1 package C4::XSLT;
3 # Copyright (C) 2006 LibLime
4 # <jmf at liblime dot com>
5 # Parts Copyright Katrin Fischer 2011
6 # Parts Copyright ByWater Solutions 2011
7 # Parts Copyright Biblibre 2012
9 # This file is part of Koha.
11 # Koha is free software; you can redistribute it and/or modify it
12 # under the terms of the GNU General Public License as published by
13 # the Free Software Foundation; either version 3 of the License, or
14 # (at your option) any later version.
16 # Koha is distributed in the hope that it will be useful, but
17 # WITHOUT ANY WARRANTY; without even the implied warranty of
18 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
19 # GNU General Public License for more details.
21 # You should have received a copy of the GNU General Public License
22 # along with Koha; if not, see <http://www.gnu.org/licenses>.
24 use Modern::Perl;
26 use C4::Context;
27 use C4::Items;
28 use C4::Koha;
29 use C4::Biblio;
30 use C4::Circulation;
31 use C4::Reserves;
32 use Koha::AuthorisedValues;
33 use Koha::ItemTypes;
34 use Koha::XSLT_Handler;
35 use Koha::Libraries;
37 use Encode;
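our @ISA;       # set in BEGIN below
our @EXPORT;    # set in BEGIN below

# Module-wide XSLT handler, built once in BEGIN and handed out by engine().
my $engine;

# Per-framework cache of the "tag -> subfield letter" pairs that are
# controlled by authorised values (filled by getAuthorisedValues4MARCSubfields).
# Nothing in this module ever invalidates it. Should preferably be placed in
# Koha core...
my %authval_per_framework;

BEGIN {
    require Exporter;
    @ISA    = qw(Exporter);
    @EXPORT = qw(
        XSLTParse4Display
    );

    # do_not_return_source: a failed transform yields undef instead of the
    # untransformed input; XSLTParse4Display relies on that.
    $engine = Koha::XSLT_Handler->new( { do_not_return_source => 1 } );
}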
55 =head1 NAME
57 C4::XSLT - Functions for displaying XSLT-generated content
59 =head1 FUNCTIONS
61 =head2 transformMARCXML4XSLT
63 Replaces codes with authorized values in a MARC::Record object
64 Is only used in this module currently.
66 =cut
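sub transformMARCXML4XSLT {
    # Replaces coded subfield values with their authorised value
    # descriptions, in place, for every subfield the framework binds to an
    # authorised value category. Returns the (modified) MARC::Record.
    my ( $biblionumber, $record ) = @_;

    my $frameworkcode = GetFrameworkCode($biblionumber) || '';
    my $tagslib       = GetMarcStructure( 1, $frameworkcode, { unsafe => 1 } );

    # Sanity check that the record can be read. A broken record is handed
    # back untouched rather than aborting the caller (the previous code
    # used `next` here, which is not valid outside a loop).
    eval { $record->fields() };
    if ($@) {
        warn "PROBLEM WITH RECORD";
        return $record;
    }

    my $marcflavour = C4::Context->preference('marcflavour');
    my $av          = getAuthorisedValues4MARCSubfields($frameworkcode);

    foreach my $tag ( keys %$av ) {
        next unless $av->{$tag};
        foreach my $field ( $record->field($tag) ) {
            my @new_subfields;
            for my $subfield ( $field->subfields() ) {
                my ( $letter, $value ) = @$subfield;

                # Replace the code with the authorised value description
                # *except* for MARC21/NORMARC 942$n (OPAC suppression flag),
                # which must stay a raw code. UNIMARC has no such exception.
                # The old test compared the array ref $subfield to 'n', so the
                # exception never applied; it now checks the subfield letter.
                if ( !( $tag eq '942' && $letter eq 'n' ) || $marcflavour eq 'UNIMARC' ) {
                    $value = GetAuthorisedValueDesc( $tag, $letter, $value, '', $tagslib )
                      if $av->{$tag}->{$letter};
                }
                push @new_subfields, $letter, $value;
            }
            $field->replace_with(
                MARC::Field->new(
                    $tag,
                    $field->indicator(1),
                    $field->indicator(2),
                    @new_subfields
                )
            );
        }
    }
    return $record;
}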
105 =head2 getAuthorisedValues4MARCSubfields
Returns a hashref of hashrefs, keyed by tag and then by subfield letter, listing the subfields that are controlled by authorised values.
108 Is only used in this module currently.
110 =cut
sub getAuthorisedValues4MARCSubfields {
    # Returns { tag => { letter => 1, ... }, ... } for the subfields of
    # $frameworkcode that are bound to an authorised value category.
    my ($frameworkcode) = @_;

    # Serve from the module-wide cache when this framework was seen before.
    # NOTE(review): the cache is never invalidated in this module, so a
    # process that outlives a framework edit keeps the old answer.
    return $authval_per_framework{$frameworkcode}
      if $authval_per_framework{$frameworkcode};

    # The framework code is passed as a bind parameter, never interpolated.
    my $sth = C4::Context->dbh->prepare("SELECT DISTINCT tagfield, tagsubfield
                             FROM marc_subfield_structure
                             WHERE authorised_value IS NOT NULL
                               AND authorised_value!=''
                               AND frameworkcode=?");
    $sth->execute($frameworkcode);

    my %controlled;
    while ( my ( $tag, $letter ) = $sth->fetchrow_array ) {
        $controlled{$tag}{$letter} = 1;
    }
    $authval_per_framework{$frameworkcode} = \%controlled;

    return $authval_per_framework{$frameworkcode};
}
131 =head2 XSLTParse4Display
133 Returns xml for biblionumber and requested XSLT transformation.
134 Returns undef if the transform fails.
136 Used in OPAC results and detail, intranet results and detail, list display.
137 (Depending on the settings of your XSLT preferences.)
139 The helper function _get_best_default_xslt_filename is used in a unit test.
141 =cut
sub _get_best_default_xslt_filename {
    # Picks the first existing stylesheet from a fixed search order:
    # theme+language, theme+English, 'prog'+language, 'prog'+English.
    # $theme and $lang are interpolated into the path as given; no
    # validation happens here.
    my ( $htdocs, $theme, $lang, $base_xslfile ) = @_;

    my @search_path = (
        "$htdocs/$theme/$lang/xslt/${base_xslfile}",
        "$htdocs/$theme/en/xslt/${base_xslfile}",
        "$htdocs/prog/$lang/xslt/${base_xslfile}",
        "$htdocs/prog/en/xslt/${base_xslfile}",
    );

    for my $candidate (@search_path) {
        return $candidate if -f $candidate;
    }

    # Nothing exists on disk: hand back the last candidate (prog/en) anyway
    # and leave it to the caller's transform to fail.
    return $search_path[-1];
}
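sub get_xslt_sysprefs {
    # Returns a <sysprefs> XML fragment holding the system preferences the
    # stylesheets read. The names come from a fixed list and are safe to use
    # as attribute values; the preference *values* are free text and are
    # escaped with the same xml_escape used by buildKohaItemsNamespace, so a
    # "&" or "<" in e.g. OPACBaseURL cannot make the fragment ill-formed
    # (which would make the whole transform fail) or inject markup.
    my @sysprefs = qw/ hidelostitems OPACURLOpenInNewWindow
        DisplayOPACiconsXSLT URLLinkText viewISBD
        OPACBaseURL TraceCompleteSubfields UseICU
        UseAuthoritiesForTracings TraceSubjectSubdivisions
        Display856uAsImage OPACDisplay856uAsImage
        UseControlNumber IntranetBiblioDefaultView BiblioDefaultView
        OPACItemLocation DisplayIconsXSLT
        AlternateHoldingsField AlternateHoldingsSeparator
        TrackClicks opacthemes IdRef OpacSuppression
        OPACResultsLibrary /;

    my $sysxml = "<sysprefs>\n";
    foreach my $syspref (@sysprefs) {
        my $sp = C4::Context->preference($syspref);
        next unless defined($sp);
        $sysxml .= "<syspref name=\"$syspref\">" . xml_escape($sp) . "</syspref>\n";
    }

    # singleBranchMode was a system preference, but no longer is;
    # it is retained here for compatibility with stylesheets that read it.
    my $singleBranchMode = Koha::Libraries->search->count == 1 ? 1 : 0;
    $sysxml .= "<syspref name=\"singleBranchMode\">$singleBranchMode</syspref>\n";

    $sysxml .= "</sysprefs>\n";
    return $sysxml;
}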
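# Resolves the stylesheet path to use when $xslsyspref is set to "default".
# Returns undef when $xslsyspref is not one of the known display preferences.
sub _default_xslt_filename {
    my ( $xslsyspref, $lang ) = @_;

    # preference name => [ htdocs config key, theme preference, file suffix ]
    # Lists default to the *Results stylesheets.
    my %default_for = (
        XSLTDetailsDisplay     => [ 'intrahtdocs', 'template',   'slim2intranetDetail.xsl' ],
        XSLTResultsDisplay     => [ 'intrahtdocs', 'template',   'slim2intranetResults.xsl' ],
        XSLTListsDisplay       => [ 'intrahtdocs', 'template',   'slim2intranetResults.xsl' ],
        OPACXSLTDetailsDisplay => [ 'opachtdocs',  'opacthemes', 'slim2OPACDetail.xsl' ],
        OPACXSLTResultsDisplay => [ 'opachtdocs',  'opacthemes', 'slim2OPACResults.xsl' ],
        OPACXSLTListsDisplay   => [ 'opachtdocs',  'opacthemes', 'slim2OPACResults.xsl' ],
    );
    my $spec = $default_for{$xslsyspref} or return;

    my ( $htdocs_key, $theme_pref, $suffix ) = @$spec;
    my $htdocs  = C4::Context->config($htdocs_key);
    my $theme   = C4::Context->preference($theme_pref);
    my $xslfile = C4::Context->preference('marcflavour') . $suffix;
    return _get_best_default_xslt_filename( $htdocs, $theme, $lang, $xslfile );
}

sub XSLTParse4Display {
    # Transforms $orig_record (a MARC::Record) with the stylesheet named by
    # $xslsyspref and returns the result; returns undef when the transform
    # fails or no stylesheet can be resolved.
    #   $fixamps      - repair the HTML entities Zebra emits before transforming
    #   $hidden_items - arrayref of itemnumbers to leave out of the items XML
    #   $sysxml, $xslfilename, $lang - optional overrides, defaulted below
    my ( $biblionumber, $orig_record, $xslsyspref, $fixamps, $hidden_items, $sysxml, $xslfilename, $lang ) = @_;

    # NOTE(review): $sysxml falls back to the XSLT preference *value*, not to
    # get_xslt_sysprefs(); presumably callers always pass it explicitly.
    # Confirm before changing.
    $sysxml      ||= C4::Context->preference($xslsyspref);
    $xslfilename ||= C4::Context->preference($xslsyspref);
    # NOTE(review): C4::Languages is not loaded by this module, so this
    # relies on the caller having loaded it already.
    $lang ||= C4::Languages::getlanguage();

    unless ( defined $xslfilename && length $xslfilename ) {
        warn "XSLTParse4Display: no stylesheet configured for '$xslsyspref'";
        return;
    }

    if ( $xslfilename =~ /^\s*"?default"?\s*$/i ) {
        $xslfilename = _default_xslt_filename( $xslsyspref, $lang );
        unless ( defined $xslfilename ) {
            warn "XSLTParse4Display: no default stylesheet known for '$xslsyspref'";
            return;
        }
    }

    # A "{langcode}" placeholder in a configured path or URL is replaced by
    # the current language. $lang is used verbatim; this relies on
    # getlanguage()/the caller supplying only an installed language code.
    $xslfilename =~ s/\{langcode\}/$lang/;

    # Build the input XML: the record with authorised values resolved, plus
    # the items namespace and the syspref fragment spliced in before the
    # closing </record>.
    my $record    = transformMARCXML4XSLT( $biblionumber, $orig_record );
    my $itemsxml  = buildKohaItemsNamespace( $biblionumber, $hidden_items );
    my $xmlrecord = $record->as_xml( C4::Context->preference('marcflavour') );

    $xmlrecord =~ s/\<\/record\>/$itemsxml$sysxml\<\/record\>/;
    if ($fixamps) {    # correct the HTML entities that Zebra outputs
        $xmlrecord =~ s/\&amp;amp;/\&amp;/g;
        $xmlrecord =~ s/\&amp\;lt\;/\&lt\;/g;
        $xmlrecord =~ s/\&amp\;gt\;/\&gt\;/g;
    }
    $xmlrecord =~ s/\& /\&amp\; /;
    $xmlrecord =~ s/\&amp\;amp\; /\&amp\; /;

    # If the XSLT fails we return undef (the old behaviour was raw MARC);
    # do_not_return_source was set when $engine was constructed.
    return $engine->transform( $xmlrecord, $xslfilename );    # file or URL
}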
261 =head2 buildKohaItemsNamespace
263 Returns XML for items.
264 Is only used in this module currently.
266 =cut
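sub buildKohaItemsNamespace {
    # Returns an <items> XML fragment (koha-community.org/items namespace)
    # describing every item of $biblionumber, minus the itemnumbers listed
    # in $hidden_items (optional arrayref). All text taken from the database
    # is passed through xml_escape before it is embedded.
    my ( $biblionumber, $hidden_items ) = @_;

    my @items = C4::Items::GetItemsInfo($biblionumber);
    if ( $hidden_items && @$hidden_items ) {
        my %is_hidden = map { $_ => 1 } @$hidden_items;
        @items = grep { !$is_hidden{ $_->{itemnumber} } } @items;
    }

    # Lookup tables turning codes into display text. The framework code is
    # fetched once instead of once per authorised value category.
    my $frameworkcode  = GetFrameworkCode($biblionumber);
    my $shelflocations = {
        map { $_->{authorised_value} => $_->{opac_description} }
          Koha::AuthorisedValues->get_descriptions_by_koha_field(
            { frameworkcode => $frameworkcode, kohafield => 'items.location' } )
    };
    my $ccodes = {
        map { $_->{authorised_value} => $_->{opac_description} }
          Koha::AuthorisedValues->get_descriptions_by_koha_field(
            { frameworkcode => $frameworkcode, kohafield => 'items.ccode' } )
    };
    my %branches  = map { $_->branchcode => $_->branchname } Koha::Libraries->search( {}, { order_by => 'branchname' } );
    my $itemtypes = { map { $_->{itemtype} => $_ } @{ Koha::ItemTypes->search->unblessed } };

    my $xml = '';
    for my $item (@items) {
        my ($transfertwhen) = C4::Circulation::GetTransfers( $item->{itemnumber} );
        my $reservestatus   = C4::Reserves::GetReserveStatus( $item->{itemnumber} );

        my $itype_notforloan = $item->{itype} && $itemtypes->{ $item->{itype} }->{notforloan};
        my $in_transit       = defined $transfertwhen && $transfertwhen ne '';
        my $hold_waiting     = defined $reservestatus && $reservestatus eq "Waiting";

        # Status resolution: each applicable assignment overwrites the
        # previous one, so the *last* matching condition below wins
        # (e.g. Waiting beats In transit beats Damaged beats Lost ...).
        my $status;
        if (   $itype_notforloan
            || $item->{notforloan}
            || $item->{onloan}
            || $item->{withdrawn}
            || $item->{itemlost}
            || $item->{damaged}
            || $in_transit
            || $item->{itemnotforloan}
            || $hold_waiting )
        {
            # `// 0` avoids an "uninitialized value" warning when notforloan
            # is undef; undef already compared as 0 before.
            $status = "On order" if ( $item->{notforloan} // 0 ) < 0;
            $status = "reference"
              if ( $item->{itemnotforloan} && $item->{itemnotforloan} > 0 )
              || ( $item->{notforloan} && $item->{notforloan} > 0 )
              || ( $itype_notforloan && $itype_notforloan == 1 );
            $status = "Checked out" if $item->{onloan};
            $status = "Withdrawn"   if $item->{withdrawn};
            $status = "Lost"        if $item->{itemlost};
            $status = "Damaged"     if $item->{damaged};
            $status = 'In transit'  if $in_transit;
            $status = 'Waiting'     if $hold_waiting;
        }
        else {
            $status = "available";
        }

        # Codes fall back to themselves when no description is known.
        my $homebranch     = $item->{homebranch}    ? xml_escape( $branches{ $item->{homebranch} } )    : '';
        my $holdingbranch  = $item->{holdingbranch} ? xml_escape( $branches{ $item->{holdingbranch} } ) : '';
        my $location       = $item->{location} ? xml_escape( $shelflocations->{ $item->{location} } || $item->{location} ) : '';
        my $ccode          = $item->{ccode}    ? xml_escape( $ccodes->{ $item->{ccode} } || $item->{ccode} )               : '';
        my $itemcallnumber = xml_escape( $item->{itemcallnumber} );
        my $stocknumber    = $item->{stocknumber} ? xml_escape( $item->{stocknumber} ) : '';

        $xml .= "<item>"
          . "<homebranch>$homebranch</homebranch>"
          . "<holdingbranch>$holdingbranch</holdingbranch>"
          . "<location>$location</location>"
          . "<ccode>$ccode</ccode>"
          . "<status>" . ( $status // q{} ) . "</status>"
          . "<itemcallnumber>$itemcallnumber</itemcallnumber>"
          . "<stocknumber>$stocknumber</stocknumber>"
          . "</item>";
    }

    return "<items xmlns=\"http://www.koha-community.org/items\">" . $xml . "</items>";
}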
345 =head2 engine
347 Returns reference to XSLT handler object.
349 =cut
sub engine {
    # Hands out the module-wide Koha::XSLT_Handler built in BEGIN.
    my $handler = $engine;
    return $handler;
}
357 __END__
359 =head1 AUTHOR
361 Joshua Ferraro <jmf@liblime.com>
363 Koha Development Team <http://koha-community.org/>
365 =cut