https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=36385 --- Comment #1 from David Cook <dcook@prosentient.com.au> --- (In reply to Kyle M Hall from comment #0)
In staff-global.js, we have a function escape_str. This function only encodes a tiny subset of html characters. We should use https://github.com/mathiasbynens/he to encode the full set of html entities.
In theory, escape_str might work as a "HtmlAttributeEncode" method if it were to include double quotes, single quotes, ampersands, and angle brackets. But I think we're trying to use it in context where a full HTML entity encode is needed. Overall, I think we should be writing better Javascript, but adding layers of protection is useful I think. -- You are receiving this mail because: You are the assignee for the bug. You are watching all bug changes.