From c96701625db933b4f2862ae1660644bb7d3ab9fa Mon Sep 17 00:00:00 2001
From: miker <miker@dcc99617-32d9-48b4-a31d-7c20da2025e4>
Date: Mon, 12 Apr 2010 15:00:29 +0000
Subject: [PATCH] Patch from Galen Charlton: This patch adds additional calls to escape_xml to handle cases where patron or library data could contain ampersand or other characters that need to be converted to entities. Issue discovered by Bibliomation; patch includes contributions by Ben Ostrowsky.
git-svn-id: svn://svn.open-ils.org/ILS/trunk@16204 dcc99617-32d9-48b4-a31d-7c20da2025e4
---
 Open-ILS/examples/templates/overdue_combined_xml.example | 16 ++++++++--------
 1 file changed, 8 insertions(+), 8 deletions(-)
diff --git a/Open-ILS/examples/templates/overdue_combined_xml.example b/Open-ILS/examples/templates/overdue_combined_xml.example
index 3388137b6f..aaf861bded 100644
--- a/Open-ILS/examples/templates/overdue_combined_xml.example
+++ b/Open-ILS/examples/templates/overdue_combined_xml.example
@@ -15,26 +15,26 @@
 [%- IF !user_addr or user_addr.valid == 'f'; NEXT; END; %]
 <notice type='overdue' notify_interval='[% circ_set.notice.notify_interval %]'>
 <patron>
- <barcode>[% user.card.barcode %]</barcode>
- <first_given_name>[% user.first_given_name %]</first_given_name>
- <family_name>[% user.family_name %]</family_name>
+ <barcode>[% escape_xml(user.card.barcode) %]</barcode>
+ <first_given_name>[% escape_xml(user.first_given_name) %]</first_given_name>
+ <family_name>[% escape_xml(user.family_name) %]</family_name>
 <addr_street1>[% escape_xml(user_addr.street1) %]</addr_street1>
 <addr_street2>[% escape_xml(user_addr.street2) %]</addr_street2>
 <addr_city>[% escape_xml(user_addr.city) %]</addr_city>
- <addr_state>[% user_addr.state %]</addr_state>
- <addr_post_code>[% user_addr.post_code %]</addr_post_code>
+ <addr_state>[% escape_xml(user_addr.state) %]</addr_state>
+ <addr_post_code>[% escape_xml(user_addr.post_code) %]</addr_post_code>
 <email>[% escape_xml(user.email) %]</email>
 <sys_id>[% user.id %]</sys_id>
 </patron>
 <location>
 <name>[% escape_xml(lib.name) %]</name>
 <shortname>[% escape_xml(lib.shortname) %]</shortname>
- <phone>[% lib.phone %]</phone>
+ <phone>[% escape_xml(lib.phone) %]</phone>
 <addr_street1>[% escape_xml(lib_addr.street1) %]</addr_street1>
 <addr_street2>[% escape_xml(lib_addr.street2) %]</addr_street2>
 <addr_city>[% escape_xml(lib_addr.city) %]</addr_city>
- <addr_state>[% lib_addr.state %]</addr_state>
- <addr_post_code>[% lib_addr.post_code %]</addr_post_code>
+ <addr_state>[% escape_xml(lib_addr.state) %]</addr_state>
+ <addr_post_code>[% escape_xml(lib_addr.post_code) %]</addr_post_code>
 <email>[% escape_xml(lib.email) %]</email>
 <sys_id>[% lib.id %]</sys_id>
 </location>
-- 
2.11.0
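Review bot: Three interpolations in this hunk are still emitted raw: `circ_set.notice.notify_interval` inside the single-quoted `notify_interval` attribute on the `<notice>` line, and `user.id` / `lib.id` in the two `<sys_id>` elements. These are probably staff- or system-controlled values, but escaping every interpolation keeps the output well-formed by construction rather than field by field, e.g. `<sys_id>[% escape_xml(user.id) %]</sys_id>` and `<sys_id>[% escape_xml(lib.id) %]</sys_id>`. For the attribute, `notify_interval='[% escape_xml(circ_set.notice.notify_interval) %]'` is only sufficient if `escape_xml` also encodes quote characters, which is not visible here and should be confirmed. The template continues outside the hunk, so any interpolations above line 15 or below `</location>` need the same check.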