From be18ee7aa517f647ecb83fe1349af8c88f3e15f8 Mon Sep 17 00:00:00 2001 From: Fridolin Somers Date: Tue, 11 Jan 2022 19:40:35 -1000 Subject: [PATCH] Bug 29853: Add HTML filter before KohaSpan filter MIME-Version: 1.0 Content-Type: text/plain; charset=utf8 Content-Transfer-Encoding: 8bit Usage of Template Toolkit plugin KohaSpan as filter is actually : Group [% added.title | $KohaSpan class = 'name' | $raw %] created. But KohaSpan filter does not escape HTML characters. Whe should filter HTML then KohaSpan. This patch adds TT html filter before KohaSpan. Also replaces in Javascript html() with text() to ensure special caracters are still encoded. See https://api.jquery.com/text/ Test plan : 1) Create a library with name Libra'rie 2) Create a library group with name Grou'pe 3) Play with this group 4) Add library 5) Remove library 6) Edit group 7) Delete group 8) Each time check that &apos, is not interpreted as single quote Signed-off-by: Solène Desvaux Signed-off-by: Jonathan Druart Signed-off-by: Fridolin Somers
---
.../prog/en/modules/admin/library_groups.tt | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-)
diff --git a/koha-tmpl/intranet-tmpl/prog/en/modules/admin/library_groups.tt b/koha-tmpl/intranet-tmpl/prog/en/modules/admin/library_groups.tt
index d483b056b0..94e1ec0af4 100644
--- a/koha-tmpl/intranet-tmpl/prog/en/modules/admin/library_groups.tt
+++ b/koha-tmpl/intranet-tmpl/prog/en/modules/admin/library_groups.tt
@@ -40,22 +40,22 @@ [% IF added %]
 [% IF added.branchcode %]
- [% added.library.branchname | $KohaSpan class = 'name' | $raw %] added to group.
+ [% added.library.branchname | html | $KohaSpan class = 'name' %] added to group.
 [% ELSE %]
- Group [% added.title | $KohaSpan class = 'name' | $raw %] created.
+ Group [% added.title | html | $KohaSpan class = 'name' %] created.
 [% END %]
[% ELSIF deleted %]
 [% IF deleted.title %]
- Group [% deleted.title | $KohaSpan class = 'name' | $raw %] has been deleted.
+ Group [% deleted.title | html | $KohaSpan class = 'name' %] has been deleted.
 [% ELSE %]
- [% deleted.library | $KohaSpan class = 'name' | $raw %] has been removed from group.
+ [% deleted.library | html | $KohaSpan class = 'name' %] has been removed from group.
 [% END %]
[% ELSIF error_duplicate_title %]
- A group with the title [% error_duplicate_title | $KohaSpan class = 'name' | $raw %] already exists.
+ A group with the title [% error_duplicate_title | html | $KohaSpan class = 'name' %] already exists.
 [% END %]
@@ -359,14 +359,14 @@ }
 function delete_group( id, title ) {
- $('#delete-group-modal-title').html(title);
+ $('#delete-group-modal-title').text( title );
 $('#delete-group-modal-id').val( id );
 $('#delete-group-modal').modal('show');
 }
 function remove_library( id, library, parent_title ) {
- $('#remove-library-modal-library').html( library );
- $('#remove-library-modal-group').html(parent_title);
+ $('#remove-library-modal-library').text( library );
+ $('#remove-library-modal-group').text( parent_title );
 $('#remove-library-modal-id').val( id );
 $('#remove-library-modal').modal('show');
 }
-- 2.39.5
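Review bot: The filter order `html | $KohaSpan` on the new lines is the entire fix, yet nothing in the template records that it is load-bearing, so a later edit that swaps the two filters or appends `| html` after `$KohaSpan` would either reintroduce the unescaped value or escape the span markup itself; a short TT comment at the head of the message block would protect it, e.g. `[%# Apply html BEFORE $KohaSpan: KohaSpan wraps its input in span markup without escaping it %]`. The same ordering applies to the `added.title`, `deleted.title`, `deleted.library` and `error_duplicate_title` lines in this hunk, so one comment covers all five. Dropping the trailing `$raw` means the span markup now reaches the output directly from `$KohaSpan`; that is only correct if Koha's Template Toolkit configuration does not auto-escape filter output, which this hunk alone cannot confirm. The hunk header counts 22 old lines but fewer are visible here, so the surrounding `[% IF added %]` … `[% END %]` block likely extends beyond what is shown.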
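Review bot: Switching to `.text()` on the changed lines of delete_group and remove_library makes `title`, `library` and `parent_title` render literally, which is the right fix, but the functions are now only as safe as the strings handed to them; the call sites that build those arguments are outside the hunk, so it is worth checking there that a value containing a quote (the test plan's `Grou'pe`) reaches the function as a proper JavaScript string — via a `data-*` attribute or a correctly escaped literal — rather than being spliced raw into an inline handler. A one-line comment would keep the next maintainer from reverting to `.html()` for formatting convenience, e.g. `// .text(), not .html(): these are user-entered names and must be rendered literally, never parsed as markup`. The same note applies to both changed lines in remove_library.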