Are you working with Koha 3 George?<br><br>Chris<br><br><div><span class="gmail_quote">On 3/7/08, <b class="gmail_sendername">George Adams</b> <<a href="mailto:g_adams27@hotmail.com">g_adams27@hotmail.com</a>> wrote:</span><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
<div>
Thanks for the tip about adding ESCAPE="HTML" to the template tags - that's a nice feature. I've been able to change additem.tmpl, opac-results.tmpl, opac-detail.tmpl and opac-MARCdetail.tmpl to make our entries display correctly. (That only scratches the surface, of course; I'm guessing that the Right Thing would be to change pretty much every single template that displays any user-generated content so that it's escaped. But I'm also guessing that's a big undertaking.)<br>
<br><br><blockquote><hr>Date: Thu, 6 Mar 2008 19:15:42 +1300<br>From: <a href="mailto:chris@bigballofwax.co.nz" target="_blank" onclick="return top.js.OpenExtLink(window,event,this)">chris@bigballofwax.co.nz</a><br>To: <a href="mailto:g_adams27@hotmail.com" target="_blank" onclick="return top.js.OpenExtLink(window,event,this)">g_adams27@hotmail.com</a><span class="q"><br>
Subject: Re: [Koha] HTML not being encoded for display?<br></span>CC: <a href="mailto:koha@lists.katipo.co.nz" target="_blank" onclick="return top.js.OpenExtLink(window,event,this)">koha@lists.katipo.co.nz</a><div><span class="e" id="q_1188552793720e1f_3"><br>
<br><br><br><div><span>On 3/6/08, <b>George Adams</b> <<a href="mailto:g_adams27@hotmail.com" target="_blank" onclick="return top.js.OpenExtLink(window,event,this)">g_adams27@hotmail.com</a>> wrote:</span><blockquote style="padding-left: 1ex;">
<div>
Joe, it's not just malicious activity I'm worried about (though that is a fundamental security concern). Unencoded <span>HTML</span> can break a page with frightening ease. Take this simple field:<br>
<br><input type="text" name="booktitle" value="$title"><br><br>Now if $title has the value: How to Say "I Love You" in 50 Languages, your <span>HTML</span> code will be rendered like this:<br>
<br><input type="text" name="booktitle" value="How to Say "I Love You" in 10 Languages><br><br>and is now hopelessly broken. The CGI param $booktitle will contain "How to Say ", and the rest of the book title (in addition to breaking the <span>HTML</span> tag) will be lost.</div>
</blockquote><div><br><br>Yep if you find any instances of this happening bug report it (this of course isn't what I would call unencoded HTML).<br></div><br><blockquote style="padding-left: 1ex;">
<div>I can hardly expect all the library staff to remember not to use double-quotes in any Koha text form (or any other unsafe characters like < , > or & ). Indeed, should they really be forced to give up such common characters just to workaround the problem?</div>
</blockquote><div><br>No, and in fact they don't <br><a href="http://203.97.214.51:8080/cgi-bin/koha/opac-detail.pl?biblionumber=2" target="_blank" onclick="return top.js.OpenExtLink(window,event,this)">http://203.97.214.51:8080/cgi-bin/koha/opac-detail.pl?biblionumber=2</a><br>
</div><br>
<blockquote style="padding-left: 1ex;"><div>I think I'll try mocking up something with <span>HTML</span>::Entities, at least in the most critical parts of the "Add Marc Item" form. Meanwhile, if no one objects, I'll put in a bug report for it too.</div>
</blockquote><div><br>If you put in bug report for specific areas where enescaped html is causing a problem, then we can simply edit the templates to add a ESCAPE="HTML" to the TMPL_VAR that needs it.<br>Please don't convert things to entities to store in the database. This data is used by more than just web browsers.<br>
<br>So by all means bug report away, but if you give url's of pages where unescaped characters are causing problems then it will be much more useful<br><br>Thanks<br><br>Chris<br></div><br></div><br>
</span></div></blockquote><span class="ad"><br><hr>Shed those extra pounds with MSN and The Biggest Loser! <a href="http://biggestloser.msn.com/" target="_blank" onclick="return top.js.OpenExtLink(window,event,this)">Learn more.</a></span></div>
</blockquote></div><br>