[Koha-devel] Escaping single quotes in template variables

Fridolin SOMERS fridolin.somers at biblibre.com
Tue Jun 23 14:02:59 CEST 2015


Hi,

We had issues with single quotes in JS inside translation.
See http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=8942

I think we should use double-quotes everywhere in JS where we use TT 
vars and escape double-quotes inside those vars.

Regards,

On 23/06/2015 08:45, David Cook wrote:
> Hi all:
>
> It looks like we're not validating the data that goes into "cardnumber".
> This causes problems in at least one spot (in members-toolbar.inc, which is
> loaded by circulation.pl).
>
> If the cardnumber contains an apostrophe, you'll get an Uncaught SyntaxError
> in the javascript function confirm_reregistration.
>
> Unfortunately, using the "uri" filter won't fix this problem:
>
> "As of version 2.26 of the Template Toolkit, the uri and url filters use the
> unsafe character set defined by RFC3986. This means that certain characters
> ("(", ")", "~", "*", "!" and the single quote "'") are now deemed unsafe and
> will be escaped as hex character sequences. The double quote character ('"')
> is now deemed safe and will not be escaped"
> (http://template-toolkit.org/docs/manual/Filters.html#section_uri).
>
> The required version in Koha is 2.22 and the version in Debian appears to be
> 2.24. I'm currently using 2.25.
>
> So I'm not really sure where to go from here but here are some ideas:
>
> 1) Upgrade Template Toolkit to 2.26 (possibly not so easy from a Debian
> perspective [Robin might want to chime in on that one], and who knows what
> else has been changed between 2.24 and 2.26? The readme on Github isn't
> super comprehensive https://github.com/abw/Template2)
> 2) Replace the single quote in the template with an encoded single quote
> (not very elegant and possibly a bit annoying to maintain)
>
> 3) URI encode the data in the .pm or .pl (I'd rather not handle display
> template logic in the actual Perl. Plus, cardnumber is passed opaquely to
> the template via "$template->param(%$borrower);" at the moment)
>
> 4) Limit the data allowed as a cardnumber (this is probably the hardest
> thing to do because a borrower can be created in a few different ways, which
> might make reporting data validation errors more or less difficult.)
>
> 5) We could write our own Template Toolkit Filter class that escapes the
> most comprehensively
>
> What does the Koha brain trust think?
>
> David Cook
> Systems Librarian
> Prosentient Systems
> 72/330 Wattle St, Ultimo, NSW 2007
>

-- 
Fridolin SOMERS
Biblibre - Support and Systems Team
fridolin.somers at biblibre.com
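The failure David describes, and the escaping filter his option 5 and Fridolin's reply point towards, as an added example that is not code from this thread or from Koha. A real Koha fix would be a Template Toolkit filter in Perl applied where the variable is interpolated; the JavaScript below mirrors that logic so the breakage and the fix can be checked in one place. The `jsStringEscape`, `renderSnippet` and `compileAndRun` names and the card number `O'Brien-1234` are constructed for this illustration; the snippet shape loosely imitates the `confirm_reregistration` function from members-toolbar.inc but is not its actual source.

```javascript
// Added example (not Koha's own code): a JS-string escaping filter of the kind
// option 5 in the thread describes, plus a check that naive interpolation breaks.

// Escape a value so it can sit inside a JS string literal delimited by either
// single or double quotes. Quotes, angle brackets, ampersands and the U+2028/2029
// line terminators become \uXXXX sequences, so the result is safe whichever quote
// character the template author chose and cannot close an inline <script> early.
function jsStringEscape(value) {
  return String(value).replace(/[\\'"<>&\u2028\u2029\r\n\t]/g, (ch) => {
    switch (ch) {
      case '\\': return '\\\\';
      case '\r': return '\\r';
      case '\n': return '\\n';
      case '\t': return '\\t';
      default:
        return '\\u' + ch.charCodeAt(0).toString(16).padStart(4, '0');
    }
  });
}

// Stand-in for the template: emit a JS function whose body contains the card
// number as a single-quoted string literal. With escapeFn === null the value is
// dropped in unescaped, which is the situation the thread reports.
function renderSnippet(cardnumber, escapeFn) {
  const embedded = escapeFn ? escapeFn(cardnumber) : cardnumber;
  return "return function confirm_reregistration() {" +
         " var cardnumber = '" + embedded + "'; return cardnumber; };";
}

// Parse and run the generated snippet the way the browser would parse the inline
// script. A SyntaxError at parse time is reported rather than thrown.
function compileAndRun(snippet) {
  try {
    const fn = new Function(snippet)();
    return { ok: true, value: fn() };
  } catch (e) {
    return { ok: false, error: e.name };
  }
}

// Constructed sample card number containing an apostrophe.
const CONSTRUCTED_CARDNUMBER = "O'Brien-1234";

// Run both variants so the example is self-checking when executed directly.
const naiveResult = compileAndRun(renderSnippet(CONSTRUCTED_CARDNUMBER, null));
const safeResult = compileAndRun(renderSnippet(CONSTRUCTED_CARDNUMBER, jsStringEscape));
console.log('unescaped:', naiveResult); // SyntaxError, as in the bug report
console.log('escaped:  ', safeResult);  // ok, original value round-trips
```

The escaped variant round-trips the original value, which is why a JS-string filter is the right tool here and the `uri` filter is not: percent-encoding the apostrophe would indeed keep the script parsing, but the card number handed to `confirm_reregistration` would then be a different string from the one stored in the database.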
