From cef24888bdf188857511136afd3d35ec607a0ca3 Mon Sep 17 00:00:00 2001
From: Jonathan Druart
Date: Thu, 9 Aug 2018 12:32:49 -0300
Subject: [PATCH] Bug 13618: Escape HTML chars in checkouts.js
On the way the itemtype is not displaying correctly the description instead of the code (in the relative's checkouts table)
Signed-off-by: Owen Leonard
Signed-off-by: Martin Renvoize
Signed-off-by: Nick Clemens
---
 koha-tmpl/intranet-tmpl/prog/js/checkouts.js | 91 ++++++++++++++------
 1 file changed, 65 insertions(+), 26 deletions(-)
diff --git a/koha-tmpl/intranet-tmpl/prog/js/checkouts.js b/koha-tmpl/intranet-tmpl/prog/js/checkouts.js
index d6cd4b8fb4..b5edf4843f 100644
--- a/koha-tmpl/intranet-tmpl/prog/js/checkouts.js
+++ b/koha-tmpl/intranet-tmpl/prog/js/checkouts.js
@@ -219,11 +219,11 @@ $(document).ready(function() {
 due = "" + due + "";
 if ( oObj.lost ) {
- due += "" + oObj.lost + "";
+ due += "" + oObj.lost.escapeHtml() + "";
 }
 if ( oObj.damaged ) {
- due += "" + oObj.damaged + "";
+ due += "" + oObj.damaged.escapeHtml() + "";
 }
 var patron_note = " ";
@@ -237,20 +237,20 @@ $(document).ready(function() {
 title = ""
- + oObj.title;
+ + oObj.title.escapeHtml();
 $.each(oObj.subtitle, function( index, value ) {
- title += " " + value.subfield;
+ title += " " + value.subfield.escapeHtml();
 });
 if ( oObj.enumchron ) {
- title += " (" + oObj.enumchron + ")";
+ title += " (" + oObj.enumchron.escapeHtml() + ")";
 }
 title += "";
 if ( oObj.author ) {
- title += " " + BY.replace( "_AUTHOR_", " " + oObj.author );
+ title += " " + BY.replace( "_AUTHOR_", " " + oObj.author.escapeHtml() );
 }
 if ( oObj.itemnotes ) {
@@ -258,7 +258,7 @@ $(document).ready(function() {
 if ( $.datepicker.formatDate('yy-mm-dd', new Date(oObj.issuedate) ) == ymd ) {
 span_class = "circ-hlt";
 }
- title += " - " + oObj.itemnotes + "";
+ title += " - " + oObj.itemnotes.escapeHtml() + "";
 }
 if ( oObj.itemnotes_nonpublic ) {
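Review bot: In the -237 hunk, `BY.replace( "_AUTHOR_", " " + oObj.author.escapeHtml() )` passes record data as the replacement string of String.prototype.replace, which expands `$`-prefixed patterns such as `$&`, `$'` and `$$` in that argument, so an author value containing one of them still renders wrong after escaping; passing a function avoids the expansion, `title += " " + BY.replace( "_AUTHOR_", function () { return " " + oObj.author.escapeHtml(); } );`. The same line is repeated in the -553 hunk on the next line. Also in this hunk, `oObj.title.escapeHtml()` and `value.subfield.escapeHtml()` are the only new calls not wrapped in a truthiness check like the lost/damaged/enumchron/author ones, so if either value can come back null or undefined from the service the renderer throws where the old concatenation merely printed it. The render function these lines belong to starts and ends outside the hunk.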
@@ -266,7 +266,7 @@ $(document).ready(function() {
 if ( $.datepicker.formatDate('yy-mm-dd', new Date(oObj.issuedate) ) == ymd ) {
 span_class = "circ-hlt";
 }
- title += " - " + oObj.itemnotes_nonpublic + "";
+ title += " - " + oObj.itemnotes_nonpublic.escapeHtml() + "";
 }
 var onsite_checkout = '';
@@ -282,7 +282,7 @@ $(document).ready(function() {
 + "#" + oObj.itemnumber + "'>"
- + oObj.barcode
+ + oObj.barcode.escapeHtml()
 + "" + onsite_checkout
@@ -290,12 +290,32 @@ $(document).ready(function() {
 }, "sType": "anti-the" },
- { "mDataProp": "itemtype_description" },
- { "mDataProp": "location" },
- { "mDataProp": "homebranch" },
+ {
+ "mDataProp": function ( oObj ) {
+ return oObj.itemtype_description.escapeHtml();
+ }
+ },
+ {
+ "mDataProp": function ( oObj ) {
+ return oObj.location.escapeHtml();
+ }
+ },
+ {
+ "mDataProp": function ( oObj ) {
+ return oObj.homebranch.escapeHtml();
+ }
+ },
 { "mDataProp": "issuedate_formatted" },
- { "mDataProp": "branchname" },
- { "mDataProp": "itemcallnumber" },
+ {
+ "mDataProp": function ( oObj ) {
+ return oObj.branchname.escapeHtml();
+ }
+ },
+ {
+ "mDataProp": function ( oObj ) {
+ return oObj.itemcallnumber.escapeHtml();
+ }
+ },
 { "mDataProp": function ( oObj ) {
 if ( ! oObj.charge ) oObj.charge = 0;
@@ -553,20 +573,20 @@ $(document).ready(function() {
 title = ""
- + oObj.title;
+ + oObj.title.escapeHtml();
 $.each(oObj.subtitle, function( index, value ) {
- title += " " + value.subfield;
+ title += " " + value.subfield.escapeHtml();
 });
 if ( oObj.enumchron ) {
- title += " (" + oObj.enumchron + ")";
+ title += " (" + oObj.enumchron.escapeHtml() + ")";
 }
 title += "";
 if ( oObj.author ) {
- title += " " + BY.replace( "_AUTHOR_", " " + oObj.author );
+ title += " " + BY.replace( "_AUTHOR_", " " + oObj.author.escapeHtml() );
 }
 if ( oObj.itemnotes ) {
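Review bot: The new column accessors in the -290 hunk (`oObj.itemtype_description.escapeHtml()`, and likewise `location`, `homebranch`, `branchname`, `itemcallnumber`) dereference the field unconditionally, whereas the removed string-form `mDataProp` entries left an empty or null cell to DataTables; if any of these can be null or undefined for an item — a missing call number or location looks plausible from the field names, but the service response is not visible here — the accessor throws a TypeError and the whole table fails to render, which is a denial of the page rather than a cosmetic glitch. The same pattern is repeated in the -606 hunk and for the borrower fields `firstname`, `surname` and `cardnumber` in the -632 hunk on the next line. A small factory that maps null to an empty string and keeps the escaping in one place avoids copying the five-line accessor per column; it would be defined once before the table options, outside the hunk, and assumes `escapeHtml` is the String.prototype helper the new lines already rely on, since the patch does not define it. The column array itself begins before the hunk.
```javascript
// Column accessor for a field shown as escaped text; null/undefined render as "".
function escapedColumn( field ) {
    return {
        "mDataProp": function ( oObj ) {
            var value = oObj[field];
            return value == null ? "" : String( value ).escapeHtml();
        }
    };
}
// … unchanged: earlier columns, including the title renderer …
escapedColumn( "itemtype_description" ),
escapedColumn( "location" ),
escapedColumn( "homebranch" ),
{ "mDataProp": "issuedate_formatted" },
escapedColumn( "branchname" ),
escapedColumn( "itemcallnumber" ),
// … unchanged: charge column onward …
```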
@@ -574,7 +594,7 @@ $(document).ready(function() {
 if ( $.datepicker.formatDate('yy-mm-dd', new Date(oObj.issuedate) ) == ymd ) {
 span_class = "circ-hlt";
 }
- title += " - " + oObj.itemnotes + ""
+ title += " - " + oObj.itemnotes.escapeHtml() + ""
 }
 if ( oObj.itemnotes_nonpublic ) {
@@ -582,7 +602,7 @@ $(document).ready(function() {
 if ( $.datepicker.formatDate('yy-mm-dd', new Date(oObj.issuedate) ) == ymd ) {
 span_class = "circ-hlt";
 }
- title += " - " + oObj.itemnotes_nonpublic + ""
+ title += " - " + oObj.itemnotes_nonpublic.escapeHtml() + ""
 }
 var onsite_checkout = '';
@@ -598,7 +618,7 @@ $(document).ready(function() {
 + "#" + oObj.itemnumber + "'>"
- + oObj.barcode
+ + oObj.barcode.escapeHtml()
 + "" + onsite_checkout;
@@ -606,11 +626,27 @@ $(document).ready(function() {
 }, "sType": "anti-the" },
- { "mDataProp": "itemtype" },
- { "mDataProp": "location" },
+ {
+ "mDataProp": function ( oObj ) {
+ return oObj.itemtype_description.escapeHtml();
+ }
+ },
+ {
+ "mDataProp": function ( oObj ) {
+ return oObj.location.escapeHtml();
+ }
+ },
 { "mDataProp": "issuedate_formatted" },
- { "mDataProp": "branchname" },
- { "mDataProp": "itemcallnumber" },
+ {
+ "mDataProp": function ( oObj ) {
+ return oObj.branchname.escapeHtml();
+ }
+ },
+ {
+ "mDataProp": function ( oObj ) {
+ return oObj.itemcallnumber.escapeHtml();
+ }
+ },
 { "mDataProp": function ( oObj ) {
 if ( ! oObj.charge ) oObj.charge = 0;
@@ -632,7 +668,10 @@ $(document).ready(function() {
 { "mDataProp": function( oObj ) {
 return ""
- + oObj.borrower.firstname + " " + oObj.borrower.surname + " (" + oObj.borrower.cardnumber + ")"
+ + oObj.borrower.firstname.escapeHtml()
+ + " "
+ + oObj.borrower.surname.escapeHtml()
+ + " (" + oObj.borrower.cardnumber.escapeHtml() + ")"
 }
 },
 ],
-- 
2.20.1
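Review bot: In the -598 hunk only the link text `oObj.barcode.escapeHtml()` is escaped, while the attribute it sits in is still built on the surrounding context line by concatenating `oObj.itemnumber` raw into a single-quoted href; itemnumber is presumably an integer id, so this is unlikely to be exploitable, but wrapping it the same way, `String( oObj.itemnumber ).escapeHtml()`, keeps the rule "every interpolated value is escaped" uniform, provided the helper also escapes the single quote the attribute is delimited with. The -282 hunk on the previous line has the same shape. As a style point, the rewritten lines in the -574 and -582 hunks, `title += " - " + oObj.itemnotes.escapeHtml() + ""`, end without a semicolon unlike their twins in the -258 and -266 hunks; since the lines are being touched anyway, adding the `;` avoids relying on automatic semicolon insertion. The renderers these lines belong to start and end outside the hunks.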