<html>
<head>
<style>
.hmmessage P
{
margin:0px;
padding:0px
}
body.hmmessage
{
FONT-SIZE: 10pt;
FONT-FAMILY:Tahoma
}
</style>
</head>
<body class='hmmessage'>
Yes, I am - 3.0alpha. And I may have been too optimistic with the changes I made. For example, here's my experiment with opac-results.tmpl.<br><br>1) I had a record entered with the somewhat silly title (245a) of "One Two &lt;Three&gt; Four", with a general note (500a) of "Here is a note". When I did a search for "note" in the OPAC, this record came up in the search results with the title displayed as "One Two Four" (i.e. &lt;Three&gt; was unescaped and treated as a tag, and not displayed as literal text).<br><br>2) Next, I went into opac-results.tmpl, found the appropriate &lt;!-- TMPL_VAR NAME="title" --&gt; line and changed it to &lt;!-- TMPL_VAR NAME="title" ESCAPE="HTML" --&gt;. When I reloaded the search results page, the title was correctly displayed as "One Two &lt;Three&gt; Four" as I had hoped. So far, so good.<br><br>3) But next, I did a search for "Two" - i.e. a word that appears in the title of the book. This time, the search results displayed the following: One &lt;span class="term"&gt;Two&lt;/span&gt; &lt;Three&gt; Four<br><br>With that, I discovered that HTML appears to sometimes be injected into tags like "title" (in order to highlight the word or whatever), and that simply escaping that variable wasn't going to work.<br><br>Ideally, the variable would be retrieved from the DB, HTML-escaped, then wrapped in whatever other HTML tags need to be included, and rendered.<br><br>Practically... I have no idea how to do that. I guess we're just going to have to do our best to work around it.<br><br><blockquote><hr>Date: Fri, 7 Mar 2008 08:20:57 +1300<br>From: chris@bigballofwax.co.nz<br>To: g_adams27@hotmail.com<br>Subject: Re: [Koha] HTML not being encoded for display?<br>CC: koha@lists.katipo.co.nz<br><br>Are you working with Koha 3 George?<br><br>Chris<br><br><div><span class="EC_gmail_quote">On 3/7/08, <b class="EC_gmail_sendername">George Adams</b> &lt;<a href="mailto:g_adams27@hotmail.com">g_adams27@hotmail.com</a>&gt; wrote:</span><blockquote class="EC_gmail_quote" style="padding-left: 1ex;">
<div>
Thanks for the tip about adding ESCAPE="HTML" to the template tags - that's a nice feature. I've been able to change additem.tmpl, opac-results.tmpl, opac-detail.tmpl and opac-MARCdetail.tmpl to make our entries display correctly. (That only scratches the surface, of course; I'm guessing that the Right Thing would be to change pretty much every single template that displays any user-generated content so that it's escaped. But I'm also guessing that's a big undertaking.)<br>
<br><br><blockquote><hr>Date: Thu, 6 Mar 2008 19:15:42 +1300<br>From: <a href="mailto:chris@bigballofwax.co.nz">chris@bigballofwax.co.nz</a><br>To: <a href="mailto:g_adams27@hotmail.com">g_adams27@hotmail.com</a><span class="q"><br>
Subject: Re: [Koha] HTML not being encoded for display?<br></span>CC: <a href="mailto:koha@lists.katipo.co.nz">koha@lists.katipo.co.nz</a><div><span class="EC_e" id="EC_q_1188552793720e1f_3"><br>
<br><br><br><div><span>On 3/6/08, <b>George Adams</b> &lt;<a href="mailto:g_adams27@hotmail.com">g_adams27@hotmail.com</a>&gt; wrote:</span><blockquote style="padding-left: 1ex;">
<div>
Joe, it's not just malicious activity I'm worried about (though that is a fundamental security concern). Unencoded HTML can break a page with frightening ease. Take this simple field:<br>
<br>&lt;input type="text" name="booktitle" value="$title"&gt;<br><br>Now if $title has the value: How to Say "I Love You" in 50 Languages, your HTML code will be rendered like this:<br>
<br>&lt;input type="text" name="booktitle" value="How to Say "I Love You" in 10 Languages&gt;<br><br>and is now hopelessly broken. The CGI param $booktitle will contain "How to Say ", and the rest of the book title (in addition to breaking the HTML tag) will be lost.</div>
</blockquote><div><br><br>Yep if you find any instances of this happening bug report it (this of course isn't what I would call unencoded HTML).<br></div><br><blockquote style="padding-left: 1ex;">
<div>I can hardly expect all the library staff to remember not to use double-quotes in any Koha text form (or any other unsafe characters like &lt; , &gt; or &amp; ). Indeed, should they really be forced to give up such common characters just to work around the problem?</div>
</blockquote><div><br>No, and in fact they don't <br><a href="http://203.97.214.51:8080/cgi-bin/koha/opac-detail.pl?biblionumber=2" target="_blank">http://203.97.214.51:8080/cgi-bin/koha/opac-detail.pl?biblionumber=2</a><br>
</div><br>
<blockquote style="padding-left: 1ex;"><div>I think I'll try mocking up something with HTML::Entities, at least in the most critical parts of the "Add Marc Item" form. Meanwhile, if no one objects, I'll put in a bug report for it too.</div>
</blockquote><div><br>If you put in a bug report for specific areas where unescaped HTML is causing a problem, then we can simply edit the templates to add an ESCAPE="HTML" to the TMPL_VAR that needs it.<br>Please don't convert things to entities to store in the database. This data is used by more than just web browsers.<br>
<br>So by all means bug report away, but if you give URLs of pages where unescaped characters are causing problems then it will be much more useful.<br><br>Thanks<br><br>Chris<br></div><br></div><br>
</span></div></blockquote></div>
</blockquote></div><br>
</blockquote></body>
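<p>The escape-then-wrap ordering George asks for above, as an added example that is not part of this thread and not Koha's own code (Koha's templates are Perl/HTML::Template; this is a Python illustration of the same pattern). The function names, the search-term highlighting helper and the sample titles are constructed for the illustration; only the titles themselves come from the thread. It shows both failure modes discussed: a double quote breaking an attribute when the raw value is dropped into the template, and the highlight span being escaped into literal text when markup is injected into the variable before the template's ESCAPE="HTML" runs.</p>

```python
import html
import re

# Constructed sample data, using the titles discussed in the thread.
QUOTED_TITLE = 'How to Say "I Love You" in 50 Languages'
TAGGED_TITLE = 'One Two <Three> Four'


def naive_title_attr(title):
    """The broken pattern from the thread: the raw DB value is dropped into
    an attribute, so a double quote in the title ends the attribute early."""
    return '<input type="text" name="booktitle" value="%s">' % title


def safe_title_attr(title):
    """Same tag with the value escaped for an attribute context; quote=True
    turns '"' into &quot; so the browser sees one complete attribute."""
    return '<input type="text" name="booktitle" value="%s">' % html.escape(title, quote=True)


def highlight_then_escape(title, term):
    """The order George observed: the search term is wrapped in a span
    *before* the value reaches the template, so escaping the variable at the
    template layer also escapes the span markup and the user sees literal
    <span> text on the page."""
    marked = re.sub(re.escape(term),
                    lambda m: '<span class="term">%s</span>' % m.group(0),
                    title, flags=re.IGNORECASE)
    return html.escape(marked, quote=True)


def escape_then_highlight(title, term):
    """The order the thread asks for: locate the term in the raw title,
    escape each piece of text on its own, and only then add the span markup.
    Matching on the raw title rather than on escaped text means a term such
    as 'amp' cannot match inside an '&amp;' entity, and an empty term is a
    no-op instead of matching at every position."""
    if not term:
        return html.escape(title, quote=True)
    pattern = re.compile(re.escape(term), re.IGNORECASE)
    pieces = []
    pos = 0
    for m in pattern.finditer(title):
        pieces.append(html.escape(title[pos:m.start()], quote=True))
        pieces.append('<span class="term">%s</span>'
                      % html.escape(m.group(0), quote=True))
        pos = m.end()
    pieces.append(html.escape(title[pos:], quote=True))
    return ''.join(pieces)


if __name__ == '__main__':
    print(naive_title_attr(QUOTED_TITLE))
    print(safe_title_attr(QUOTED_TITLE))
    print(highlight_then_escape(TAGGED_TITLE, 'Two'))
    print(escape_then_highlight(TAGGED_TITLE, 'Two'))
    print(escape_then_highlight('Cats & Dogs', '&'))
```

<p>The point of the second pair of functions is that escaping has to happen on the text segments, not on the assembled markup: once a module has already wrapped the search term in a span, no template-level ESCAPE setting can tell the span apart from a <code>&lt;Three&gt;</code> typed by a cataloguer. This matches Chris's advice to keep the stored data unencoded and escape only at output time.</p>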
</html>