[Patches] [PATCH] [3.4.x] Bug 2847 Use HTML escape in templates where appropriate
koha-patchbot at kohaaloha.com
Thu Nov 24 03:50:04 NZDT 2011
From: Owen Leonard <oleonard at myacpl.org>
Date: Wed, 23 Nov 2011 09:45:47 -0500
Subject: [PATCH] [3.4.x] Bug 2847 Use HTML escape in templates where appropriate
Content-Type: text/plain; charset="utf-8"
Fixes for output in a couple of acquisitions templates where
user-generated data should be escaped. These instances were found
by creating a vendor name like "Baker & Taylor" and finding
that the ampersand was not escaped, causing validation errors.
This patch also consolidates multiple <script> blocks which
do not need to be separate and corrects a couple of unclosed
<input> tags.
---
.../prog/en/includes/acquisitions-search.inc | 2 +-
.../intranet-tmpl/prog/en/modules/acqui/basket.tt | 20 +++++++-------------
2 files changed, 8 insertions(+), 14 deletions(-)
diff --git a/koha-tmpl/intranet-tmpl/prog/en/includes/acquisitions-search.inc b/koha-tmpl/intranet-tmpl/prog/en/includes/acquisitions-search.inc
index dd3d325..87b6cd3 100644
--- a/koha-tmpl/intranet-tmpl/prog/en/includes/acquisitions-search.inc
+++ b/koha-tmpl/intranet-tmpl/prog/en/includes/acquisitions-search.inc
@@ -11,7 +11,7 @@
<p class="tip">Search orders:</p>
<form action="/cgi-bin/koha/acqui/histsearch.pl" method="post">
- <label for="title">Title: </label><input type="text" id="title" name="title" size="15" value="[% title %]" /> <label for="searchsupplier">Vendor:</label> <input type="text" id="searchsupplier" name="name" size="15" value="[% name %]" />
+ <label for="title">Title: </label><input type="text" id="title" name="title" size="15" value="[% title %]" /> <label for="searchsupplier">Vendor:</label> <input type="text" id="searchsupplier" name="name" size="15" value="[% name|html %]" />
<input value="Submit" class="submit" type="submit" /> <a href="/cgi-bin/koha/acqui/histsearch.pl">Advanced Search</a>
</form>
</div>
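Review bot: The same line that now escapes the vendor name still emits `value="[% title %]"` unescaped, so a saved title containing a double quote or an ampersand has the same validation and attribute-breaking problem the commit set out to fix. The one-line change is `value="[% title|html %]"` on the new side of this hunk, in line with the `name` field beside it. Both values are echoed back from the search form, so they are user-supplied.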
diff --git a/koha-tmpl/intranet-tmpl/prog/en/modules/acqui/basket.tt b/koha-tmpl/intranet-tmpl/prog/en/modules/acqui/basket.tt
index 2654303..369be61 100644
--- a/koha-tmpl/intranet-tmpl/prog/en/modules/acqui/basket.tt
+++ b/koha-tmpl/intranet-tmpl/prog/en/modules/acqui/basket.tt
@@ -1,5 +1,5 @@
[% INCLUDE 'doc-head-open.inc' %]
-<title>Koha › Acquisitions › [% UNLESS ( basketno ) %]New [% END %][% IF ( delete_confirm ) %]Delete [% END %]Basket [% basketname %] ([% basketno %]) for [% name %]</title>
+<title>Koha › Acquisitions › [% UNLESS ( basketno ) %]New [% END %][% IF ( delete_confirm ) %]Delete [% END %]Basket [% basketname|html %] ([% basketno %]) for [% name|html %]</title>
[% INCLUDE 'doc-head-close.inc' %]
[% UNLESS ( closedate ) %]
<script type="text/javascript" src="[% themelang %]/lib/jquery/plugins/jquery.tablesorter.min.js"></script>
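Review bot: `[% basketno %]` is left unescaped in the new `<title>` line while the values around it get `|html`; the same pattern of bare identifiers persists in this commit at `supplierid=[% booksellerid %]` in the breadcrumb and `<h1>` hunks and at `booksellerid=[% basketgroups %]&basketgroupid=[% id %]` in the basket-group link. These are presumably integer database ids and therefore harmless, but nothing in the template enforces that, and applying the filter uniformly (`[% basketno|html %]`, `[% booksellerid|html %]`) costs nothing and removes the need to reason case by case about which variables are safe. If the ids are guaranteed numeric by the controller, a short comment saying so at the top of the template would document the exception.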
@@ -13,20 +13,14 @@
}
});
});
-//]]>
-</script>
-<script type="text/javascript">
-//<![CDATA[
+
function confirm_close() {
var is_confirmed = confirm(_('Are you sure you want to close this basket?'));
if (is_confirmed) {
window.location = "[% script_name %]?op=close&basketno=[% basketno %]";
}
}
-//]]>
- </script>
-<script type="text/javascript">
-//<![CDATA[
+
function confirm_deletion() {
var is_confirmed = confirm(_('Are you sure you want to delete this basket?'));
if (is_confirmed) {
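Review bot: Merging the three script blocks is fine, but the consolidated block still builds a URL inside a JavaScript string from unfiltered template values, `window.location = "[% script_name %]?op=close&basketno=[% basketno %]";`, and `|html` would be the wrong filter here anyway because the context is a JS string literal inside a query string, not HTML text. If `basketno` is always numeric this is harmless; otherwise the query-string value should go through the URI filter, `basketno=[% basketno|uri %]`, so a quote or ampersand in the value cannot terminate the string or inject extra parameters. `confirm_deletion()` continues past the end of this hunk, and the surrounding `//<![CDATA[` wrapper is outside the hunk, so I cannot confirm from here that the remaining open/close markers still pair up after the two inner pairs were removed.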
@@ -65,7 +59,7 @@
[% INCLUDE 'acquisitions-search.inc' %]
-<div id="breadcrumbs"><a href="/cgi-bin/koha/mainpage.pl">Home</a> › <a href="/cgi-bin/koha/acqui/acqui-home.pl">Acquisitions</a> › <a href="/cgi-bin/koha/acqui/supplier.pl?supplierid=[% booksellerid %]">[% name %]</a> › [% UNLESS ( basketno ) %]New [% END %][% IF ( delete_confirm ) %]Delete [% END %]Basket [% basketname %] ([% basketno %]) for [% name %]</div>
+<div id="breadcrumbs"><a href="/cgi-bin/koha/mainpage.pl">Home</a> › <a href="/cgi-bin/koha/acqui/acqui-home.pl">Acquisitions</a> › <a href="/cgi-bin/koha/acqui/supplier.pl?supplierid=[% booksellerid %]">[% name|html %]</a> › [% UNLESS ( basketno ) %]New [% END %][% IF ( delete_confirm ) %]Delete [% END %]Basket [% basketname|html %] ([% basketno %]) for [% name|html %]</div>
<div id="doc3" class="yui-t2">
@@ -141,7 +135,7 @@
<h3>Basket deleted</h3>
<META HTTP-EQUIV=Refresh CONTENT="0; url=booksellers.pl">
[% ELSE %]
- <h1>[% UNLESS ( basketno ) %]New [% END %][% IF ( delete_confirm ) %]Delete [% END %]Basket [% basketname %] ([% basketno %]) for <a href="supplier.pl?supplierid=[% booksellerid %]">[% name %]</a></h1>
+ <h1>[% UNLESS ( basketno ) %]New [% END %][% IF ( delete_confirm ) %]Delete [% END %]Basket [% basketname|html %] ([% basketno %]) for <a href="supplier.pl?supplierid=[% booksellerid %]">[% name|html %]</a></h1>
[% IF ( delete_confirm ) %]
<h2>
<span class="yui-button yui-link-button">
@@ -186,7 +180,7 @@
</p>
</form>
[% ELSE %]
- <a href="/cgi-bin/koha/acqui/basketgroup.pl?op=add&booksellerid=[% basketgroups %]&basketgroupid=[% id %]">[% name %]</a>
+ <a href="/cgi-bin/koha/acqui/basketgroup.pl?op=add&booksellerid=[% basketgroups %]&basketgroupid=[% id %]">[% name|html %]</a>
[% END %]
[% END %]
</div>
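Review bot: The new anchor line keeps a raw `&` inside the `href` attribute, `?op=add&booksellerid=[% basketgroups %]&basketgroupid=[% id %]`, which is exactly the class of validation error the commit message says motivated this patch; in an attribute value it should be written `&amp;`, the browser decodes it back to `&` before following the link. The rewritten line would be `<a href="/cgi-bin/koha/acqui/basketgroup.pl?op=add&amp;booksellerid=[% basketgroups %]&amp;basketgroupid=[% id %]">[% name|html %]</a>`. The `&` in the JavaScript `window.location` string earlier in the file does not need this treatment since it sits in script content, not in markup.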
@@ -305,7 +299,7 @@
<div id="closebasket_needsconfirmation" class="dialog alert">
<form action="/cgi-bin/koha/acqui/basket.pl" class="confirm">
- <h1>Are you sure you want to close basket [% basketname %]?</h1>
+ <h1>Are you sure you want to close basket [% basketname|html %]?</h1>
<p>
<label for="createbasketgroup">Attach this basket to a new basket group with the same name</label>
<input type="checkbox" id="createbasketgroup" name="createbasketgroup"/>
--
1.7.3