Bug 20891: Escape html then JSON
authorJonathan Druart <jonathan.druart@bugs.koha-community.org>
Fri, 8 Jun 2018 15:19:41 +0000 (12:19 -0300)
committerLucas Gass <lucas@bywatersolutions.com>
Thu, 23 May 2019 21:27:05 +0000 (21:27 +0000)
To my understanding we need to escape the HTML characters first, and then escape for JSON.

If this patch works we will need to rethink the 'To' TT plugin.
It was originally designed to have several escape methods, but with
these changes it will not make sense to name it 'To' if used only to
escape JSON

IIRC we should keep the 2 different ways to use it:
 * [% To.json( string ) %]
 * [% string | $To %]
otherwise it will be hard to use it when called in argument of
patron-title.inc (`git grep To.json`)

Signed-off-by: Liz Rea <wizzyrea@gmail.com>

Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>

Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
(cherry picked from commit bdf0d85c1de9cbb37cc8a40b0b4a2e86633d3aaf)
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
(cherry picked from commit 6bf436065ebf93cbda4e67c05a238b0e63c22d42)

Signed-off-by: Lucas Gass <lucas@bywatersolutions.com>

Koha/Template/Plugin/To.pm
koha-tmpl/intranet-tmpl/prog/en/modules/virtualshelves/tables/shelves_results.tt

index f87a39c..b0a03c4 100644 (file)
@@ -19,9 +19,11 @@ package Koha::Template::Plugin::To;
 
 use Modern::Perl;
 
-use base qw( Template::Plugin );
+use Template::Plugin::Filter;
+use base qw( Template::Plugin::Filter );
 
 use JSON qw( to_json );
+our $DYNAMIC = 1;
 
 sub json {
     my ( $self, $value ) = @_;
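Review bot: `our $DYNAMIC = 1;` is added without any explanation, and the `use Template::Plugin::Filter;` line just above `use base qw( Template::Plugin::Filter );` is redundant, since `use base` already loads the parent module. The flag's meaning comes from Template::Plugin::Filter rather than from this file, so a one-line comment keeps the next maintainer from having to look it up; I would write `# Dynamic filter (Template::Plugin::Filter): created per use, so filter() receives this plugin instance and any runtime args — see that module's POD`. Presumably the dynamic mode is what lets `[% text | $To %]` reach `$self->json`, but that is inferred from the parent module's documentation, not from this hunk, so the comment should stay as a pointer rather than a promise. The `json` sub whose signature closes this hunk continues outside it.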
@@ -34,4 +36,9 @@ sub json {
     return $json;
 }
 
+sub filter {
+    my ( $self, $value ) = @_;
+    return $self->json($value);
+}
+
 1;
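Review bot: The new `filter` method is the entry point behind `[% text | $To %]` but nothing in the code records that it performs JSON string escaping only and must be applied after `html`, which is the whole point of the commit and is otherwise documented only in the commit message. I would add `# Filter entry point for "[% text | $To %]": JSON-escapes only. Apply it after "html" (i.e. "| html | $To") so entities are encoded before JSON quoting; the reverse order mangles the backslash escapes, as the old To.json(...) | html form in shelves_results.tt did.` above the sub, or the equivalent under `=head2 filter` if the file carries POD. It would also be worth stating that the `$args`/`$config` parameters Template::Plugin::Filter passes are accepted in `@_` but intentionally ignored, so a later reader does not treat the two-element unpack as a bug. The `json` method this delegates to starts outside the hunk, so the claim that it returns a bare escaped string rather than a quoted JSON value cannot be confirmed from here.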
index 13317ee..1420c84 100644 (file)
                 "dt_type":
                     "[% data.type %]",
                 "dt_shelfname":
-                    "<a href='/cgi-bin/koha/virtualshelves/shelves.pl?op=view&shelfnumber=[% data.shelfnumber | html %]'>[% To.json(data.shelfname) | html%]</a>",
+                    "<a href='/cgi-bin/koha/virtualshelves/shelves.pl?op=view&shelfnumber=[% data.shelfnumber | html %]'>[% data.shelfname | html | $To %]</a>",
                 "dt_count":
                     "[% data.count %] item(s)",
                 "dt_is_shared":
                     "[% IF data.type == 2 %]Public[% ELSIF data.is_shared %]Shared[% ELSE %]Private[% END %]",
                 "dt_owner":
-                    "<a href='/cgi-bin/koha/members/moremember.pl?borrowernumber=[% data.owner | html %]'>[% To.json(data.firstname) | html %] [% To.json(data.surname) | html %]</a>",
+                    "<a href='/cgi-bin/koha/members/moremember.pl?borrowernumber=[% data.owner | html %]'>[% data.firstname | html | $To %] [% data.surname | html | $To %]</a>",
                 "dt_sortby":
                     [% IF data.sortby == "author" %]"Author"[% ELSIF data.sortby == "copyrightdate" %]"Year"[% ELSIF data.sortby == "itemcallnumber" %]"Call number"[% ELSE %]"Title"[% END %],
                 "dt_created_on":