git.koha-community.org Git - koha.git/commit

author	Phil Ringnalda <phil@chetcolibrary.org>
	Thu, 15 Aug 2024 22:41:18 +0000 (15:41 -0700)
committer	Fridolin Somers <fridolin.somers@biblibre.com>
	Tue, 1 Oct 2024 13:13:27 +0000 (15:13 +0200)
commit	a7ea59a062c505ef7e80e28f6968a07e11bce762
tree	4f2c0280c5471b79963775d9b76422265f3fb44f	tree \| snapshot
parent	25856135c6e19fc559c33b5166348d1a053f9b76	commit \| diff

Bug 37655: Basic editor needs to HTML-escape the bib record title used as a heading

We stick the title of a bib record you are editing in the basic editor into
an <h1> without escaping any HTML it might contain. We should instead escape
it.

Test plan:

1. Without the patch, search for any record in the catalog and click Edit
   record (if you are in the advanced editor, switch to the basic one)
2. Tab 2, Field 245, Subfield a, paste <script>alert('boo ❤')</script><h2>
   at the end of the subfield
3. Save, then from the record detail page select Edit - Edit record
4. You will have gotten an alert(), and the entire form will be the size
   of an <h2>. That's ugly, so go back to the detail page.
5. Apply patch, restart_all
6. Edit - Edit record
7. Now you should not get an alert, the whole title inluding the <script>
   should display in italics, and the "(Record number nnn)" after it should
   not be italicized.

Signed-off-by: David Cook <dcook@prosentient.com.au>
(cherry picked from commit 0b1c2ba4b86f9aac615625f0456d81c2cf0ab4d7)
Signed-off-by: Fridolin Somers <fridolin.somers@biblibre.com>