickup?') %]
235             <blockquote>
236                 <input class="hold-alert-method" type="checkbox" id="email_notify" name="email_notify" value="t"
237                     [% IF !ctx.user.email %]disabled="true"[% ELSIF ctx.default_email_notify %]checked="checked"[% END %]/>
238                     <label for="email_notify">[% l('Yes, by Email') %]</label><br/>
239                 <blockquote>
240                     [% IF !ctx.user.email and !ctx.is_staff; l('No configured Email address. See "My Account" for setting your Email address.');
241                      ELSE; l('Email Address:') %] <span name="email_address">[% ctx.user.email %]</span>[% END %]
242                 </blockquote>
243                 [%- IF allow_phone_notifications == 'true' %]
244                 <input class="hold-alert-method" type="checkbox" id="phone_notify_checkbox" name="phone_notify_checkbox"
245                     [% IF ctx.default_phone_notify %]checked="checked"[% END %]/>
246                     <label for="phone_notify_checkbox">[% l('Yes, by Phone') %]</label><br/>
247                 <blockquote>
248                     <label>[% l('Phone Number:') %]<input type="text" name="phone_notify" [% setting = 'opac.default_phone';
249                     IF ctx.user_setting_map.$setting; %] value='[% ctx.user_setting_map.$setting | html %]'
250                     [%- ELSIF ctx.user.day_phone; %] value='[% ctx.user.day_phone | html %]' [% END %]/></label>
251                 </blockquote>
252                 [%- END -%]
253                 [% IF ctx.get_org_setting(ctx.search_ou, 'sms.enable') == 1 %]
254                 <input class="hold-alert-method" type="checkbox" id="sms_notify_checkbox" name="sms_notify_checkbox"
255                     [% IF ctx.default_sms_notify %]checked="checked"[% END %]/>
256                     <label for="sms_notify_checkbox">[% l('Yes, by Text Messaging') %]</label><br/>
257                 <blockquote>
258                     [% INCLUDE "opac/parts/sms_carrier_selector.tt2" %]<br/>
259                     [% INCLUDE "opac/parts/sms_number_textbox.tt2" %]<br/>
260                 </blockquote>
261                 [% END %]
262             </blockquote>
263             <blockquote>
264                 <label for="hold_suspend">
265                 [% IF ctx.hold_data.size == 1;
266                        l('Suspend this hold?');
267                    ELSE;
268                        l('Suspend these holds?');
269                    END %]
270                 </label>
271                 <img src="[% ctx.media_prefix %]/images/question-mark.png[% ctx.cache_key %]"
272                      alt="[% l('Suspend Hold Help') %]"
273                      title="[% l('A suspended hold will retain its place in the queue, but will not be fulfilled until it has been activated.') %]" />
274                 <br/>
275                 <input type="checkbox" name="hold_suspend" id="hold_suspend" value="t"/> [% l('Yes') %]
276                 <a id="actDateToggle" href="#toggled-block-suspend" onclick="return toggleActivationDate();">[% l('Set activation date') %]</a>
277             </blockquote>
278             <blockquote id="toggled-block-suspend">
279                 <label for="thaw_date">[% l('Activate on') %]</label>
280                 <input type="text" id="thaw_date" name="thaw_date" />
281                 <em>[% l('Enter date in MM/DD/YYYY format') %]</em>
282             </blockquote>
283         </p>
284         [% IF CGI.param('from_basket') %]
285           <blockquote><input type="checkbox" name="clear_cart" id="clear_cart" /><label for="clear_cart">[% l('Clear basket after holds are requested?') %]</label></blockquote>
286         [% END %]
287         <input id="place_hold_submit" type="submit" name="submit" 
288             value="[% l('Submit') %]" title="[% l('Submit') %]"
289             alt="[% l('Submit') %]" class="opac-button" />
290         [% END # some_holds_allowed %]
291         <input type="reset" name="cancel" onclick="window.location='[% redirect | html %]'" value="[% l('Cancel') %]" id="holds_cancel" class="opac-button" />
292     </form>
293 </div>
294