From e171d5fdd319ec9d955992c9340bb9a1530e3aaf Mon Sep 17 00:00:00 2001
From: Phil Ringnalda
Date: Sun, 5 Mar 2023 21:24:56 -0800
Subject: [PATCH] Bug 33144: Unescape text from authority lookup for advanced editor
MIME-Version: 1.0
Content-Type: text/plain; charset=utf8
Content-Transfer-Encoding: 8bit

While the basic editor is happy with an array of subfields it can stuff into separate fields, the advanced editor needs to get a JS string back from the authority lookup plugin, because it is going to just add the whole thing as text. The string has to be HTML entity encoded, both to not allow XSS and just to not break the window, but it needs to then be unencoded before being inserted into the editor.

Test plan:
1. Set the system preference EnableAdvancedCatalogingEditor to Enable
2. Edit any Topical Term authority, and at the end of tag 150 subfield a, add &
3. Cataloging - Advanced editor
4. Press return in the editor to get a new blank line, type 650 and press tab three times, then type Ctrl-Shift-L
5. Search for your modified authority, and click Choose
6. Verify that the tiny popup opened by the search window finished its job and closed itself
7. Verify that your 650 now shows as "‡aAbduction & ‡vDrama" rather than "‡aAbduction & </script>‡vDrama."

Signed-off-by: Jonathan Druart
Signed-off-by: Katrin Fischer
Signed-off-by: Tomas Cohen Arazi
---
 .../prog/en/modules/authorities/blinddetail-biblio-search.tt | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/koha-tmpl/intranet-tmpl/prog/en/modules/authorities/blinddetail-biblio-search.tt b/koha-tmpl/intranet-tmpl/prog/en/modules/authorities/blinddetail-biblio-search.tt
index ee27c4c886..d72d51650c 100644
--- a/koha-tmpl/intranet-tmpl/prog/en/modules/authorities/blinddetail-biblio-search.tt
+++ b/koha-tmpl/intranet-tmpl/prog/en/modules/authorities/blinddetail-biblio-search.tt
@@ -22,6 +22,8 @@
 [% IF rancor %]
 function RancorReplaceField( new_text, ind_1, ind_2 ){
 var cur_field = opener.opener.jQuery(".CodeMirror")[0].CodeMirror.marceditor.getCurrentField();
+// The new_text is entity-encoded and we want decoded text
+new_text = new DOMParser().parseFromString(new_text, 'text/html').body.innerText;
 cur_field.setText(new_text);
 [% IF update_ind1 %]cur_field.setIndicator1(ind_1);[% END %]
 [% IF update_ind2 %]cur_field.setIndicator2(ind_2);[% END %]
--
2.39.5
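Review bot: The added `new_text = new DOMParser().parseFromString(new_text, 'text/html').body.innerText;` line relies on the caller always handing over an entity-encoded string; any literal `<`…`>` that reaches it unencoded is parsed as markup and silently dropped from the heading rather than decoded, so the one-line comment above it should state that contract, e.g. `// new_text arrives HTML-entity-encoded from the lookup; parsing it as text/html decodes the entities but also strips any raw markup, so callers must never pass unencoded text here`. `textContent` would be the more predictable accessor than `innerText`, since `innerText` is layout-dependent and only yields the plain text here because the parsed document is never rendered: `new_text = new DOMParser().parseFromString(new_text, 'text/html').body.textContent;`. Documents created by DOMParser do not run scripts, so the round trip through the parser is side-effect free and the decoded text only ever reaches CodeMirror through `cur_field.setText`, which is the property worth recording next to the decode. RancorReplaceField's closing brace lies outside the hunk.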