Browse Source

Bug 33144: Unescape text from authority lookup for advanced editor

While the basic editor is happy with an array of subfields it can
stuff into separate fields, the advanced editor needs to get a JS
string back from the authority lookup plugin, because it is going
to just add the whole thing as text. The string has to be HTML
entity encoded, both to not allow XSS and just to not break the
window, but it needs to then be unencoded before being inserted
into the editor.

Test plan:
1. Set the system preference EnableAdvancedCatalogingEditor to
2. Edit any Topical Term authority, and at the end of tag 150
   subfield a, add & </script>
3. Cataloging - Advanced editor
4. Press return in the editor to get a new blank line, type 650
   and press tab three times, then type Ctrl-Shift-L
5. Search for your modified authority, and click Choose
6. Verify that the tiny popup opened by the search window finished
   its job and closed itself
7. Verify that your 650 now shows as "‡aAbduction &
   </script>‡vDrama" rather than "‡aAbduction  &amp;

Signed-off-by: Jonathan Druart <>
Signed-off-by: Katrin Fischer <>
Signed-off-by: Tomas Cohen Arazi <>
Phil Ringnalda 3 months ago
committed by Tomas Cohen Arazi
Signed by: tomascohen GPG Key ID: 0A272EA1B2F3C15F
  1. 2


@ -22,6 +22,8 @@
[% IF rancor %]
function RancorReplaceField( new_text, ind_1, ind_2 ){
var cur_field = opener.opener.jQuery(".CodeMirror")[0].CodeMirror.marceditor.getCurrentField();
// The new_text is entity-encoded and we want decoded text
new_text = new DOMParser().parseFromString(new_text, 'text/html').body.innerText;
[% IF update_ind1 %]cur_field.setIndicator1(ind_1);[% END %]
[% IF update_ind2 %]cur_field.setIndicator2(ind_2);[% END %]