[Koha-bugs] [Bug 2847] New: Use HTML escape in templates where appropriate
bugzilla-daemon at pippin.metavore.com
Fri Dec 5 11:35:00 CET 2008
http://bugs.koha.org/cgi-bin/bugzilla/show_bug.cgi?id=2847
Summary: Use HTML escape in templates where appropriate
Product: Koha
Version: HEAD
Platform: All
OS/Version: All
Status: NEW
Severity: normal
Priority: P1
Component: Templates
AssignedTo: oleonard at myacpl.org
ReportedBy: rick at praxis.com.au
QAContact: koha-bugs at lists.koha.org
The values of input fields, the names and values in tags in general, and the passing of data via HTML all require HTML escaping, i.e. translating < to &lt; and " to &quot;.
Here is a concrete example of the HTML escape problem.
1. In the Modify Patron script members/memberentry.pl, the borrower attributes can be modified. And in the Admin area the attribute types (or codes) can be defined.
2. Create an attribute whose code is this: REF "B"
3. The attribute can be created but it cannot be modified, because the HTML for the modification script says this: <input ... value="REF "B"">
The browser interprets the value as "REF ", not 'REF "B"'.
4. Once that patron attribute code is in the system, all hell can break loose. The attributes for that patron can no longer be edited. The error message is something like the following in Koha/3.0:
The following fields are wrong. Please fix them.
* The attribute value REF /slarty is already is use by another patron record.
The script should have been given REF "8" as the field name, but got "REF" instead.
5. The fix is to add the escape parameter to the TMPL_VAR tag:
<input ... value="<!--TMPL_VAR Name="something" escape="html" -->" />
6. Other tags present the same problem:
<option> esp. the value= attribute of the tag
In general, look for the following construct and add the escape="html" attribute to the TMPL_VAR tag:
<whatever ... value="<!--TMPL_VAR Name="something"-->" />
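To make the difference between steps 3 and 5 concrete, and to give the search in step 6 a mechanical form, here is an added example that is not part of this bug report or of Koha's code. It assumes the HTML::Template module (whose TMPL_VAR syntax the report shows) is installed; the template strings and the sample attribute code are constructed for the demonstration, and find_unescaped_attr_vars is a hypothetical helper, not a Koha function.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use HTML::Template;

# Constructed template fragments: the same input field rendered once without
# and once with ESCAPE="HTML" on the TMPL_VAR tag.
my $unsafe_tmpl = q{<input type="text" name="code" value="<!-- TMPL_VAR NAME="something" -->" />};
my $safe_tmpl   = q{<input type="text" name="code" value="<!-- TMPL_VAR NAME="something" ESCAPE="HTML" -->" />};

# Render a template string with one parameter set, returning the HTML produced.
sub render {
    my ($tmpl_text, $value) = @_;
    my $t = HTML::Template->new(scalarref => \$tmpl_text);
    $t->param(something => $value);
    return $t->output;
}

# The attribute code from step 2 of the report: a value containing a double quote.
my $code = 'REF "B"';

# Without escaping the embedded quote terminates the value= attribute early,
# so the browser sees the value as 'REF ' (step 3 of the report).
print "unescaped: ", render($unsafe_tmpl, $code), "\n";

# With ESCAPE="HTML" the quote becomes &quot; and the attribute survives
# intact, which is the fix from step 5.
print "escaped:   ", render($safe_tmpl, $code), "\n";

# Audit helper for step 6: report TMPL_VAR tags that sit inside a quoted
# attribute value (value="...", name="...", and so on) but carry no ESCAPE
# attribute. It takes the template text as a string so it can be pointed at
# each file under a template tree in turn.
sub find_unescaped_attr_vars {
    my ($text) = @_;
    my @hits;
    my $line_no = 0;
    for my $line (split /\n/, $text) {
        $line_no++;
        # attribute="<!-- TMPL_VAR ... -->" ; the tag's own quotes are allowed
        # inside because the class excludes only '>' which first appears in "-->".
        while ($line =~ /\w+\s*=\s*"(<!--\s*TMPL_VAR\b[^>]*-->)"/gi) {
            my $tag = $1;
            push @hits, "$line_no: $tag" unless $tag =~ /\bESCAPE\s*=/i;
        }
    }
    return @hits;
}

# Constructed sample "template" holding one unescaped and one escaped tag.
my $sample = join "\n", $unsafe_tmpl, $safe_tmpl,
    q{<option value="<!--TMPL_VAR Name="itemtype"-->">text</option>};

for my $hit (find_unescaped_attr_vars($sample)) {
    print "needs escape=\"html\": $hit\n";
}
```

The scanner only reports the pattern from step 6 (a TMPL_VAR as the entire quoted attribute value); tags that are concatenated with literal text inside an attribute, or that are placed in element content rather than an attribute, still need the same treatment and are a separate search.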