From bdf0d85c1de9cbb37cc8a40b0b4a2e86633d3aaf Mon Sep 17 00:00:00 2001
From: Jonathan Druart
Date: Fri, 8 Jun 2018 12:19:41 -0300
Subject: [PATCH] Bug 20891: Escape html then JSON
To my understanding we need to escape first html chars then to JSON. If this patch works we will need to rethink the 'To' TT plugin. It was originally designed to have several escape methods, but with these changes it will not make sense to name it 'To' if used only to escape JSON IIRC we should keep the 2 different ways to use it: * [% To.json( string ) %] * [% string | $To %] otherwise it will be hard to use it when called in argument of patron-title.inc (`git grep To.json`)
Signed-off-by: Liz Rea
Signed-off-by: Katrin Fischer
Signed-off-by: Nick Clemens
---
 Koha/Template/Plugin/To.pm | 9 ++++++++-
 .../en/modules/virtualshelves/tables/shelves_results.tt | 4 ++--
 2 files changed, 10 insertions(+), 3 deletions(-)
diff --git a/Koha/Template/Plugin/To.pm b/Koha/Template/Plugin/To.pm
index f87a39c64c..b0a03c4b8c 100644
--- a/Koha/Template/Plugin/To.pm
+++ b/Koha/Template/Plugin/To.pm
@@ -19,9 +19,11 @@ package Koha::Template::Plugin::To;
 use Modern::Perl;
-use base qw( Template::Plugin );
+use Template::Plugin::Filter;
+use base qw( Template::Plugin::Filter );
 use JSON qw( to_json );
+our $DYNAMIC = 1;
 sub json {
 my ( $self, $value ) = @_;
@@ -34,4 +36,9 @@ sub json {
 return $json;
 }
+sub filter {
+ my ( $self, $value ) = @_;
+ return $self->json($value);
+}
+
 1;
diff --git a/koha-tmpl/intranet-tmpl/prog/en/modules/virtualshelves/tables/shelves_results.tt b/koha-tmpl/intranet-tmpl/prog/en/modules/virtualshelves/tables/shelves_results.tt
index d904057507..8a1dbdc18b 100644
--- a/koha-tmpl/intranet-tmpl/prog/en/modules/virtualshelves/tables/shelves_results.tt
+++ b/koha-tmpl/intranet-tmpl/prog/en/modules/virtualshelves/tables/shelves_results.tt
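Review bot: `our $DYNAMIC = 1;` in the first To.pm hunk is added without a comment, and nothing visible in this patch depends on it: the `filter` added in the second hunk reads only `$self` and `$value` and ignores any filter arguments. Either drop the flag or add a one-line comment above it stating what requires the dynamic form, after confirming against Template::Plugin::Filter. The explicit `use Template::Plugin::Filter;` is also redundant, because `use base qw( Template::Plugin::Filter );` already loads the module.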
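Review bot: `filter` in the second To.pm hunk has no documentation, and its contract is security-relevant: it calls only `json`, so a value is HTML-escaped only when the template puts `| html` before `| $To`, as the template hunk in this patch does. I would add POD above the sub stating that it is the filter form of `To.json`, that it performs no HTML escaping itself, and that callers must chain `[% string | html | $To %]` in that order. The diffstat lists only To.pm and one template, so the new filter path arrives without a test; a small test that passes a string containing a double quote and a backslash through both `To.json( string )` and `string | $To` would pin the two entry points to the same output.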
@@ -11,13 +11,13 @@
 "dt_type":
 "[% data.type | html %]",
 "dt_shelfname":
- "[% To.json(data.shelfname) | html%]",
+ "[% data.shelfname | html | $To %]",
 "dt_count":
 "[% data.count | html %] item(s)",
 "dt_is_shared":
 "[% IF data.type == 2 %]Public[% ELSIF data.is_shared %]Shared[% ELSE %]Private[% END %]",
 "dt_owner":
- "[% To.json(data.firstname) | html %] [% To.json(data.surname) | html %]",
+ "[% data.firstname | html | $To %] [% data.surname | html | $To %]",
 "dt_sortby":
 [% IF data.sortby == "author" %]"Author"[% ELSIF data.sortby == "copyrightdate" %]"Year"[% ELSIF data.sortby == "itemcallnumber" %]"Call number"[% ELSIF data.sortby == "dateadded" %]"Date added"[% ELSE %]"Title"[% END %],
 "dt_created_on":
--
2.39.5
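Review bot: `dt_type` and `dt_count` in this hunk are still emitted with `| html` only, so the html-then-JSON rule is applied to three values and not to their neighbours inside the same hand-built JSON row. `data.type` is compared with 2 a few lines down and `data.count` looks numeric, so this is probably harmless, but it rests on those values staying numeric; a backslash or newline in either would yield invalid JSON. Either run them through the same chain, `[% data.type | html | $To %]`, or add a TT comment next to them saying they are known-numeric and skip `$To` on purpose. The row object starts and ends outside the hunk.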