From 0d9ebbe95663355c1a39cf41524b1f5fcdbe83e1 Mon Sep 17 00:00:00 2001
From: Martin Renvoize
Date: Mon, 10 Jan 2022 10:45:54 +0100
Subject: [PATCH] Bug 5920: Strip HTML from report exports

This patch uses HTML::Restrict to strip out HTML tags from the CSV download of reports.

Signed-off-by: Martin Renvoize
Signed-off-by: Lucas Gass
Signed-off-by: Kyle M Hall
Signed-off-by: Katrin Fischer
---
 reports/guided_reports.pl | 15 ++++++++++-----
 1 file changed, 10 insertions(+), 5 deletions(-)

diff --git a/reports/guided_reports.pl b/reports/guided_reports.pl
index 57b7abd06e..a4e6bdd3bb 100755
--- a/reports/guided_reports.pl
+++ b/reports/guided_reports.pl
@@ -40,6 +40,7 @@ use Koha::Util::OpenDocument qw( generate_ods );
 use Koha::Notice::Templates;
 use Koha::TemplateUtils qw( process_tt );
 use C4::ClassSource qw( GetClassSources );
+use HTML::Restrict;
 
 =head1 NAME
 
@@ -620,6 +621,7 @@ elsif ($op eq 'export'){
 my $format = $input->param('format');
 my $reportname = $input->param('reportname');
 my $reportfilename = $reportname ? "$reportname-reportresults.$format" : "reportresults.$format" ;
+ my $hr = HTML::Restrict->new();
 ($sql, undef) = $report->prep_report( \@param_names, \@sql_params );
 my ( $sth, $q_errors ) = execute_query( { sql => $sql, report_id => $report_id } );
 
@@ -628,9 +630,9 @@ elsif ($op eq 'export'){
 if ($format eq 'tab') {
 $type = 'application/octet-stream';
 $content .= join("\t", header_cell_values($sth)) . "\n";
- $content = Encode::decode('UTF-8', $content);
+ $content = $hr->process(Encode::decode('UTF-8', $content));
 while (my $row = $sth->fetchrow_arrayref()) {
- $content .= join("\t", map { $_ // '' } @$row) . "\n";
+ $content .= join("\t", $hr->process(@$row)) . "\n";
 }
 } else {
 if ( $format eq 'csv' ) {
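Review bot: In the tab branch of the @@ -628 hunk, the rewritten row line `$content .= join("\t", $hr->process(@$row)) . "\n";` passes the whole row to HTML::Restrict's process(), which takes a single string, so only the first cell is stripped and returned and every other column of that row is silently dropped from the export. The removed `map { $_ // '' }` also means an undef cell is no longer turned into an empty field. Strip per cell instead: `$content .= join("\t", map { $hr->process($_ // '') } @$row) . "\n";`. The enclosing `elsif ($op eq 'export')` block and the `if ($format eq 'tab')` branch start and end outside the hunk.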
@@ -639,13 +641,15 @@ elsif ($op eq 'export'){
 my $csv = Text::CSV::Encoded->new({ encoding_out => 'UTF-8', sep_char => $delimiter});
 $csv or die "Text::CSV::Encoded->new({binary => 1}) FAILED: " . Text::CSV::Encoded->error_diag();
 if ($csv->combine(header_cell_values($sth))) {
- $content .= Encode::decode('UTF-8', $csv->string()) . "\n";
+ $content .= $hr->process(Encode::decode('UTF-8', $csv->string())) . "\n";
+
 } else {
 push @$q_errors, { combine => 'HEADER ROW: ' . $csv->error_diag() } ;
 }
 while (my $row = $sth->fetchrow_arrayref()) {
 if ($csv->combine(@$row)) {
- $content .= $csv->string() . "\n";
+ $content .= $hr->process($csv->string()) . "\n";
+
 } else {
 push @$q_errors, { combine => $csv->error_diag() } ;
 }
@@ -666,7 +670,8 @@ elsif ($op eq 'export'){
 foreach my $sql_row ( @$sql_rows ) {
 my @content_row;
 foreach my $sql_cell ( @$sql_row ) {
- push @content_row, Encode::encode( 'UTF8', $sql_cell );
+ push @content_row, $hr->process(Encode::encode( 'UTF8', $sql_cell ));
+
 }
 push @$ods_content, \@content_row;
 }
-- 
2.39.5
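Review bot: In the csv branch of the @@ -639 hunk, the stripper now runs on the already-combined line, `$content .= $hr->process($csv->string()) . "\n";` (and likewise on the decoded header line above it), so the HTML parser sees CSV quoting and separators rather than cell values: a `<` in one cell followed by a `>` in a later cell is treated as one tag and everything between them, including the separator, is removed, merging fields and shifting columns. Strip each cell before quoting instead, `if ($csv->combine(map { $hr->process($_ // '') } @$row)) {` with the original `$content .= $csv->string() . "\n";`, and do the same for `header_cell_values($sth)`. The two added lines that consist only of `+` insert blank lines after the `$content .=` statements and look unintended. The surrounding `while` loop and the export block extend outside the hunk.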
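Review bot: In the @@ -666 hunk the `$ods_content` loop applies the stripper to encoded bytes, `push @content_row, $hr->process(Encode::encode( 'UTF8', $sql_cell ));`, whereas the tab and csv branches strip decoded text; running an HTML parser over a byte string rather than a character string is at least inconsistent and may mishandle non-ASCII cells, so encode after stripping: `push @content_row, Encode::encode( 'UTF8', $hr->process($sql_cell) );`. The added line consisting only of `+` inserts a blank line inside the inner `foreach` and appears to be stray whitespace. The enclosing `elsif ($op eq 'export')` block continues outside the hunk.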