https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=36385
--- Comment #1 from David Cook <dc...@prosentient.com.au> --- (In reply to Kyle M Hall from comment #0) > In staff-global.js, we have a function escape_str. This function only > encodes a tiny subset of html characters. We should use > https://github.com/mathiasbynens/he to encode the full set of html entities. In theory, escape_str might work as a "HtmlAttributeEncode" method if it were to include double quotes, single quotes, ampersands, and angle brackets. But I think we're trying to use it in context where a full HTML entity encode is needed. Overall, I think we should be writing better Javascript, but adding layers of protection is useful I think. -- You are receiving this mail because: You are the assignee for the bug. You are watching all bug changes. _______________________________________________ Koha-bugs mailing list Koha-bugs@lists.koha-community.org https://lists.koha-community.org/cgi-bin/mailman/listinfo/koha-bugs website : http://www.koha-community.org/ git : http://git.koha-community.org/ bugs : http://bugs.koha-community.org/
