[Koha-bugs] [Bug 33144] Authority lookup in advanced editor overencodes HTML
bugzilla-daemon at bugs.koha-community.org
bugzilla-daemon at bugs.koha-community.org
Tue Mar 7 10:31:39 CET 2023
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=33144
Jonathan Druart <jonathan.druart+koha at gmail.com> changed:
What |Removed |Added
----------------------------------------------------------------------------
Attachment #147776|0 |1
is obsolete| |
--- Comment #3 from Jonathan Druart <jonathan.druart+koha at gmail.com> ---
Created attachment 147817
-->
https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=147817&action=edit
Bug 33144: Unescape text from authority lookup for advanced editor
While the basic editor is happy with an array of subfields it can
stuff into separate fields, the advanced editor needs to get a JS
string back from the authority lookup plugin, because it is going
to just add the whole thing as text. The string has to be HTML
entity encoded, both to not allow XSS and just to not break the
window, but it needs to then be unencoded before being inserted
into the editor.
Test plan:
1. Set the system preference EnableAdvancedCatalogingEditor to
Enable
2. Edit any Topical Term authority, and at the end of tag 150
subfield a, add & </script>
3. Cataloging - Advanced editor
4. Press return in the editor to get a new blank line, type 650
and press tab three times, then type Ctrl-Shift-L
5. Search for your modified authority, and click Choose
6. Verify that the tiny popup opened by the search window finished
its job and closed itself
7. Verify that your 650 now shows as "‡aAbduction &
</script>‡vDrama" rather than "‡aAbduction &
</script>‡vDrama."
Signed-off-by: Jonathan Druart <jonathan.druart at bugs.koha-community.org>
--
You are receiving this mail because:
You are watching all bug changes.
More information about the Koha-bugs
mailing list