https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=37573 Bug ID: 37573 Summary: Bad escaping in OPACSearchForTitleIn breaks JS in <script> tags Change sponsored?: --- Product: Koha Version: Main Hardware: All OS: All Status: NEW Severity: minor Priority: P5 - low Component: OPAC Assignee: oleonard@myacpl.org Reporter: schodkowy.omegi-0r@icloud.com QA Contact: testopia@bugs.koha-community.org Suppose as the value of OPACSearchForTitleIn preference, you provide something like: ``` [...] <a href="https://openlibrary.org/search?author=({AUTHOR})&title=({TITLE})" target="_blank">Open Library (openlibrary.org)</a> <script> function test() { console.log("test!"); } test(); </script> ``` you will actually end up with: ``` <script> function test() test(); </script> ``` It seems that whatever parses the template arguments within {...} does so without consideration about possible other use of these brackets. What should actually happen, is that what's inside of brackets should only be replaced if it's a valid param such as {AUTHOR} etc, otherwise the argument should probably be ignored (or at the very least keep current behavior only if it passes some regex like \{[A-Z_]+\}... It actually looks like the removal was explicit: https://github.com/Koha-Community/Koha/blob/8ff9e665e4d275ac601ee5165ab4233a... Meaning that to keep this behavior, it'd be best to adjust the regex to be more conservative. Either that, or just junk that line altogether... -- You are receiving this mail because: You are watching all bug changes.