[Koha-patches] [PATCH] Using "escape=html" on TMPL_VAR containing SQL to prevent HTML from breaking when SQL includes double-quotes.

Wed, 25 Feb 2009 06:38:52 -0800 

---
 .../en/modules/reports/guided_reports_start.tmpl   |    8 ++++----
 1 files changed, 4 insertions(+), 4 deletions(-)

diff --git 
a/koha-tmpl/intranet-tmpl/prog/en/modules/reports/guided_reports_start.tmpl 
b/koha-tmpl/intranet-tmpl/prog/en/modules/reports/guided_reports_start.tmpl
index a0450e3..bc45328 100644
--- a/koha-tmpl/intranet-tmpl/prog/en/modules/reports/guided_reports_start.tmpl
+++ b/koha-tmpl/intranet-tmpl/prog/en/modules/reports/guided_reports_start.tmpl
@@ -333,7 +333,7 @@ NAME="name" -->"><!-- TMPL_VAR 
NAME="name"--></label></td><td>
 </p>
 
 <form action="/cgi-bin/koha/reports/guided_reports.pl" method="post">
-<input type="hidden" name="sql" value="<!-- TMPL_VAR NAME="sql" -->" />
+<input type="hidden" name="sql" value="<!-- TMPL_VAR NAME="sql" ESCAPE="html" 
-->" />
 <input type="hidden" name="type" value="<!-- TMPL_VAR NAME="type" -->" />
 <p>You will need to save the report before you can execute it</p>
 <fieldset class="action"><input type="hidden" name="phase" value="Save" />  
@@ -343,7 +343,7 @@ NAME="name" -->"><!-- TMPL_VAR 
NAME="name"--></label></td><td>
 
 <!-- TMPL_IF NAME="save" -->
 <form action="/cgi-bin/koha/reports/guided_reports.pl" method="post">
-<input type="hidden" name="sql" value="<!-- TMPL_VAR NAME="sql" -->" />
+<input type="hidden" name="sql" value="<!-- TMPL_VAR NAME="sql" ESCAPE="html" 
-->" />
 <input type="hidden" name="type" value="<!-- TMPL_VAR NAME="type" -->" />
 <fieldset class="rows">
 <legend>Save Your Custom Report</legend>
@@ -373,7 +373,7 @@ NAME="name" -->"><!-- TMPL_VAR 
NAME="name"--></label></td><td>
 <option value="csv">Comma Separated Text</option>
 <option value="tab">Tab Separated Text</option>
 </select>
-<input type="hidden" name="sql" value="<!-- TMPL_VAR NAME="sql" -->" />
+<input type="hidden" name="sql" value="<!-- TMPL_VAR NAME="sql" ESCAPE="html" 
-->" />
 <input type="hidden" name="phase" value="Export" />
 <input type="submit" name="submit" value="Download" /></fieldset>
 </form>
@@ -472,7 +472,7 @@ Sub report:<select name="subreport">
 <!-- /TMPL_IF -->
 <!-- /TMPL_LOOP -->
 </div>
-<input type="hidden" name="sql" value="<!-- TMPL_VAR NAME="sql" -->" />
+<input type="hidden" name="sql" value="<!-- TMPL_VAR NAME="sql" ESCAPE="html" 
-->" />
 <input type="hidden" name="reportname" value="<!-- TMPL_VAR NAME="reportname" 
-->" />
 <input type="hidden" name="type" value="<!-- TMPL_VAR NAME="type" -->" />
 <input type="hidden" name="notes" value="<!-- TMPL_VAR NAME="notes" -->" />
-- 
1.5.5.GIT

_______________________________________________
Koha-patches mailing list
[email protected]
http://lists.koha.org/mailman/listinfo/koha-patches

Reply via email to