From 3d8c3cb218404844ecc3611ef32199336cf51012 Mon Sep 17 00:00:00 2001
From: Lucas Gass
Date: Mon, 30 Sep 2024 19:05:18 +0000
Subject: [PATCH] Revert "Bug 37720: Prevent XSS in label creator"

This reverts commit 6b844169fd06b2954146a6eae41adcfffd1e31fb.

Signed-off-by: Lucas Gass
---
 C4/Creators/Lib.pm | 3 ++-
 .../intranet-tmpl/prog/en/modules/labels/label-edit-batch.tt | 5 +----
 2 files changed, 3 insertions(+), 5 deletions(-)

diff --git a/C4/Creators/Lib.pm b/C4/Creators/Lib.pm
index 169ba008de..d4831ab479 100644
--- a/C4/Creators/Lib.pm
+++ b/C4/Creators/Lib.pm
@@ -345,7 +345,8 @@ sub get_label_summary {
 $record->{'title'} =~ s/\W*$//; # strip off ugly trailing chars
 # FIXME contructing staff interface URLs should be done *much* higher up the stack - for the most part, C4 module code
 # should not know that it's part of a web app
- $label_summary->{'_summary'} = { title => $record->{title}, author => $record->{author}, biblionumber => $record->{biblionumber} };
+ $record->{'title'} = ' ' . $record->{'title'} . '';
+ $label_summary->{'_summary'} = $record->{'title'} . " | " . ($record->{'author'} ? $record->{'author'} : 'N/A');
 $label_summary->{'_item_type'} = C4::Context->preference("item-level_itypes") ? $record->{'itype'} : $record->{'itemtype'};
 $label_summary->{'_barcode'} = $record->{'barcode'};
 $label_summary->{'_item_number'} = $item->{'item_number'};
diff --git a/koha-tmpl/intranet-tmpl/prog/en/modules/labels/label-edit-batch.tt b/koha-tmpl/intranet-tmpl/prog/en/modules/labels/label-edit-batch.tt
index 40630b6dca..ddf93049e0 100644
--- a/koha-tmpl/intranet-tmpl/prog/en/modules/labels/label-edit-batch.tt
+++ b/koha-tmpl/intranet-tmpl/prog/en/modules/labels/label-edit-batch.tt
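Review bot: The new `_summary` line folds `$record->{'title'}` and `$record->{'author'}` — bibliographic record data — back into a single preformatted string, and the companion hunk in label-edit-batch.tt switches the output of that value from `| html` to `| $raw`, so those values reach the staff page unescaped; that is the stored-XSS path the reverted Bug 37720 commit closed. The commit message gives no reason for the revert, so if it is needed to undo a regression, state that in the message and keep escaping at the point where the string is built, e.g. `my $title = HTML::Entities::encode_entities( $record->{'title'} );` and the same for the author before the `" | "` join (if that module is available in the tree; otherwise the template `html` filter must stay on the non-markup parts). The exact markup wrapped around the title on the first added line is not recoverable from this hunk, so treat the string's shape as inferred. get_label_summary continues outside the hunk.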
@@ -175,11 +175,8 @@
 [% IF ( text_field.field_name == '_item_type_tbl' ) %]
 [% ItemTypes.GetDescription( text_field.field_value ) | html %]
- [% ELSIF ( text_field.field_name == '_summary_tbl' ) %]
- [% text_field.field_value.title | html %]
- [% IF text_field.field_value.author %]| [% text_field.field_value.author | html %][% END %]
 [% ELSE %]
- [% text_field.field_value | html %]
+ [% text_field.field_value | $raw %]
 [% END %]
 [% END %]
-- 
2.39.5
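Review bot: `| $raw` in the ELSE branch turns off escaping for every field name that is not `_item_type_tbl`, not only the summary, so any other column this loop renders (the loop itself starts outside the hunk) is now output unescaped. If the summary has to be emitted as markup, confine `$raw` to its own branch and keep the catch-all escaped: `[% ELSIF ( text_field.field_name == '_summary_tbl' ) %]` with `[% text_field.field_value | $raw %]`, then `[% ELSE %]` with the original `[% text_field.field_value | html %]`. This assumes the summary still arrives under `_summary_tbl`, as the removed ELSIF branch matched; which other fields reach this branch (the Lib.pm hunk sets `_barcode` and `_item_number`, presumably mapped the same way) depends on code outside the hunk.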