Incremental fix for Bug 2847, Use HTML escape in templates where appropriate

Fixes for output in a couple of acquisitions templates where
user-generated data should be escaped. These instances were found
by creating a vendor name like "Baker & Taylor" and finding
that the ampersand was not escaped, causing validation errors.

This patch also consolidates multiple <script> blocks which
do not need to be separate and corrects a couple of unclosed
<input> tags.

Signed-off-by: Chris Cormack <chrisc@catalyst.net.nz>
Signed-off-by: Paul Poulain <paul.poulain@biblibre.com>
This commit is contained in:
Owen Leonard 2011-11-11 12:34:44 -05:00 committed by Paul Poulain
parent 440c0f21ee
commit bfe06ef399
2 changed files with 8 additions and 15 deletions


@ -11,13 +11,13 @@
<p class="tip">Search orders:</p>
<form action="/cgi-bin/koha/acqui/histsearch.pl" method="post">
<label for="title">Title: </label><input type="text" id="title" name="title" size="15" value="[% title %]" /> <label for="searchsupplier">Vendor:</label> <input type="text" id="searchsupplier" name="name" size="15" value="[% name %]" />
<label for="title">Title: </label><input type="text" id="title" name="title" size="15" value="[% title %]" /> <label for="searchsupplier">Vendor:</label> <input type="text" id="searchsupplier" name="name" size="15" value="[% name|html %]" />
<span class="filteraction" id="filteraction_off" style="display:none"> <a href="#" onclick="$('#filters').toggle();$('.filteraction').hide();">[-]</a></span>
<span class="filteraction" id="filteraction_on"> <a href="#" onclick="$('#filters').show();$('.filteraction').toggle();">[+]</a></span>
<input value="Submit" class="submit" type="submit" /> <a href="/cgi-bin/koha/acqui/histsearch.pl">Advanced Search</a>
<p id="filters" style="display:none">
<label for="basket">Basket: </label><input type="text" name="basket" id="basket">
<label for="booksellerinvoicenumber">Invoice No.: </label><input type="text" name="booksellerinvoicenumber" id="booksellerinvoicenumber">
<label for="basket">Basket: </label><input type="text" name="basket" id="basket" />
<label for="booksellerinvoicenumber">Invoice No.: </label><input type="text" name="booksellerinvoicenumber" id="booksellerinvoicenumber" />
</p>
</form>
</div>
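Review bot: The new line still echoes `[% title %]` unfiltered into its value attribute, right beside the vendor field this commit fixes; the title parameter is submitted by the same form, so a value containing `"` or `&` produces exactly the validation failure described in the commit message. Apply the same filter there: `value="[% title|html %]"`. The basket and invoice-number inputs further down the hunk carry no value attribute at all, so they are not affected. The `<div>` closed on the hunk's last line is opened above the visible lines.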


@ -1,5 +1,5 @@
[% INCLUDE 'doc-head-open.inc' %]
<title>Koha &rsaquo; Acquisitions &rsaquo; [% UNLESS ( basketno ) %]New [% END %][% IF ( delete_confirm ) %]Delete [% END %]Basket [% basketname %] ([% basketno %]) for [% name %]</title>
<title>Koha &rsaquo; Acquisitions &rsaquo; [% UNLESS ( basketno ) %]New [% END %][% IF ( delete_confirm ) %]Delete [% END %]Basket [% basketname|html %] ([% basketno %]) for [% name|html %]</title>
[% INCLUDE 'doc-head-close.inc' %]
[% UNLESS ( closedate ) %]
<script type="text/javascript" src="[% themelang %]/lib/jquery/plugins/jquery.tablesorter.min.js"></script>
@ -13,20 +13,13 @@
}
});
});
//]]>
</script>
<script type="text/javascript">
//<![CDATA[
function confirm_close() {
var is_confirmed = confirm(_('Are you sure you want to close this basket?'));
if (is_confirmed) {
window.location = "[% script_name %]?op=close&basketno=[% basketno %]";
}
}
//]]>
</script>
<script type="text/javascript">
//<![CDATA[
function confirm_deletion() {
var is_confirmed = confirm(_('Are you sure you want to delete this basket?'));
if (is_confirmed) {
@ -72,7 +65,7 @@
[% INCLUDE 'acquisitions-search.inc' %]
<div id="breadcrumbs"><a href="/cgi-bin/koha/mainpage.pl">Home</a> &rsaquo; <a href="/cgi-bin/koha/acqui/acqui-home.pl">Acquisitions</a> &rsaquo; <a href="/cgi-bin/koha/acqui/supplier.pl?supplierid=[% booksellerid %]">[% name %]</a> &rsaquo; [% UNLESS ( basketno ) %]New [% END %][% IF ( delete_confirm ) %]Delete [% END %]Basket [% basketname %] ([% basketno %]) for [% name %]</div>
<div id="breadcrumbs"><a href="/cgi-bin/koha/mainpage.pl">Home</a> &rsaquo; <a href="/cgi-bin/koha/acqui/acqui-home.pl">Acquisitions</a> &rsaquo; <a href="/cgi-bin/koha/acqui/supplier.pl?supplierid=[% booksellerid %]">[% name|html %]</a> &rsaquo; [% UNLESS ( basketno ) %]New [% END %][% IF ( delete_confirm ) %]Delete [% END %]Basket [% basketname|html %] ([% basketno %]) for [% name|html %]</div>
<div id="doc3" class="yui-t2">
@ -148,7 +141,7 @@
<h3>Basket deleted</h3>
<META HTTP-EQUIV=Refresh CONTENT="0; url=booksellers.pl">
[% ELSE %]
<h1>[% UNLESS ( basketno ) %]New [% END %][% IF ( delete_confirm ) %]Delete [% END %]Basket [% basketname %] ([% basketno %]) for <a href="supplier.pl?supplierid=[% booksellerid %]">[% name %]</a></h1>
<h1>[% UNLESS ( basketno ) %]New [% END %][% IF ( delete_confirm ) %]Delete [% END %]Basket [% basketname|html %] ([% basketno %]) for <a href="supplier.pl?supplierid=[% booksellerid %]">[% name|html %]</a></h1>
[% IF ( delete_confirm ) %]
<h2>
<span class="yui-button yui-link-button">
@ -333,7 +326,7 @@
<div id="closebasket_needsconfirmation" class="dialog alert">
<form action="/cgi-bin/koha/acqui/basket.pl" class="confirm">
<h1>Are you sure you want to close basket [% basketname %]?</h1>
<h1>Are you sure you want to close basket [% basketname|html %]?</h1>
<p>
<label for="createbasketgroup">Attach this basket to a new basket group with the same name</label>
<input type="checkbox" id="createbasketgroup" name="createbasketgroup"/>
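Review bot: `[% basketno %]` and `[% booksellerid %]` remain unfiltered on the very lines that now filter `name` and `basketname` — in the `<title>` text, in the `supplierid=` query of the breadcrumb and heading links, and in the JavaScript string `"[% script_name %]?op=close&basketno=[% basketno %]"` inside confirm_close(), which the consolidated script block keeps on the new side. These are presumably numeric ids, but the template cannot tell whether the caller validated them, and a value containing `"` or `</script>` would break out of those contexts. The text and attribute uses can take `|html` like their neighbours; the query-string and JavaScript-string uses are URL contexts, where Template Toolkit's `uri` filter fits better, e.g. `supplierid=[% booksellerid|uri %]` and `basketno=[% basketno|uri %]`. The last hunk's confirmation form continues past the visible lines.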