From c618967c1bbf1c90b863597f0dd8b40a7df70411 Mon Sep 17 00:00:00 2001
From: Jeff Davis
Date: Tue, 13 Apr 2021 16:05:41 -0700
Subject: [PATCH] LP#1923225: fix handling of untruncated display fields in accordion
A previous commit used the TT2 "html" filter to escape strings to which the accordion macro is applied, but which don't get truncated. But that's incompatible with display fields, which contain embedded HTML and therefore shouldn't be escaped in that way. This commit uses HTML::Defang on untruncated accordion input instead (which is consistent with how truncated strings are handled by the same macro).
Signed-off-by: Jeff Davis
Signed-off-by: Galen Charlton
---
 Open-ILS/src/perlmods/lib/OpenILS/WWW/EGCatLoader/Util.pm | 6 ++++++
 Open-ILS/src/templates/opac/parts/misc_util.tt2 | 4 ++--
 2 files changed, 8 insertions(+), 2 deletions(-)
diff --git a/Open-ILS/src/perlmods/lib/OpenILS/WWW/EGCatLoader/Util.pm b/Open-ILS/src/perlmods/lib/OpenILS/WWW/EGCatLoader/Util.pm
index 064c9b8b32..5e2e320d64 100644
--- a/Open-ILS/src/perlmods/lib/OpenILS/WWW/EGCatLoader/Util.pm
+++ b/Open-ILS/src/perlmods/lib/OpenILS/WWW/EGCatLoader/Util.pm
@@ -134,6 +134,12 @@ sub init_ro_object_cache {
 return (grep {$_->shortname eq $sn} @$list)[0];
 };
+ # Defang an HTML string
+ $locale_subs->{defang_string} = sub {
+ my $html = shift;
+ return $defang->defang($html);
+ };
+
 # Turns one string into two for long text strings
 $locale_subs->{split_for_accordion} = sub {
 my $html = shift;
diff --git a/Open-ILS/src/templates/opac/parts/misc_util.tt2 b/Open-ILS/src/templates/opac/parts/misc_util.tt2
index fd7c0104e5..7dd4950748 100644
--- a/Open-ILS/src/templates/opac/parts/misc_util.tt2
+++ b/Open-ILS/src/templates/opac/parts/misc_util.tt2
@@ -879,7 +879,7 @@
 [% END -%]
 [% MACRO accordion(str, trunc_length, element) BLOCK;
 IF truncate_contents != 1;
- str | html;
+ ctx.defang_string(str);
 ELSE;
 UNLESS trunc_length;
 trunc_length = contents_truncate_length || 100;
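Review bot: The new `defang_string` closure passes its argument straight to `$defang->defang($html)` with no guard for an undefined value, although the template now calls it for every untruncated string. Whether HTML::Defang tolerates undef is not visible here, so a guard such as `return '' unless defined $html;` before the call would make the empty-field case explicit. The comment `# Defang an HTML string` could also state the contract, for example `# Sanitise an HTML fragment; the result is emitted unescaped by the accordion macro, so its safety depends on how $defang is configured`. `$defang` is created outside this hunk and `init_ro_object_cache` continues past it, so the sanitiser's configuration could not be checked from here.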
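Review bot: Replacing `str | html` with `ctx.defang_string(str)` changes the output contract of `accordion` for every caller, not only display fields, and the same swap is repeated in the hunk at -892. A plain-text value containing `<`, `>` or `&` was previously entity-escaped and is now passed through the sanitiser as markup. Whether any caller passes non-HTML or patron-supplied text cannot be told from these hunks, so the call sites are worth auditing. A comment above the macro such as `# str must already be HTML; output is defanged, not entity-escaped` would record the new expectation. The macro body runs past this hunk.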
@@ -892,7 +892,7 @@ END; str; ELSE;
- str | html;
+ ctx.defang_string(str);
 END; END; END; %]
--
2.11.0