From 871cbc482a04be9b822311dbf5298aa6a42cf9b6 Mon Sep 17 00:00:00 2001 From: Bill Erickson Date: Wed, 17 Jun 2015 13:27:05 -0400 Subject: [PATCH] LP#1446816 HTML-escape notes in XUL patron alert page Avoid rendering HTML contained in patron messages, etc. in the XUL patron stop-sign page. Thanks to Jason Etheridge, ESI for noting this problem and contributing the original patch fix. Signed-off-by: Bill Erickson Signed-off-by: Ben Shum --- Open-ILS/xul/staff_client/server/patron/display.js | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/Open-ILS/xul/staff_client/server/patron/display.js b/Open-ILS/xul/staff_client/server/patron/display.js index 87b50e2ec6..ba8a5b4317 100644 --- a/Open-ILS/xul/staff_client/server/patron/display.js +++ b/Open-ILS/xul/staff_client/server/patron/display.js @@ -960,7 +960,7 @@ patron.display.prototype = { obj._already_defaulted_once = true; var msg = ''; obj.stop_checkouts = false; if (patron.alert_message()) - msg += $("patronStrings").getFormattedString('staff.patron.display.init.network_request.alert_message', [patron.alert_message()]) + '

'; + msg += $("patronStrings").getFormattedString('staff.patron.display.init.network_request.alert_message', [(patron.alert_message()).replace(//g,'>')]) + '

'; //alert('obj.barcode = ' + obj.barcode); if (obj.barcode) { if (patron.cards()) for (var i = 0; i < patron.cards().length; i++) { @@ -1020,9 +1020,9 @@ patron.display.prototype = { dl_flag_opened = true; } msg += '
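Review bot: The escaping is written out inline as a `.replace()` chain on the added `msg +=` line here and again on the two added lines of the second hunk (the penalty label and `penalties[i].note()`), and as far as this page shows only angle brackets are replaced; the regex literals are lost in this rendering, so that reading is inferred. `&` appears to pass through unescaped, so a note containing the text `&lt;` would display as `<` rather than literally, and a stray `&` could break rendering if the alert page is parsed as XML. One helper called at all three sites would close that gap and keep the rule in one place, for example `function escape_html(s) { return String(s).replace(/&/g,'&amp;').replace(/</g,'&lt;').replace(/>/g,'&gt;'); }`. The enclosing function begins and ends outside this hunk.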
'; - msg += obj.OpenILS.data.hash.aou[ penalties[i].org_unit() ].shortname() + ' : ' + penalties[i].standing_penalty().label() + '
'; + msg += (obj.OpenILS.data.hash.aou[ penalties[i].org_unit() ].shortname() + ' : ' + penalties[i].standing_penalty().label()).replace(//g,'>') + '
'; msg += '
'; - msg += (penalties[i].note())?penalties[i].note():''; + msg += ((penalties[i].note())?penalties[i].note():'').replace(//g,'>'); msg += '
'; } } -- 2.11.0
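Review bot: Nothing in this hunk records why the penalty label and note are escaped while the neighbouring `msg += '...'` markup lines are appended raw, so a later change that adds another patron- or staff-entered field to `msg` can easily reintroduce the injection. A comment above the penalty loop would make the invariant explicit, e.g. `// msg is rendered as HTML on the patron alert page: escape every value taken from patron or staff data; only markup literals are appended raw`. The loop and the code that consumes `msg` lie outside this hunk, so any other fields concatenated into `msg` there (not visible here) deserve the same check. The note expression could also be shortened to `(penalties[i].note() || '')` before escaping, which avoids calling the accessor twice.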