Bug 5920: Strip HTML from report exports

This patch uses HTML::Restrict to strip out HTML tags from the CSV
download of reports.

Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Signed-off-by: Lucas Gass <lucas@bywatersolutions.com>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>
Martin Renvoize 2022-01-10 10:45:54 +01:00 committed by Katrin Fischer
parent 4da2e1444b
commit 0d9ebbe956
Signed by: kfischer
GPG key ID: 0EF6E2C03357A834


@ -40,6 +40,7 @@ use Koha::Util::OpenDocument qw( generate_ods );
use Koha::Notice::Templates;
use Koha::TemplateUtils qw( process_tt );
use C4::ClassSource qw( GetClassSources );
use HTML::Restrict;
=head1 NAME
@ -620,6 +621,7 @@ elsif ($op eq 'export'){
my $format = $input->param('format');
my $reportname = $input->param('reportname');
my $reportfilename = $reportname ? "$reportname-reportresults.$format" : "reportresults.$format" ;
my $hr = HTML::Restrict->new();
($sql, undef) = $report->prep_report( \@param_names, \@sql_params );
my ( $sth, $q_errors ) = execute_query( { sql => $sql, report_id => $report_id } );
@ -628,9 +630,9 @@ elsif ($op eq 'export'){
if ($format eq 'tab') {
$type = 'application/octet-stream';
$content .= join("\t", header_cell_values($sth)) . "\n";
$content = Encode::decode('UTF-8', $content);
$content = $hr->process(Encode::decode('UTF-8', $content));
while (my $row = $sth->fetchrow_arrayref()) {
$content .= join("\t", map { $_ // '' } @$row) . "\n";
$content .= join("\t", $hr->process(@$row)) . "\n";
}
} else {
if ( $format eq 'csv' ) {
@ -639,13 +641,15 @@ elsif ($op eq 'export'){
my $csv = Text::CSV::Encoded->new({ encoding_out => 'UTF-8', sep_char => $delimiter});
$csv or die "Text::CSV::Encoded->new({binary => 1}) FAILED: " . Text::CSV::Encoded->error_diag();
if ($csv->combine(header_cell_values($sth))) {
$content .= Encode::decode('UTF-8', $csv->string()) . "\n";
$content .= $hr->process(Encode::decode('UTF-8', $csv->string())) . "\n";
} else {
push @$q_errors, { combine => 'HEADER ROW: ' . $csv->error_diag() } ;
}
while (my $row = $sth->fetchrow_arrayref()) {
if ($csv->combine(@$row)) {
$content .= $csv->string() . "\n";
$content .= $hr->process($csv->string()) . "\n";
} else {
push @$q_errors, { combine => $csv->error_diag() } ;
}
@ -666,7 +670,8 @@ elsif ($op eq 'export'){
foreach my $sql_row ( @$sql_rows ) {
my @content_row;
foreach my $sql_cell ( @$sql_row ) {
push @content_row, Encode::encode( 'UTF8', $sql_cell );
push @content_row, $hr->process(Encode::encode( 'UTF8', $sql_cell ));
}
push @$ods_content, \@content_row;
}
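Review bot: In the `tab` branch the new row line `join("\t", $hr->process(@$row))` hands the whole row to `process()`, which takes a single string, so as far as I can tell only the first column of each row would reach the export, and the old `// ''` guard for NULL cells is gone. Strip per cell instead: `$content .= join("\t", map { $hr->process($_) // '' } @$row) . "\n";`. The CSV branch has a related problem: `$hr->process($csv->string())` runs on the already-combined line, so a `<` in one cell and a `>` in a later cell can be read as one tag and take the delimiter and quoting between them with it; processing each cell before `$csv->combine(...)` keeps tag stripping away from the CSV structure. The ODS hunk strips after `Encode::encode`, i.e. on bytes rather than characters, and would be safer as `Encode::encode( 'UTF8', $hr->process($sql_cell) )`. The enclosing `elsif ($op eq 'export')` block starts and ends outside these hunks.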