[Patches] [PATCH] Incremental fix for Bug 2847, Use HTML escape in templates
From: Owen Leonard <oleonard at myacpl.org>
Date: Fri, 11 Nov 2011 12:34:44 -0500
Subject: [PATCH] Incremental fix for Bug 2847, Use HTML escape in templates
where appropriate
Fixes for output in a couple of acquisitions templates where
user-generated data should be escaped. These instances were found
by creating a vendor name like "Baker & Taylor" and finding
that the ampersand was not escaped, causing validation errors.
This patch also consolidates multiple <script> blocks which
do not need to be separate and corrects a couple of unclosed
<input> tags.
Signed-off-by: Chris Cormack <chrisc at catalyst.net.nz>
---
.../prog/en/includes/acquisitions-search.inc | 6 +++---
.../intranet-tmpl/prog/en/modules/acqui/basket.tt | 17 +++++------------
2 files changed, 8 insertions(+), 15 deletions(-)
diff --git a/koha-tmpl/intranet-tmpl/prog/en/includes/acquisitions-search.inc b/koha-tmpl/intranet-tmpl/prog/en/includes/acquisitions-search.inc
index ddf6f8d..6c928ef 100644
--- a/koha-tmpl/intranet-tmpl/prog/en/includes/acquisitions-search.inc
+++ b/koha-tmpl/intranet-tmpl/prog/en/includes/acquisitions-search.inc
@@ -11,13 +11,13 @@
<p class="tip">Search orders:</p>
<form action="/cgi-bin/koha/acqui/histsearch.pl" method="post">
- <label for="title">Title: </label><input type="text" id="title" name="title" size="15" value="[% title %]" /> <label for="searchsupplier">Vendor:</label> <input type="text" id="searchsupplier" name="name" size="15" value="[% name %]" />
+ <label for="title">Title: </label><input type="text" id="title" name="title" size="15" value="[% title %]" /> <label for="searchsupplier">Vendor:</label> <input type="text" id="searchsupplier" name="name" size="15" value="[% name|html %]" />
<span class="filteraction" id="filteraction_off" style="display:none"> <a href="#" onclick="$('#filters').toggle();$('.filteraction').hide();">[-]</a></span>
<span class="filteraction" id="filteraction_on"> <a href="#" onclick="$('#filters').show();$('.filteraction').toggle();">[+]</a></span>
<input value="Submit" class="submit" type="submit" /> <a href="/cgi-bin/koha/acqui/histsearch.pl">Advanced Search</a>
<p id="filters" style="display:none">
- <label for="basket">Basket: </label><input type="text" name="basket" id="basket">
- <label for="booksellerinvoicenumber">Invoice No.: </label><input type="text" name="booksellerinvoicenumber" id="booksellerinvoicenumber">
+ <label for="basket">Basket: </label><input type="text" name="basket" id="basket" />
+ <label for="booksellerinvoicenumber">Invoice No.: </label><input type="text" name="booksellerinvoicenumber" id="booksellerinvoicenumber" />
</p>
</form>
</div>
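Review bot: The same line that now escapes the vendor name still emits the title raw: `value="[% title %]"` on the first input of the search form. Both values are echoed back from the same submitted form, so a title containing `"` breaks out of the attribute just as an ampersand in the vendor name broke validation; change it to `value="[% title|html %]"` so the two fields are treated consistently. The `onclick` handlers on the filter toggles are pre-existing context and not part of this change, but they are the reason this template cannot run under a strict CSP.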
diff --git a/koha-tmpl/intranet-tmpl/prog/en/modules/acqui/basket.tt b/koha-tmpl/intranet-tmpl/prog/en/modules/acqui/basket.tt
index 90ddacb..c0b62f2 100644
--- a/koha-tmpl/intranet-tmpl/prog/en/modules/acqui/basket.tt
+++ b/koha-tmpl/intranet-tmpl/prog/en/modules/acqui/basket.tt
@@ -1,5 +1,5 @@
[% INCLUDE 'doc-head-open.inc' %]
-<title>Koha › Acquisitions › [% UNLESS ( basketno ) %]New [% END %][% IF ( delete_confirm ) %]Delete [% END %]Basket [% basketname %] ([% basketno %]) for [% name %]</title>
+<title>Koha › Acquisitions › [% UNLESS ( basketno ) %]New [% END %][% IF ( delete_confirm ) %]Delete [% END %]Basket [% basketname|html %] ([% basketno %]) for [% name|html %]</title>
[% INCLUDE 'doc-head-close.inc' %]
[% UNLESS ( closedate ) %]
<script type="text/javascript" src="[% themelang %]/lib/jquery/plugins/jquery.tablesorter.min.js"></script>
@@ -13,20 +13,13 @@
}
});
});
-//]]>
-</script>
-<script type="text/javascript">
-//<![CDATA[
function confirm_close() {
var is_confirmed = confirm(_('Are you sure you want to close this basket?'));
if (is_confirmed) {
window.location = "[% script_name %]?op=close&basketno=[% basketno %]";
}
}
-//]]>
- </script>
-<script type="text/javascript">
-//<![CDATA[
+
function confirm_deletion() {
var is_confirmed = confirm(_('Are you sure you want to delete this basket?'));
if (is_confirmed) {
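Review bot: `window.location = "[% script_name %]?op=close&basketno=[% basketno %]";` in confirm_close() interpolates `basketno` into a JavaScript string literal inside a URL, and the commit's `|html` filter would be the wrong tool here: HTML escaping does nothing for a script context. If `basketno` is always an integer read from the database this is harmless, but that is not visible from the template; use Template Toolkit's URI filter, `basketno=[% basketno|uri %]`, or validate it as an integer in basket.pl before it reaches the template. Note also that after the consolidation the `&` in that URL string relies on the `//<![CDATA[` opener of the first script block, which starts before this hunk, still wrapping the merged code; confirm_deletion() continues past the end of the hunk.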
@@ -72,7 +65,7 @@
[% INCLUDE 'acquisitions-search.inc' %]
-<div id="breadcrumbs"><a href="/cgi-bin/koha/mainpage.pl">Home</a> › <a href="/cgi-bin/koha/acqui/acqui-home.pl">Acquisitions</a> › <a href="/cgi-bin/koha/acqui/supplier.pl?supplierid=[% booksellerid %]">[% name %]</a> › [% UNLESS ( basketno ) %]New [% END %][% IF ( delete_confirm ) %]Delete [% END %]Basket [% basketname %] ([% basketno %]) for [% name %]</div>
+<div id="breadcrumbs"><a href="/cgi-bin/koha/mainpage.pl">Home</a> › <a href="/cgi-bin/koha/acqui/acqui-home.pl">Acquisitions</a> › <a href="/cgi-bin/koha/acqui/supplier.pl?supplierid=[% booksellerid %]">[% name|html %]</a> › [% UNLESS ( basketno ) %]New [% END %][% IF ( delete_confirm ) %]Delete [% END %]Basket [% basketname|html %] ([% basketno %]) for [% name|html %]</div>
<div id="doc3" class="yui-t2">
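Review bot: The breadcrumb link still emits `supplierid=[% booksellerid %]` into the href unfiltered while the link text beside it is now `|html`-escaped. A query-string parameter wants the URI filter rather than the HTML one, `supplierid=[% booksellerid|uri %]`; if booksellerid is guaranteed numeric by the caller this is cosmetic, but the template cannot tell. The same href is repeated in the `<h1>` changed by the next hunk and should get the same treatment.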
@@ -148,7 +141,7 @@
<h3>Basket deleted</h3>
<META HTTP-EQUIV=Refresh CONTENT="0; url=booksellers.pl">
[% ELSE %]
- <h1>[% UNLESS ( basketno ) %]New [% END %][% IF ( delete_confirm ) %]Delete [% END %]Basket [% basketname %] ([% basketno %]) for <a href="supplier.pl?supplierid=[% booksellerid %]">[% name %]</a></h1>
+ <h1>[% UNLESS ( basketno ) %]New [% END %][% IF ( delete_confirm ) %]Delete [% END %]Basket [% basketname|html %] ([% basketno %]) for <a href="supplier.pl?supplierid=[% booksellerid %]">[% name|html %]</a></h1>
[% IF ( delete_confirm ) %]
<h2>
<span class="yui-button yui-link-button">
@@ -333,7 +326,7 @@
<div id="closebasket_needsconfirmation" class="dialog alert">
<form action="/cgi-bin/koha/acqui/basket.pl" class="confirm">
- <h1>Are you sure you want to close basket [% basketname %]?</h1>
+ <h1>Are you sure you want to close basket [% basketname|html %]?</h1>
<p>
<label for="createbasketgroup">Attach this basket to a new basket group with the same name</label>
<input type="checkbox" id="createbasketgroup" name="createbasketgroup"/>
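Review bot: The escaped heading is fine, but the confirmation form it sits in, `<form action="/cgi-bin/koha/acqui/basket.pl" class="confirm">`, declares no `method`, so confirming a basket close submits as GET. Closing a basket is a state change and should be `method="post"` so it cannot be triggered by a plain link or prefetch; this is pre-existing context rather than part of the commit, and the form's submit controls lie outside the hunk, so the handler in basket.pl would need checking for any method assumptions before changing it.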
--
1.7.5.4