[Koha-patches] [PATCH] [3.4.x] Bug 2847 Use HTML escape in templates where appropriate

Owen Leonard oleonard at myacpl.org
Wed Nov 23 15:46:52 CET 2011


Fixes for output in a couple of acquisitions templates where
user-generated data should be escaped. These instances were found
by creating a vendor name like "Baker & Taylor" and finding
that the ampersand was not escaped, causing validation errors.

This patch also consolidates multiple <script> blocks which
do not need to be separate and corrects a couple of unclosed
<input> tags.
---
 .../prog/en/includes/acquisitions-search.inc       |    2 +-
 .../intranet-tmpl/prog/en/modules/acqui/basket.tt  |   20 +++++++-------------
 2 files changed, 8 insertions(+), 14 deletions(-)

diff --git a/koha-tmpl/intranet-tmpl/prog/en/includes/acquisitions-search.inc b/koha-tmpl/intranet-tmpl/prog/en/includes/acquisitions-search.inc
index dd3d325..87b6cd3 100644
--- a/koha-tmpl/intranet-tmpl/prog/en/includes/acquisitions-search.inc
+++ b/koha-tmpl/intranet-tmpl/prog/en/includes/acquisitions-search.inc
@@ -11,7 +11,7 @@
 	<p class="tip">Search orders:</p>
 	
 		<form action="/cgi-bin/koha/acqui/histsearch.pl" method="post">
-		<label for="title">Title: </label><input type="text" id="title" name="title" size="15" value="[% title %]" /> <label for="searchsupplier">Vendor:</label> <input type="text" id="searchsupplier" name="name" size="15" value="[% name %]" />
+		<label for="title">Title: </label><input type="text" id="title" name="title" size="15" value="[% title %]" /> <label for="searchsupplier">Vendor:</label> <input type="text" id="searchsupplier" name="name" size="15" value="[% name|html %]" />
 	<input value="Submit" class="submit" type="submit" /> <a href="/cgi-bin/koha/acqui/histsearch.pl">Advanced Search</a>
 	</form>
 	</div>	
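Review bot: On the added line, `value="[% title %]"` is still emitted unfiltered while `[% name %]` on the same line gains `|html`; the title search term is reflected into a quoted attribute exactly like the vendor name, so a value containing `&` or `"` produces the same malformed markup this commit fixes for the vendor field. Suggest `value="[% title|html %]"`. The Template Toolkit `html` filter escapes `"` as well as `& < >`, so it is sufficient for a double-quoted attribute.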
diff --git a/koha-tmpl/intranet-tmpl/prog/en/modules/acqui/basket.tt b/koha-tmpl/intranet-tmpl/prog/en/modules/acqui/basket.tt
index 2654303..369be61 100644
--- a/koha-tmpl/intranet-tmpl/prog/en/modules/acqui/basket.tt
+++ b/koha-tmpl/intranet-tmpl/prog/en/modules/acqui/basket.tt
@@ -1,5 +1,5 @@
 [% INCLUDE 'doc-head-open.inc' %]
-<title>Koha &rsaquo; Acquisitions &rsaquo; [% UNLESS ( basketno ) %]New [% END %][% IF ( delete_confirm ) %]Delete [% END %]Basket [% basketname %] ([% basketno %]) for [% name %]</title>
+<title>Koha &rsaquo; Acquisitions &rsaquo; [% UNLESS ( basketno ) %]New [% END %][% IF ( delete_confirm ) %]Delete [% END %]Basket [% basketname|html %] ([% basketno %]) for [% name|html %]</title>
 [% INCLUDE 'doc-head-close.inc' %]
 [% UNLESS ( closedate ) %]
 <script type="text/javascript" src="[% themelang %]/lib/jquery/plugins/jquery.tablesorter.min.js"></script>
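Review bot: `[% basketno %]` on the new title line is left without a filter, as are `[% basketno %]` and `[% booksellerid %]` in the breadcrumb and heading hunks (`@@ -65` and `@@ -141`). That is fine if they are integer ids from the database, which the template does not show; if they can arrive from request parameters, apply `|html` to them as well so that which variables are filtered does not depend on where a value originated. For the `href="...supplierid=[% booksellerid %]"` attributes the `uri` filter would be the appropriate choice if the value is ever non-numeric.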
@@ -13,20 +13,14 @@
             }
         });
     });
-//]]>
-</script>
-<script type="text/javascript">
-//<![CDATA[
+
             function confirm_close() {
                 var is_confirmed = confirm(_('Are you sure you want to close this basket?'));
                 if (is_confirmed) {
                     window.location = "[% script_name %]?op=close&basketno=[% basketno %]";
                 }
             }
-//]]>
-        </script>
-<script type="text/javascript">
-//<![CDATA[
+
             function confirm_deletion() {
                 var is_confirmed = confirm(_('Are you sure you want to delete this basket?'));
                 if (is_confirmed) {
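Review bot: After the consolidation, `confirm_close` sits at the top level of the single script element (the `$(document).ready` callback closes on the hunk's first lines), and its `window.location` assignment interpolates `[% script_name %]` and `[% basketno %]` into a JavaScript string literal, a context where `|html` would be the wrong filter. Presumably both are server-controlled, but since this commit is about where template variables are escaped, it is worth recording that here, e.g. `[%# script_name and basketno are interpolated into a JS string literal; the html filter does not escape for this context, so they must not come from user input %]`. The enclosing script element starts before this hunk.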
@@ -65,7 +59,7 @@
 [% INCLUDE 'acquisitions-search.inc' %]
 
 
-<div id="breadcrumbs"><a href="/cgi-bin/koha/mainpage.pl">Home</a> &rsaquo; <a href="/cgi-bin/koha/acqui/acqui-home.pl">Acquisitions</a> &rsaquo; <a href="/cgi-bin/koha/acqui/supplier.pl?supplierid=[% booksellerid %]">[% name %]</a> &rsaquo; [% UNLESS ( basketno ) %]New [% END %][% IF ( delete_confirm ) %]Delete [% END %]Basket [% basketname %] ([% basketno %]) for [% name %]</div>
+<div id="breadcrumbs"><a href="/cgi-bin/koha/mainpage.pl">Home</a> &rsaquo; <a href="/cgi-bin/koha/acqui/acqui-home.pl">Acquisitions</a> &rsaquo; <a href="/cgi-bin/koha/acqui/supplier.pl?supplierid=[% booksellerid %]">[% name|html %]</a> &rsaquo; [% UNLESS ( basketno ) %]New [% END %][% IF ( delete_confirm ) %]Delete [% END %]Basket [% basketname|html %] ([% basketno %]) for [% name|html %]</div>
 
 <div id="doc3" class="yui-t2">
 
@@ -141,7 +135,7 @@
             <h3>Basket deleted</h3>
             <META HTTP-EQUIV=Refresh CONTENT="0; url=booksellers.pl">
         [% ELSE %]
-        <h1>[% UNLESS ( basketno ) %]New [% END %][% IF ( delete_confirm ) %]Delete [% END %]Basket [% basketname %] ([% basketno %]) for <a href="supplier.pl?supplierid=[% booksellerid %]">[% name %]</a></h1>
+        <h1>[% UNLESS ( basketno ) %]New [% END %][% IF ( delete_confirm ) %]Delete [% END %]Basket [% basketname|html %] ([% basketno %]) for <a href="supplier.pl?supplierid=[% booksellerid %]">[% name|html %]</a></h1>
         [% IF ( delete_confirm ) %]
             <h2>
             <span class="yui-button yui-link-button">
@@ -186,7 +180,7 @@
                     </p>
                 </form>
                 [% ELSE %]
-                    <a href="/cgi-bin/koha/acqui/basketgroup.pl?op=add&amp;booksellerid=[% basketgroups %]&amp;basketgroupid=[% id %]">[% name %]</a>
+                    <a href="/cgi-bin/koha/acqui/basketgroup.pl?op=add&amp;booksellerid=[% basketgroups %]&amp;basketgroupid=[% id %]">[% name|html %]</a>
                 [% END %]
                 [% END %]
             </div>
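Review bot: The new line still builds the href from `booksellerid=[% basketgroups %]&amp;basketgroupid=[% id %]` without a filter, and a variable named `basketgroups` supplying `booksellerid` looks like a mismatch worth confirming against the script that populates this template. If these are not guaranteed integer ids, `[% basketgroups|uri %]` and `[% id|uri %]` are the right filters for query-string values, while `|html` remains correct for the link text.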
@@ -305,7 +299,7 @@
         <div id="closebasket_needsconfirmation" class="dialog alert">
 
         <form action="/cgi-bin/koha/acqui/basket.pl" class="confirm">
-            <h1>Are you sure you want to close basket [% basketname %]?</h1>
+            <h1>Are you sure you want to close basket [% basketname|html %]?</h1>
             <p>
             <label for="createbasketgroup">Attach this basket to a new basket group with the same name</label>
             <input type="checkbox" id="createbasketgroup" name="createbasketgroup"/>
-- 
1.7.3


