[Bug 2847] New: Use HTML escape in templates where appropriate
http://bugs.koha.org/cgi-bin/bugzilla/show_bug.cgi?id=2847 Summary: Use HTML escape in templates where appropriate Product: Koha Version: HEAD Platform: All OS/Version: All Status: NEW Severity: normal Priority: P1 Component: Templates AssignedTo: oleonard@myacpl.org ReportedBy: rick@praxis.com.au QAContact: koha-bugs@lists.koha.org The values of input fields, the names and values in tags in general, and the passing of data via HTML all require HTML escaping, i.e. translating < to < and " to ". Here is a concrete example of the HTML escape problem. 1. In the Modify Patron script members/memberentry.pl, the borrower attributes can be modified. And in the Admin area the attribute types (or codes) can be defined. 2. Create an attribute whose code is this: REF "B" 3. The attribute can be created but it cannot be modified, because the HTML for the modification script says this: <input ... value="REF "B""> The browser interprets the value as "REF ", not 'REF "B"' 4. Once that patron attribute code is in the system, all hell can break lose. The attributes for that patron can no longer be edited. The error message is something like the following in Koha/3.0: The following fields are wrong. Please fix them. * The attribute value REF /slarty is already is use by another patron record. The script should have been given REF "8" as the field name, but got "REF" instead. 5. The fix is to add the escape parameter to the TMPL_VAR tag: <input ... value="<!--TMPL_VAR Name="something" escape="html" -->" /> 6. Other tags present the same problem: <option> esp. the value= attribute of the tag In general, look for the following construct and add the escape="html" attribute to the TMPL_VAR tag: <whatever ... value="<!--TMPL_VAR Name="something"--> /> ------- You are receiving this mail because: ------- You are the QA contact for the bug, or are watching the QA contact.
participants (1)
-
bugzilla-daemon@pippin.metavore.com