From: Galen Charlton <gmc@equinoxOLI.org>
Date: Mon, 14 Jun 2021 15:34:51 +0000 (-0400)
Subject: LP#1930933: fix issue with over-escaping in search results title attributes
X-Git-Url: https://old-git.evergreen-ils.org/?a=commitdiff_plain;h=fdd6ece0082069d59c7851af78ec5e91e42b46c0;p=evergreen%2Fjoelewis.git

LP#1930933: fix issue with over-escaping in search results title attributes

This patch fixes an issue where a record with a title containing the word "hidden" can have its title, ironically enough, not show up on public catalog search results.

To test
-------
[1] Create an OPAC-visible record whose 245 is something like: =245 04$aThe hidden one <script>alert('title!')</script>
[2] Search for the record in both the TPAC and Bootstrap skin. Note that the title isn't displayed.
[3] Apply the patch and repeat step 2. This time, the full title should be displayed.
[4] Verify that the OPAC does not display an alert box.

Signed-off-by: Galen Charlton <gmc@equinoxOLI.org>
Signed-off-by: Jason Stephenson <jason@sigio.com>
Signed-off-by: Jeff Davis <jdavis@sitka.bclibraries.ca>
---
diff --git a/Open-ILS/src/templates-bootstrap/opac/parts/result/table.tt2 b/Open-ILS/src/templates-bootstrap/opac/parts/result/table.tt2
index e0af980386..48b0f12f70 100755
--- a/Open-ILS/src/templates-bootstrap/opac/parts/result/table.tt2
+++ b/Open-ILS/src/templates-bootstrap/opac/parts/result/table.tt2
@@ -104,7 +104,7 @@
 [% END %]
 <a class='record_title search_link' id='record_[% rec.id %]'
 href="[% mkurl(record_url_path, add_parms, del_parms); %]"
- [% html_text_attr('title', l('Display record details for "[_1]"', attrs.title)) | html %]>
+ [% html_text_attr('title', l('Display record details for "[_1]"', attrs.title)) %]>
 [% IF attrs.hl.title; attrs.hl.title; ELSE; attrs.title | html; END %]
 </a>
 <span class="mx-2">
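Review bot: The added line now relies entirely on html_text_attr() escaping the value it emits, but nothing at the call site records that contract, so the `| html` that produced the double-escaping can easily be re-added by a later editor. A short Template Toolkit comment before the first such call, `[%# html_text_attr() already HTML-escapes its value; do not add "| html" here, it breaks the attribute %]`, would make it explicit; the same applies to the other html_text_attr() calls changed in this file (the @@ -379, @@ -393 and @@ -444 hunks) and in the TPAC table.tt2 (@@ -132, @@ -463, @@ -475, @@ -484, @@ -525). The mechanism is not stated in the hunk, but a doubly-escaped `title=&quot;…&quot;` presumably leaves the remaining words of the title to be parsed as stray attribute names, which is why a title containing `hidden` made the link text disappear. The context line `[% IF attrs.hl.title; attrs.hl.title; ELSE; attrs.title | html; END %]` still emits the highlighted title unfiltered; that is pre-existing, but it depends on the highlighter escaping the non-markup text itself and is worth confirming alongside test step [4].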
@@ -379,7 +379,7 @@
 <!--Place Hold Button -->
 <a role="button"
 href="[% mkurl(ctx.opac_root _ '/place_hold', add_parms, del_parms) %]"
- [% html_text_attr('title', l('Place Hold on [_1]', attrs.title)) | html %]
+ [% html_text_attr('title', l('Place Hold on [_1]', attrs.title)) %]
 class="btn btn-action" rel="nofollow" vocab="">
 <i class="fas fa-check" aria-hidden="true"></i>
 <span class="result_place_hold">[% l('Place Hold') %]</span>
@@ -393,14 +393,14 @@
 <a href="[% mkurl(ctx.opac_root _ '/myopac/ebook_checkout', {title => args.ebook.ebook_id, vendor => args.ebook.vendor, action => 'checkout'}, ['query','tag','subfield','term','_special','sort','page']) %]"
- [% html_text_attr('title', l('Check Out [_1]', attrs.title)) | html %]
+ [% html_text_attr('title', l('Check Out [_1]', attrs.title)) %]
 class="btn btn-action" role="button" rel="nofollow" vocab=""><i class="fas fa-atlas" aria-hidden="true"></i> <span class="result_place_hold">[% l('Check Out E-Item') %]</span></a> <a href="[% mkurl(ctx.opac_root _ '/myopac/ebook_place_hold', {title => args.ebook.ebook_id, vendor => args.ebook.vendor, action => 'place_hold'}, ['query','tag','subfield','term','_special','sort','page']) %]"
- [% html_text_attr('title', l('Place Hold on [_1]', attrs.title)) | html %]
+ [% html_text_attr('title', l('Place Hold on [_1]', attrs.title)) %]
 class="btn btn-action" role="button" rel="nofollow" vocab=""><i class="fas fa-book-reader" aria-hidden="true"></i> <span class="result_place_hold">[% l('Place Hold on E-Item') %]</span></a> [%- END -%]
@@ -444,7 +444,7 @@
 [% ident = attrs.isbn_clean || attrs.upc %] <a target='_blank'
- [% html_text_attr('title', l('Reviews and More for [_1]', attrs.title)) | html %]
+ [% html_text_attr('title', l('Reviews and More for [_1]', attrs.title)) %]
 href="[% ctx.ext_proto %]://contentcafe2.btol.com/ContentCafeClient/ContentCafe.aspx?UserID=[%- ENV.OILS_CONTENT_CAFE_USER %]&Password=[%- ENV.OILS_CONTENT_CAFE_PASS %]&ItemKey=[% ident | uri %]&Options=Y" rel="nofollow" vocab="">
diff --git a/Open-ILS/src/templates/opac/parts/result/table.tt2 b/Open-ILS/src/templates/opac/parts/result/table.tt2
index 25e4559eda..00577f5562 100644
--- a/Open-ILS/src/templates/opac/parts/result/table.tt2
+++ b/Open-ILS/src/templates/opac/parts/result/table.tt2
@@ -132,7 +132,7 @@
 [% END %]
 <a class='record_title search_link' name='record_[% rec.id %]'
 href="[% mkurl(record_url_path, add_parms, del_parms); %]"
- [% html_text_attr('title', l('Display record details for "[_1]"', attrs.title)) | html%]>
+ [% html_text_attr('title', l('Display record details for "[_1]"', attrs.title)) %]>
 [% IF attrs.hl.title; attrs.hl.title; ELSE; attrs.title | html; END %]
 </a>
 [% IF rec.mr_constituent_count.defined && rec.mr_constituent_count > 1 %]
@@ -463,7 +463,7 @@ END;
 <div class="results_aux_utils place_hold"><a href="[% mkurl(ctx.opac_root _ '/place_hold', add_parms, del_parms) %]"
- [% html_text_attr('title', l('Place Hold on [_1]', attrs.title)) | html %]
+ [% html_text_attr('title', l('Place Hold on [_1]', attrs.title)) %]
 class="no-dec" rel="nofollow" vocab=""><img src="[% ctx.media_prefix %]/images/green_check.png[% ctx.cache_key %]" alt=""/><span class="result_place_hold">[% l('Place Hold') %]</span></a>
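Review bot: The Bootstrap ContentCafe link in the @@ -444 hunk opens with `target='_blank'` but its trailing context line carries only `rel="nofollow" vocab=""`, whereas the TPAC counterpart in the @@ -525 hunk has `rel="noopener nofollow" vocab=""`; the two skins should match, `rel="noopener nofollow" vocab="">`, so the third-party page gets no window.opener reference in browsers that do not imply noopener. Unrelated to the escaping fix but on the same lines: the href interpolates `ENV.OILS_CONTENT_CAFE_USER` and `ENV.OILS_CONTENT_CAFE_PASS` without the `| uri` filter that `ident` gets, so a value containing `&`, `"` or `%` would corrupt the attribute, and an access credential rendered into a public href is readable by every catalogue visitor, which presumably is a constraint of the vendor API but deserves a comment saying so. The `<a>` element for this link is not closed inside the hunk.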
@@ -475,7 +475,7 @@ END;
 <a href="[% mkurl(ctx.opac_root _ '/myopac/ebook_checkout', {title => args.ebook.ebook_id, vendor => args.ebook.vendor, action => 'checkout'}, ['query','tag','subfield','term','_special','sort','page']) %]"
- [% html_text_attr('title', l('Check Out [_1]', attrs.title)) | html %]
+ [% html_text_attr('title', l('Check Out [_1]', attrs.title)) %]
 class="no-dec" rel="nofollow" vocab=""><img src="[% ctx.media_prefix %]/images/green_check.png[% ctx.cache_key %]" alt=""/><span class="result_place_hold">[% l('Check Out E-Item') %]</span></a>
@@ -484,7 +484,7 @@ END;
 <a href="[% mkurl(ctx.opac_root _ '/myopac/ebook_place_hold', {title => args.ebook.ebook_id, vendor => args.ebook.vendor, action => 'place_hold'}, ['query','tag','subfield','term','_special','sort','page']) %]"
- [% html_text_attr('title', l('Place Hold on [_1]', attrs.title)) | html %]
+ [% html_text_attr('title', l('Place Hold on [_1]', attrs.title)) %]
 class="no-dec" rel="nofollow" vocab=""><img src="[% ctx.media_prefix %]/images/green_check.png[% ctx.cache_key %]" alt=""/><span class="result_place_hold">[% l('Place Hold on E-Item') %]</span></a>
@@ -525,7 +525,7 @@ END;
 [% ident = attrs.isbn_clean || attrs.upc %] <div class="results_aux_utils result_util"> <a target='_blank'
- [% html_text_attr('title', l('Reviews and More for [_1]', attrs.title)) | html %]
+ [% html_text_attr('title', l('Reviews and More for [_1]', attrs.title)) %]
 href="[% ctx.ext_proto %]://contentcafe2.btol.com/ContentCafeClient/ContentCafe.aspx?UserID=[%- ENV.OILS_CONTENT_CAFE_USER %]&Password=[%- ENV.OILS_CONTENT_CAFE_PASS %]&ItemKey=[% ident | uri %]&Options=Y" rel="noopener nofollow" vocab="">