From f580af25e1518d0cac5ccd46a653a98e8b8d2282 Mon Sep 17 00:00:00 2001 From: Jonathan Druart Date: Thu, 9 Aug 2018 17:31:20 -0300 Subject: [PATCH] Bug 13618: Fix item search We want to encode HTML characters for the "key => value"'s like branchcode => branchname But not the whole JSON string We could have done it controller-side but it sounds better to do it as we do for other places Signed-off-by: Owen Leonard Signed-off-by: Martin Renvoize Signed-off-by: Nick Clemens --- .../catalogue/itemsearch_item.json.inc | 4 ++-- .../prog/en/modules/catalogue/itemsearch.tt | 23 ++++++++++++++----- 2 files changed, 19 insertions(+), 8 deletions(-) diff --git a/koha-tmpl/intranet-tmpl/prog/en/includes/catalogue/itemsearch_item.json.inc b/koha-tmpl/intranet-tmpl/prog/en/includes/catalogue/itemsearch_item.json.inc index f3e1ac427f..f683757080 100644 --- a/koha-tmpl/intranet-tmpl/prog/en/includes/catalogue/itemsearch_item.json.inc +++ b/koha-tmpl/intranet-tmpl/prog/en/includes/catalogue/itemsearch_item.json.inc @@ -1,8 +1,8 @@ [%- USE Branches -%] [%- USE Koha -%] [% USE AuthorisedValues %] -[%- biblio = item.biblio | html -%] -[%- biblioitem = item.biblioitem | html -%] +[%- biblio = item.biblio -%] +[%- biblioitem = item.biblioitem -%] [ "[% FILTER escape_quotes = replace('"', '\"') ~%] [% biblio.title | html %][% IF ( Koha.Preference( 'marcflavour' ) == 'UNIMARC' && biblio.author ) %] by[% END %] [% biblio.author | html %] diff --git a/koha-tmpl/intranet-tmpl/prog/en/modules/catalogue/itemsearch.tt b/koha-tmpl/intranet-tmpl/prog/en/modules/catalogue/itemsearch.tt index a39f6e41e7..6068b71d58 100644 --- a/koha-tmpl/intranet-tmpl/prog/en/modules/catalogue/itemsearch.tt +++ b/koha-tmpl/intranet-tmpl/prog/en/modules/catalogue/itemsearch.tt @@ -1,6 +1,6 @@ [% USE raw %] +[% USE To %] [% USE Asset %] -[% USE JSON.Escape %] [% BLOCK form_label %] [% SWITCH label %] 
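Review bot: With the `| html` filters dropped from the `biblio`/`biblioitem` assignments, the only protection for the hand-built JSON string on the trailing context lines is `FILTER escape_quotes = replace('"', '\"')`, and that replaces double quotes only: a backslash or a raw newline in `biblio.title` or `biblio.author` still reaches the output unescaped and would presumably leave the `.json.inc` response unparseable. Since the `html` filter on those fields already encodes `"` as an entity, the quote replacement does no work on them, so the remaining gap is `\` and control characters. The cleanest fix is to emit the row through the `To.json` plugin this same patch introduces in itemsearch.tt instead of assembling the string by hand; if the string assembly is kept, the filter must also escape `\` (and newlines) before handling `"`. The array opened by `[` on the last context lines continues past the end of this hunk.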
@@ -98,6 +98,17 @@ [% END %] +[%# We need to escape html characters for 'value' and 'label' %] +[%- BLOCK escape_html_value_label -%] + [%- SET escaped = [] -%] + [%- FOR e IN elts -%] + [%- value = BLOCK %][% e.value | html %][% END -%] + [%- label = BLOCK %][% e.label | html %][% END -%] + [%- escaped.push({ 'value' => value, 'label' => label }) -%] + [%- END -%] + [%- To.json(escaped) -%] +[%- END -%] + [%# Page starts here %] [% SET footerjs = 1 %] @@ -375,22 +386,22 @@ { 'type': 'text' }, { 'type': 'text' }, [% IF ccodes.size %] - { 'type': 'select', 'values': [% ccodes.json | html %] }, + { 'type': 'select', 'values': [% INCLUDE escape_html_value_label elts => ccodes %] }, [% ELSE %] null, [% END %] { 'type': 'text' }, { 'type': 'text' }, - { 'type': 'select', 'values': [% branches.json | html %] }, - { 'type': 'select', 'values': [% branches.json | html %] }, + { 'type': 'select', 'values': [% INCLUDE escape_html_value_label elts => branches %] }, + { 'type': 'select', 'values': [% INCLUDE escape_html_value_label elts => branches %] }, [% IF locations.size %] - { 'type': 'select', 'values': [% locations.json | html %] }, + { 'type': 'select', 'values': [% INCLUDE escape_html_value_label elts => locations %] }, [% ELSE %] null, [% END %] { 'type': 'text' }, [% IF notforloans.size %] - { 'type': 'select', 'values': [% notforloans.json | html %] }, + { 'type': 'select', 'values': [% INCLUDE escape_html_value_label elts => notforloans %] }, [% ELSE %] null, [% END %] -- 2.39.5
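Review bot: `escape_html_value_label` html-escapes `e.value` as well as `e.label`, so a branch or authorised-value code containing `&`, `<` or `"` is emitted in entity form; that is right only if the column-filter JavaScript that consumes `'values'` builds `<option>` markup by string concatenation, and it double-encodes (so the filter no longer matches the stored code) if that code assigns through DOM properties such as `option.value`. The consumer is outside this diff, so it is worth confirming and then recording the assumption in place of the bare `[%# We need to escape html characters for 'value' and 'label' %]`, e.g. `[%# Escape 'value' and 'label' individually for HTML: the column-filter JS inserts them as option markup. The surrounding JSON must stay unescaped so the To.json output remains parseable. %]`. Note also that `To.json(escaped)` lands, presumably, in an inline script with no JavaScript-context escaping; the per-field `html` filter is what prevents a `</script>` sequence in a label from ending the script block, which the comment should say explicitly so nobody removes it later.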
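Review bot: The two branch columns each run `INCLUDE escape_html_value_label elts => branches`, escaping and serialising the same list twice in a row; since the block depends only on `elts`, it reads better computed once before the array, `[% SET branches_json = INCLUDE escape_html_value_label elts => branches %]`, with both lines then using `'values': [% branches_json | raw %]` (the file's `[% USE raw %]` exists for exactly such pre-escaped output). Unlike `ccodes`, `locations` and `notforloans`, `branches` has no `.size` guard, which should be harmless because the block yields `[]` for an empty list, but the asymmetry deserves a one-line comment. The JavaScript array these entries belong to starts and ends outside this hunk.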