https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=37655
--- Comment #1 from Phil Ringnalda <[email protected]> ---

Created attachment 170414
--> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=170414&action=edit
Bug 37655: Basic editor needs to HTML-escape the bib record title used as a heading

We stick the title of a bib record you are editing in the basic editor into an <h1> without escaping any HTML it might contain. We should instead escape it.

Test plan:
1. Without the patch, search for any record in the catalog and click Edit record (if you are in the advanced editor, switch to the basic one)
2. Tab 2, Field 245, Subfield a, paste <script>alert('boo ❤')</script><h2> at the end of the subfield
3. Save, then from the record detail page select Edit - Edit record
4. You will have gotten an alert(), and the entire form will be the size of an <h2>. That's ugly, so go back to the detail page.
5. Apply patch, restart_all
6. Edit - Edit record
7. Now you should not get an alert, the whole title including the <script> should display in italics, and the "(Record number nnn)" after it should not be italicized.

--
You are receiving this mail because:
You are the assignee for the bug.
You are watching all bug changes.

_______________________________________________
Koha-bugs mailing list
[email protected]
https://lists.koha-community.org/cgi-bin/mailman/listinfo/koha-bugs
website : http://www.koha-community.org/
git : http://git.koha-community.org/
bugs : http://bugs.koha-community.org/
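The test plan above checks two things by eye: that the pasted <script> no longer executes, and that the <h2> no longer swallows the "(Record number nnn)" text that follows the italicised title. The following added example, written for this page in Python and not part of Koha (whose templates are Perl/Template Toolkit, where the fix is applying the template's HTML-escaping filter to the title), reproduces the "before" and "after" renderings of the heading and audits the resulting markup with the standard-library HTML parser. The function names, the sample title, and the record number 123 are assumptions for illustration; the payload is the one from the test plan.

```python
"""Unescaped vs. escaped rendering of a bib-record title inside an <h1>,
audited with the payload from the Bug 37655 test plan.

Added example, not Koha code: render_heading_unsafe, render_heading_escaped,
audit and the sample title/record number are constructed for illustration.
"""
from html import escape
from html.parser import HTMLParser

# Payload from the test plan, as it would sit at the end of 245$a.
PAYLOAD = "<script>alert('boo ❤')</script><h2>"
# Constructed sample title (assumption): some text followed by the payload.
TITLE = "A sample title " + PAYLOAD
BIBLIONUMBER = 123  # assumed record number


def render_heading_unsafe(title: str, biblionumber: int) -> str:
    """'Before' form: the title is interpolated raw into the heading."""
    return f"<h1><em>{title}</em> (Record number {biblionumber})</h1>"


def render_heading_escaped(title: str, biblionumber: int) -> str:
    """'After' form: the title is HTML-escaped; only the title is italicised."""
    return f"<h1><em>{escape(title)}</em> (Record number {biblionumber})</h1>"


class _TagCollector(HTMLParser):
    """Records every start tag seen and the text found under each open tag."""

    def __init__(self) -> None:
        super().__init__()
        self.tags: list[str] = []
        self.text_by_tag: dict = {}
        self._stack: list[str] = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)
        self._stack.append(tag)

    def handle_endtag(self, tag):
        # Only pop on a properly nested close; a stray <h2> stays open,
        # which is exactly how the unescaped page misbehaves.
        if self._stack and self._stack[-1] == tag:
            self._stack.pop()

    def handle_data(self, data):
        # HTMLParser hands us entity-decoded text, so escaped markup comes
        # back as the literal characters the user typed.
        key = self._stack[-1] if self._stack else None
        self.text_by_tag[key] = self.text_by_tag.get(key, "") + data


def audit(markup: str) -> dict:
    """Summarise which elements a browser would create from the markup."""
    parser = _TagCollector()
    parser.feed(markup)
    parser.close()
    return {
        "tags": parser.tags,
        "has_script": "script" in parser.tags,
        "em_text": parser.text_by_tag.get("em", ""),
        "h1_text": parser.text_by_tag.get("h1", ""),
    }


if __name__ == "__main__":
    before = audit(render_heading_unsafe(TITLE, BIBLIONUMBER))
    after = audit(render_heading_escaped(TITLE, BIBLIONUMBER))
    print("unescaped:", before)
    print("escaped:  ", after)
```

In the unescaped rendering the audit reports a real script element plus an unclosed h2, and the "(Record number 123)" text lands under the h2 rather than the h1, which is the oversized form the test plan describes. In the escaped rendering the only elements are h1 and em, the em text is the full original title including the literal <script> and <h2> characters, and the record-number text sits directly under the h1, matching steps 6 and 7.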
