[Koha-patches] [PATCH] Using "escape=html" on TMPL_VAR containing SQL to prevent HTML from breaking when SQL includes double-quotes.
Joe Atzberger
joe.atzberger at liblime.com
Wed Feb 25 20:08:59 CET 2009
Won't this make a statement like:
... where field > 1
into:
... where field &gt; 1
That would be sure to induce errors.
--Joe
On Wed, Feb 25, 2009 at 9:38 AM, Owen Leonard <oleonard at myacpl.org> wrote:
> ---
> .../en/modules/reports/guided_reports_start.tmpl | 8 ++++----
> 1 files changed, 4 insertions(+), 4 deletions(-)
>
> diff --git
> a/koha-tmpl/intranet-tmpl/prog/en/modules/reports/guided_reports_start.tmpl
> b/koha-tmpl/intranet-tmpl/prog/en/modules/reports/guided_reports_start.tmpl
> index a0450e3..bc45328 100644
> ---
> a/koha-tmpl/intranet-tmpl/prog/en/modules/reports/guided_reports_start.tmpl
> +++
> b/koha-tmpl/intranet-tmpl/prog/en/modules/reports/guided_reports_start.tmpl
> @@ -333,7 +333,7 @@ NAME="name" -->"><!-- TMPL_VAR
> NAME="name"--></label></td><td>
> </p>
>
> <form action="/cgi-bin/koha/reports/guided_reports.pl" method="post">
> -<input type="hidden" name="sql" value="<!-- TMPL_VAR NAME="sql" -->" />
> +<input type="hidden" name="sql" value="<!-- TMPL_VAR NAME="sql"
> ESCAPE="html" -->" />
> <input type="hidden" name="type" value="<!-- TMPL_VAR NAME="type" -->" />
> <p>You will need to save the report before you can execute it</p>
> <fieldset class="action"><input type="hidden" name="phase" value="Save" />
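Review bot: the ESCAPE="html" on the sql hidden input is the right escape for this context, and the commit message should explain why it does not corrupt the statement: HTML::Template's HTML escape rewrites the double quote, '<', '>' and '&' as character references inside the attribute value, and the browser decodes those references back before it serialises the form, so the value POSTed to guided_reports.pl is the original SQL even though the page source shows "&gt;". The "type" hidden input on the next context line still interpolates its TMPL_VAR unescaped; it deserves the same ESCAPE unless that value is known to come from a fixed set rather than from user input.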
> @@ -343,7 +343,7 @@ NAME="name" -->"><!-- TMPL_VAR
> NAME="name"--></label></td><td>
>
> <!-- TMPL_IF NAME="save" -->
> <form action="/cgi-bin/koha/reports/guided_reports.pl" method="post">
> -<input type="hidden" name="sql" value="<!-- TMPL_VAR NAME="sql" -->" />
> +<input type="hidden" name="sql" value="<!-- TMPL_VAR NAME="sql"
> ESCAPE="html" -->" />
> <input type="hidden" name="type" value="<!-- TMPL_VAR NAME="type" -->" />
> <fieldset class="rows">
> <legend>Save Your Custom Report</legend>
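Review bot: the hunk header context, NAME="name" -->"><!-- TMPL_VAR NAME="name"-->, shows another TMPL_VAR interpolated inside an attribute value without ESCAPE="html"; if "name" is the user-entered report name, a double quote in it ends that attribute exactly as it did for "sql". Worth applying the same ESCAPE there in this patch rather than leaving one free-text field in the form unescaped.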
> @@ -373,7 +373,7 @@ NAME="name" -->"><!-- TMPL_VAR
> NAME="name"--></label></td><td>
> <option value="csv">Comma Separated Text</option>
> <option value="tab">Tab Separated Text</option>
> </select>
> -<input type="hidden" name="sql" value="<!-- TMPL_VAR NAME="sql" -->" />
> +<input type="hidden" name="sql" value="<!-- TMPL_VAR NAME="sql"
> ESCAPE="html" -->" />
> <input type="hidden" name="phase" value="Export" />
> <input type="submit" name="submit" value="Download" /></fieldset>
> </form>
> @@ -472,7 +472,7 @@ Sub report:<select name="subreport">
> <!-- /TMPL_IF -->
> <!-- /TMPL_LOOP -->
> </div>
> -<input type="hidden" name="sql" value="<!-- TMPL_VAR NAME="sql" -->" />
> +<input type="hidden" name="sql" value="<!-- TMPL_VAR NAME="sql"
> ESCAPE="html" -->" />
> <input type="hidden" name="reportname" value="<!-- TMPL_VAR
> NAME="reportname" -->" />
> <input type="hidden" name="type" value="<!-- TMPL_VAR NAME="type" -->" />
> <input type="hidden" name="notes" value="<!-- TMPL_VAR NAME="notes" -->"
> />
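Review bot: the "reportname" and "notes" hidden inputs in this same form, on the context lines <input type="hidden" name="reportname" value="<!-- TMPL_VAR NAME="reportname" -->" /> and <input type="hidden" name="notes" value="<!-- TMPL_VAR NAME="notes" -->" />, remain unescaped while "sql" now is. "notes" in particular is free text typed by the person saving the report, so a double quote there truncates the attribute and drops the rest of the form's markup into the page in the same way this patch fixes for "sql"; suggest adding ESCAPE="html" to both in the same hunk.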
> --
> 1.5.5.GIT
>
>
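As an added example, not part of this thread and not Koha's own code, the following Python sketch shows the round trip the patch relies on: a hidden input rendered with its value HTML-escaped (standing in for HTML::Template's ESCAPE="html"), then parsed the way a browser parses a form before submitting it. The SQL statement is a constructed sample, and render_hidden_input, render_hidden_input_unescaped and submitted_fields are hypothetical helpers written for this illustration. It shows that the "&gt;" visible in the page source is decoded back to ">" when the form is submitted, and that without the escape a double quote in the value truncates the attribute.

```python
import html
from html.parser import HTMLParser

# Constructed sample value (not taken from the patch): SQL containing the
# characters that an HTML attribute escape rewrites: a double quote, '>' and '&'.
SAMPLE_SQL = 'SELECT title FROM biblio WHERE copyrightdate > 1 AND notes = "A & B"'


def render_hidden_input(name, value):
    """Render a hidden input as the patched template does: the value is
    HTML-escaped, so a literal '"' in the SQL cannot end the attribute."""
    return '<input type="hidden" name="%s" value="%s" />' % (
        html.escape(name, quote=True), html.escape(value, quote=True))


def render_hidden_input_unescaped(name, value):
    """The pre-patch rendering: the raw value is dropped into the attribute."""
    return '<input type="hidden" name="%s" value="%s" />' % (name, value)


class _InputCollector(HTMLParser):
    """Collects the attributes of every <input> start tag it sees."""

    def __init__(self):
        super().__init__()
        self.inputs = []

    def handle_starttag(self, tag, attrs):
        if tag == "input":
            self.inputs.append(dict(attrs))


def submitted_fields(markup):
    """Return the name -> value pairs a form built from `markup` would POST.
    HTMLParser decodes character references inside attribute values, which
    is what a browser does before it serialises the form, so '&gt;' reaches
    the server as '>'."""
    collector = _InputCollector()
    collector.feed(markup)
    collector.close()
    return {i.get("name"): i.get("value") for i in collector.inputs}


def round_trips(sql):
    """True when escaping on output and decoding on submission return the
    exact SQL that was rendered."""
    return submitted_fields(render_hidden_input("sql", sql))["sql"] == sql


if __name__ == "__main__":
    escaped = render_hidden_input("sql", SAMPLE_SQL)
    print(escaped)                    # page source shows &gt; and &quot;
    print(submitted_fields(escaped))  # the posted value is the original SQL
    # Unescaped: the '"' inside the SQL ends the attribute early.
    print(submitted_fields(render_hidden_input_unescaped("sql", SAMPLE_SQL)))
```

Run it as a script to see both renderings side by side; round_trips() is the check to keep in a test suite for any value that is echoed into an attribute.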