From: pines <pines@dcc99617-32d9-48b4-a31d-7c20da2025e4>
Date: Tue, 3 Oct 2006 23:46:16 +0000 (+0000)
Subject: escape text in xml
X-Git-Url: https://old-git.evergreen-ils.org/?a=commitdiff_plain;h=a2c6ac9aacbfd02ec1d52b352f3607888d864290;p=Evergreen.git

escape text in xml


git-svn-id: svn://svn.open-ils.org/ILS/trunk@6377 dcc99617-32d9-48b4-a31d-7c20da2025e4
---

diff --git a/Open-ILS/xul/staff_client/chrome/content/util/error.js b/Open-ILS/xul/staff_client/chrome/content/util/error.js
index 54c04db166..3507875348 100644
--- a/Open-ILS/xul/staff_client/chrome/content/util/error.js
+++ b/Open-ILS/xul/staff_client/chrome/content/util/error.js
@@ -321,7 +321,8 @@ util.error.prototype = {
 		this.sound.bad();
 
 
-		//FIXME - need to escape these values before embedding them into xml.. but window.escape was weird..
+		//FIMXE - is that good enough of an escape job?
+		s = s.replace(/&/g, '&amp;').replace(/</g, '&lt;').replace(/>/g, '&gt;');
 
 		var xml = '<vbox xmlns="http://www.mozilla.org/keymaster/gatekeeper/there.is.only.xul" xmlns:html="http://www.w3.org/1999/xhtml" flex="1">' 
 			+ '<groupbox flex="1" style="overflow: auto; border: solid thin red;"><caption label="' + (title) + '"/>';
diff --git a/Open-ILS/xul/staff_client/chrome/content/util/network.js b/Open-ILS/xul/staff_client/chrome/content/util/network.js
index 348672981b..5617560b96 100644
--- a/Open-ILS/xul/staff_client/chrome/content/util/network.js
+++ b/Open-ILS/xul/staff_client/chrome/content/util/network.js
@@ -301,10 +301,14 @@ util.network.prototype = {
 						'<groupbox><caption label="Exceptions"/>' + 
 						'<grid><columns><column/><column/></columns><rows>';
 					for (var i = 0; i < r.length; i++) {
+						var t1 = String(r[i].ilsevent).replace(/&/g,'&amp;').replace(/</g,'&lt;').replace(/>/g,'&gt;');
+						var t2 = String(r[i].textcode).replace(/&/g,'&amp;').replace(/</g,'&lt;').replace(/>/g,'&gt;');
+						var t3 = String((o_params.text[r[i].ilsevent] ? o_params.text[r[i].ilsevent](r[i]) : '')).replace(/&/g,'&amp;').replace(/</g,'&lt;').replace(/>/g,'&gt;');
+						var t4 = String(r[i].desc).replace(/&/g,'&amp;').replace(/</g,'&lt;').replace(/>/g,'&gt;');
 						xml += '<row>' + 
-							'<description style="color: red" tooltiptext="' + r[i].ilsevent + '">' + r[i].textcode + '</description>' + 
-							'<description>' + (o_params.text[r[i].ilsevent] ? o_params.text[r[i].ilsevent](r[i]) : '') + '</description>' + 
-							'</row><row>' + '<description>' + r[i].desc + '</description>' + '</row>';
+							'<description style="color: red" tooltiptext="' + t1 + '">' + t2 + '</description>' + 
+							'<description>' + t3 + '</description>' + 
+							'</row><row>' + '<description>' + t4 + '</description>' + '</row>';
 					}
 					xml += '</rows></grid></groupbox><groupbox><caption label="Override"/><hbox>' + 
 						'<description>Force this action?</description>' + 
diff --git a/Open-ILS/xul/staff_client/server/cat/util.js b/Open-ILS/xul/staff_client/server/cat/util.js
index a6c2faf6b3..6230b619ef 100644
--- a/Open-ILS/xul/staff_client/server/cat/util.js
+++ b/Open-ILS/xul/staff_client/server/cat/util.js
@@ -65,7 +65,7 @@ cat.util.transfer_copies = function(params) {
 			params.message += '"' + params.volume_label + '" on the following record (and change their circ libs to match)?';
 		}
 
-		xml += '<description>' + params.message + '</description>';
+		xml += '<description>' + params.message.replace(/&/g,'&amp;').replace(/</g,'&lt;').replace(/>/g,'&gt;') + '</description>';
 		xml += '<hbox><button label="Transfer" name="fancy_submit"/>';
 		xml += '<button label="Cancel" accesskey="C" name="fancy_cancel"/></hbox>';
 		xml += '<iframe style="overflow: scroll" flex="1" src="' + urls.XUL_BIB_BRIEF + '?docid=' + params.docid + '"/>';