[Koha-bugs] [Bug 2847] New: Use HTML escape in templates where appropriate

bugzilla-daemon at pippin.metavore.com bugzilla-daemon at pippin.metavore.com
Fri Dec 5 11:35:00 CET 2008


http://bugs.koha.org/cgi-bin/bugzilla/show_bug.cgi?id=2847

           Summary: Use HTML escape in templates where appropriate
           Product: Koha
           Version: HEAD
          Platform: All
        OS/Version: All
            Status: NEW
          Severity: normal
          Priority: P1
         Component: Templates
        AssignedTo: oleonard at myacpl.org
        ReportedBy: rick at praxis.com.au
         QAContact: koha-bugs at lists.koha.org


The values of input fields, the names and values in tags in general, and the
passing of data via HTML all require HTML escaping, i.e. translating < to &lt;
and " to &quot;.


Here is a concrete example of the HTML escape problem.

 1. In the Modify Patron script members/memberentry.pl, the borrower attributes
    can be modified. And in the Admin area the attribute types (or codes) can be
    defined.

 2. Create an attribute whose code is this: REF "B"

 3. The attribute can be created but it cannot be modified, because the HTML
    for the modification script says this: <input ... value="REF "B"">

    The browser interprets the value as "REF ", not 'REF "B"'

 4. Once that patron attribute code is in the system, all hell can break loose.
    The attributes for that patron can no longer be edited. The error message is
    something like the following in Koha/3.0:

        The following fields are wrong. Please fix them.
        * The attribute value REF /slarty is already is use by another patron
          record.

    The script should have been given REF "8" as the field name, but got "REF"
    instead.

 5. The fix is to add the escape parameter to the TMPL_VAR tag:

    <input ... value="<!--TMPL_VAR Name="something" escape="html" -->" />

 6. Other tags present the same problem:

    <option> esp. the value= attribute of the tag

    In general, look for the following construct and add the escape="html"
    attribute to the TMPL_VAR tag:

        <whatever ... value="<!--TMPL_VAR Name="something"-->" />
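The rendering difference from steps 3 and 5, and the audit from step 6, as an added Perl example (not Koha's own code; it assumes the HTML::Template module, which provides the TMPL_VAR syntax, is installed):

```perl
#!/usr/bin/perl
use strict;
use warnings;
use HTML::Template;

# Constructed template text for this example: the same <input> once without
# and once with the escape="html" parameter that the bug report recommends.
my $unsafe_tmpl = q{<input name="code" value="<!--TMPL_VAR Name="code" -->" />};
my $safe_tmpl   = q{<input name="code" value="<!--TMPL_VAR Name="code" escape="html" -->" />};

# render_input: fill the single TMPL_VAR of a template with an attribute code.
sub render_input {
    my ($tmpl_text, $code) = @_;
    my $t = HTML::Template->new(scalarref => \$tmpl_text);
    $t->param(code => $code);
    return $t->output;
}

# The attribute code from the report; the embedded quotes are the problem.
my $code = 'REF "B"';
print "unescaped: ", render_input($unsafe_tmpl, $code), "\n";
#   <input name="code" value="REF "B"" />        the browser stops at the 2nd quote
print "escaped:   ", render_input($safe_tmpl, $code), "\n";
#   <input name="code" value="REF &quot;B&quot;" />

# find_unescaped_value_vars: the search the report asks for in step 6, done
# with a regex over template text. Returns every value="<!--TMPL_VAR ...-->"
# that carries no escape= parameter (a constructed helper, not a Koha tool).
sub find_unescaped_value_vars {
    my ($template_text) = @_;
    my @hits;
    while ($template_text =~ /value="\s*(<!--\s*TMPL_VAR\b[^>]*?-->)/gi) {
        my $tag = $1;
        push @hits, $tag unless $tag =~ /\bescape\s*=/i;
    }
    return @hits;
}

# Constructed template excerpt: one fixed <input>, one still unescaped <option>.
my $excerpt = <<'TMPL';
<input type="text" name="code" value="<!--TMPL_VAR Name="code" escape="html" -->" />
<option value="<!--TMPL_VAR Name="authorised_value"-->">label</option>
TMPL

for my $tag (find_unescaped_value_vars($excerpt)) {
    print "missing escape=\"html\": $tag\n";
}
```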



