https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=37654 Bug ID: 37654 Summary: Batch record import needs to HTML-escape the Citation column Change sponsored?: --- Product: Koha Version: Main Hardware: All OS: All Status: NEW Severity: major Priority: P3 Component: Tools Assignee: koha-bugs@lists.koha-community.org Reporter: phil@chetcolibrary.org QA Contact: testopia@bugs.koha-community.org Created attachment 170412 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=170412&action=edit Sample record for HTML escaping After you stage a batch of records for import, they are displayed with a Citation column which contains the title and author. Those need to be HTML-escaped, both so that things like < will display correctly and so that your compromised vendor won't deliver a batch of XSS to you. Steps to reproduce: 1. Download the attached "Sample record for HTML escaping" 2. Cataloging - Stage records for import - Select the downloaded file - Upload file - Stage for import 3. When the background job completes, View batch - get an alert() from the bib title, note that the author name "Person" is a link. -- You are receiving this mail because: You are the assignee for the bug. You are watching all bug changes.