While the basic editor is happy with an array of subfields it can
stuff into separate fields, the advanced editor needs to get a JS
string back from the authority lookup plugin, because it is going
to just add the whole thing as text. The string has to be HTML
entity encoded, both to not allow XSS and just to not break the
window, but it needs to then be unencoded before being inserted
into the editor.
Test plan:
1. Set the system preference EnableAdvancedCatalogingEditor to
Enable
2. Edit any Topical Term authority, and at the end of tag 150
subfield a, add & </script>
3. Cataloging - Advanced editor
4. Press return in the editor to get a new blank line, type 650
and press tab three times, then type Ctrl-Shift-L
5. Search for your modified authority, and click Choose
6. Verify that the tiny popup opened by the search window finished
its job and closed itself
7. Verify that your 650 now shows as "‡aAbduction &
</script>‡vDrama" rather than "‡aAbduction &
</script>‡vDrama."
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
e171d5fdd3
