From e40e4e529427a4e3bb3be4e75ed11b460d6f4a42 Mon Sep 17 00:00:00 2001
From: Jonathan Druart
Date: Thu, 20 Apr 2023 10:19:02 +0200
Subject: [PATCH] Bug 33568: Escape all the things
MIME-Version: 1.0
Content-Type: text/plain; charset=utf8
Content-Transfer-Encoding: 8bit
Signed-off-by: Owen Leonard
Signed-off-by: Laurence Rault
Signed-off-by: Emily Lamancusa
Signed-off-by: Tomás Cohen Arazi
Signed-off-by: Katrin Fischer
---
 .../prog/en/modules/catalogue/detail.tt | 66 +++++++++----------
 1 file changed, 33 insertions(+), 33 deletions(-)
diff --git a/koha-tmpl/intranet-tmpl/prog/en/modules/catalogue/detail.tt b/koha-tmpl/intranet-tmpl/prog/en/modules/catalogue/detail.tt
index bff8e66ac2..22375e5612 100644
--- a/koha-tmpl/intranet-tmpl/prog/en/modules/catalogue/detail.tt
+++ b/koha-tmpl/intranet-tmpl/prog/en/modules/catalogue/detail.tt
@@ -2253,10 +2253,10 @@
 let image_location = item_type_image_locations[row.item_type_id];
 let item_type_description = row._strings.item_type_id.str;
 node += image_location
- ? '%s '.format(image_location, item_type_description, item_type_description)
+ ? '%s '.format(escape_str(image_location), escape_str(item_type_description), escape_str(item_type_description))
 : '';
 [% END %]
- node += '%s'.format(item_type_description);
+ node += '%s'.format(escape_str(item_type_description));
 return node;
 }
 },
@@ -2267,7 +2267,7 @@
 searchable: true,
 orderable: true,
 render: function (data, type, row, meta) {
- return row._strings.holding_library_id.str;
+ return escape_str(row._strings.holding_library_id.str);
 }
 },
 {
@@ -2276,7 +2276,7 @@
 searchable: true,
 orderable: true,
 render: function (data, type, row, meta) {
- let nodes = '%s'.format(row._strings.home_library_id.str);
+ let nodes = '%s'.format(escape_str(row._strings.home_library_id.str));
 nodes += ''
 [%# If permanent location is defined, show description or code and %]
 [%# display current location in parentheses. If not, display current location. %]
@@ -2284,9 +2284,9 @@
 let loc_str = row._strings.location.str;
 if ( row.permanent_location && row.permanent_location != row.location ) {
 let permanent_loc_str = av_loc[row.permanent_location];
- nodes += '%s (%s)'.format(permanent_loc_str, loc_str);
+ nodes += '%s (%s)'.format(escape_str(permanent_loc_str), escape_str(loc_str));
 } else {
- nodes += loc_str;
+ nodes += escape_str(loc_str);
 }
 nodes += '';
 return nodes;
@@ -2297,7 +2297,7 @@
 searchable: true,
 orderable: true,
 render: function (data, type, row, meta) {
- return row._strings.collection_code.str;
+ return escape_str(row._strings.collection_code.str);
 }
 },
 [% IF Koha.Preference('EnableItemGroups') %]
@@ -2308,7 +2308,7 @@
 orderable: true,
 render: function (data, type, row, meta) {
 if ( row.item_group_item ) {
- return row.item_group_item.item_group.description;
+ return escape_str(row.item_group_item.item_group.description);
 } else {
 return "";
 }
@@ -2321,7 +2321,7 @@
 searchable: true,
 orderable: true,
 render: function (data, type, row, meta) {
- return row.callnumber;
+ return escape_str(row.callnumber);
 }
 },
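Review bot: `av_loc[row.permanent_location]` is the only authorised-value lookup in this series done by plain property access; every other one (`av_lost`, `av_withdrawn`, `av_restricted`, `av_courses_term`) goes through `.get()`, and how `av_loc` is built is outside this hunk. If `av_loc` is a plain object, a location code absent from it yields `undefined`, and a code such as `constructor` resolves to an inherited `Object.prototype` member that `escape_str` will then happily render as text; if it is actually a `Map`, bracket access always returns `undefined`. Escaping the result stops markup injection but does not make the lookup itself safe, so I would write `let permanent_loc_str = Object.hasOwn(av_loc, row.permanent_location) ? av_loc[row.permanent_location] : row.permanent_location;` (or `av_loc.get(...)` if it is a `Map`), mirroring the `|| _(...)` fallbacks used for lost/withdrawn below. The enclosing render callback starts outside this hunk.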
@@ -2335,15 +2335,15 @@
 [%# FIXME Previously we displayed the column if at least one item of the biblio had an enumchron/serial_issue_number. Now it's only if one item of the ones displayed on the current page, how is that bad? How can it be fixed in an elegant way? Should we display the column only if biblio.serial? %]
 let serial = row.serialitem ? row.serialitem.serial : null;
 if ( row.serial_issue_number && serial && serial.serialseq ) {
- nodes += '%s'.format(row.serial_issue_number);
+ nodes += '%s'.format(escape_str(row.serial_issue_number));
 if ( serial.serialseq && row.serial_issue_number != serial.serialseq ) {
 nodes += ' -- '
- nodes += ' %s'.format(serial.serialseq);
+ nodes += ' %s'.format(escape_str(serial.serialseq));
 }
 } else if ( row.serial_issue_number ) {
- nodes += ' %s'.format(row.serial_issue_number);
+ nodes += ' %s'.format(escape_str(row.serial_issue_number));
 } else if ( serial && serial.serialseq ) {
- nodes += '%s'.format(serial.serialseq);
+ nodes += '%s'.format(escape_str(serial.serialseq));
 }
 if ( serial && serial.publisheddate ) {
 nodes += ' (%s)'.format($date(serial.publisheddate));
@@ -2373,30 +2373,30 @@
 nodes += ""
 } else if ( row.transfer ) {
 if ( row.transfer.datesent ) {
- nodes += '%s'.format(_("In transit from %s to %s since %s").format(row.transfer.frombranch, row.transfer.tobranch, $date(row.transfer.datesent))); [%# FIXME display library names, not codes, do we use _strings here? %]
+ nodes += '%s'.format(_("In transit from %s to %s since %s").format(escape_str(row.transfer.frombranch), escape_str(row.transfer.tobranch), $date(row.transfer.datesent))); [%# FIXME display library names, not codes, do we use _strings here? %]
 } else {
- nodes += '%s'.format(_("Transit pending from %s to %s since %s").format(row.transfer.frombranch, row.transfer.tobranch, $date(row.transfer.daterequested))); [%# FIXME See above %]
+ nodes += '%s'.format(_("Transit pending from %s to %s since %s").format(escape_str(row.transfer.frombranch), escape_str(row.transfer.tobranch), $date(row.transfer.daterequested))); [%# FIXME See above %]
 }
 }
 if ( row.lost_status ) {
 let lost_lib = av_lost.get(row.lost_status.toString()) || _("Unavailable (lost or missing");
- nodes += '%s'.format(lost_lib);
+ nodes += '%s'.format(escape_str(lost_lib));
 }
 if ( row.withdrawn ) {
 let withdrawn_lib = av_withdrawn.get(row.withdrawn.toString()) || _("Withdrawn");
- nodes += '%s'.format(withdrawn_lib);
+ nodes += '%s'.format(escape_str(withdrawn_lib));
 }
 if ( row.damaged ) {
 let damaged_lib = av_damaged.get(row.damaged.toString()) || _("Damaged");
- nodes += '%s'.format(damaged_lib);
+ nodes += '%s'.format(escape_str(damaged_lib));
 }
 if ( row.not_for_loan_status || row.item_type.notforloan ) {
 let not_for_loan_lib = av_not_for_loan.get(row.not_for_loan_status.toString());
- nodes += '%s'.format(_("Not for loan")) + ( not_for_loan_lib ? ' (%s)'.format(not_for_loan_lib) : '' ) + '';
+ nodes += '%s'.format(_("Not for loan")) + ( not_for_loan_lib ? ' (%s)'.format(escape_str(not_for_loan_lib)) : '' ) + '';
 }
 if ( row.first_hold ) {
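Review bot: The fallback on the `lost_lib` line, `_("Unavailable (lost or missing")`, has an unbalanced parenthesis and is exactly the (now escaped) text staff see whenever a lost status is missing from `av_lost`; it should read `_("Unavailable (lost or missing)")`, and since it is a translatable string the fix also touches the PO files. In the `not_for_loan` block the guard fires on `row.item_type.notforloan` alone as well, so if `row.not_for_loan_status` can ever be `null` on that path the `.toString()` call throws before any escaping runs; `av_not_for_loan.get(String(row.not_for_loan_status))` is safe either way and is a one-token change. The enclosing render callback starts and ends outside this hunk.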
@@ -2418,10 +2418,10 @@
 [% IF Koha.Preference('UseRecalls') %]
 if ( row.recall ) {
 if ( row.recall.waiting_date ) {
- nodes += '%s'.format(_("Waiting at %s since %s").format(row.recall.pickup_library_id, $date(row.recall.waiting_date))); # FIXME Display library names instead of codes
+ nodes += '%s'.format(_("Waiting at %s since %s").format(escape_str(row.recall.pickup_library_id), $date(row.recall.waiting_date))); # FIXME Display library names instead of codes
 } else {
 let patron_to_html = $patron_to_html(row.recall.patron);
- nodes += '%s'.format(_("recalled by %s on %s").format(patron_to_html, row.recall.created_date))
+ nodes += '%s'.format(_("recalled by %s on %s").format(patron_to_html, $date(row.recall.created_date)))
 }
 }
 [% END %]
@@ -2431,7 +2431,7 @@
 }
 if ( row.restricted_status ) {
- nodes += '(%s)'.format(av_restricted.get(row.restricted_status.toString()));
+ nodes += '(%s)'.format(escape_str(av_restricted.get(row.restricted_status.toString())));
 }
 if ( row.in_bundle ) {
@@ -2505,10 +2505,10 @@
 let nodes = '';
 if ( row.uri.split(' \| ').length > 1 ) {
 row.uri.split(' \| ').forEach((uri, i) => {
- nodes += '%s
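Review bot: The trailing `# FIXME Display library names instead of codes` on the new `Waiting at %s since %s` line is not a JavaScript comment, so if the template really emits it as shown the whole recalls branch is a syntax error whenever UseRecalls is on; the neighbouring hunks use `[%# ... %]` for the same kind of note and that (or `// FIXME`) would be safe here. The `recalled by %s on %s` line deliberately inserts `patron_to_html` without `escape_str`, which is only correct if `$patron_to_html` escapes the patron's name fields itself — worth confirming, as that helper is outside this hunk. Wrapping `created_date` in `$date()` is a formatting fix unrelated to escaping and is not mentioned in the commit message. The enclosing render callback starts and ends outside this hunk.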
'.format(uri, uri);
+ nodes += '%s
'.format(escape_str(uri), escape_str(uri));
 });
 } else {
- nodes += '%s
'.format(row.uri, url_link_text);
+ nodes += '%s
'.format(escape_str(row.uri), escape_str(url_link_text));
 }
 return nodes;
 }
@@ -2519,7 +2519,7 @@
 searchable: true,
 orderable: true,
 render: function (data, type, row, meta) {
- return row._strings.copy_number ? row._strings.copy_number.str : row.copy_number;
+ return escape_str(row._strings.copy_number ? row._strings.copy_number.str : row.copy_number);
 }
 },
 {
@@ -2528,7 +2528,7 @@
 searchable: true,
 orderable: true,
 render: function (data, type, row, meta) {
- return row.inventory_number;
+ return escape_str(row.inventory_number);
 }
 },
 {
@@ -2537,7 +2537,7 @@
 searchable: true,
 orderable: true,
 render: function (data, type, row, meta) {
- return row.materials_notes;
+ return escape_str(row.materials_notes);
 }
 },
 {
@@ -2546,7 +2546,7 @@
 searchable: true,
 orderable: true,
 render: function (data, type, row, meta) {
- return row.public_notes ? row.public_notes.replaceAll('\n', '
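Review bot: `escape_str(row.uri)` and `escape_str(uri)` stop the value from breaking out of the link's `href` attribute, but entity escaping says nothing about the URL scheme, so a `javascript:` or `data:` value stored in the item's URI field still becomes a clickable link on the staff detail page. A scheme allowlist before the link is built is the missing check, e.g. `const safe_uri = /^(https?|ftp):/i.test(uri.trim()) ? uri : '';` in the `forEach` branch and the same test on `row.uri` in the single-URI branch, with `escape_str` still applied to the result. As a side note, `' \| '` is a plain string, not a regex, so the backslash is a no-op and both `split` calls separate on a literal ` | `; that matches the old behaviour but reads as if a regex were intended. The enclosing render callback starts outside this hunk.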
') : '';
+ return row.public_notes ? escape_str(row.public_notes).replaceAll('\n', '
') : '';
 }
 },
 {
@@ -2555,7 +2555,7 @@
 searchable: true,
 orderable: true,
 render: function (data, type, row, meta) {
- return row.internal_notes;
+ return escape_str(row.internal_notes);
 }
 },
 [% IF ( hostrecords ) %]
@@ -2592,9 +2592,9 @@
 if ( c.enabled != 'yes' ) return;
 nodes += '

';
 nodes += ''.format(c.course_id);
- nodes += c.course_name;
+ nodes += escape_str(c.course_name);
 if ( c.section ) {
- nodes += ' ' + c.section;
+ nodes += ' ' + escape_str(c.section);
 }
 if ( c.term ) {
 nodes += ' ' + av_courses_term.get(c.term.toString());
@@ -2611,7 +2611,7 @@
 searchable: false,
 orderable: false,
 render: function (data, type, row, meta) {
- return ' Print label'.format(row.external_id);
+ return ' Print label'.format(escape_str(row.external_id));
 }
 },
 [% END %]
@@ -2633,7 +2633,7 @@
 }
 [% IF bundlesEnabled %]
 // FIXME How do we handle that correctly?
- //nodes += ''.format(row.bundled, row.bundled_lost);
+ //nodes += ''.format(escape_str(row.bundled), escape_str(row.bundled_lost));
 [% END %]
 return nodes;
--
2.39.5
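Review bot: Two values in this hunk are still concatenated raw while their neighbours now go through `escape_str`: `c.course_id` on the `''.format(c.course_id)` link line, and the `av_courses_term.get(c.term.toString())` description on the `c.term` line. `course_id` is presumably numeric, but an authorised-value description is free text edited by staff, so `nodes += ' ' + escape_str(av_courses_term.get(c.term.toString()));` is needed to make this block consistent with the rest of the commit, and `encodeURIComponent(c.course_id)` is the right treatment for the URL parameter regardless of its type. The enclosing render callback starts outside this hunk.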
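Review bot: `row.external_id` is interpolated into a query-string parameter of the label-batch link, and `escape_str` only neutralises HTML metacharacters; an `&`, `#`, `?` or `%` in a barcode would still truncate or corrupt the URL, and URL encoding is what this context calls for. `return ' Print label'.format(escape_str(encodeURIComponent(row.external_id)));` covers both the attribute and the query string, since `encodeURIComponent` output contains no HTML-significant characters and the outer `escape_str` is then a harmless belt-and-braces. Whether barcodes can carry such characters depends on local configuration, which is not visible here.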