escape in controller

2025-10-23 18:03:17 +00:00 · 2019-04-05 15:57:49 +04:00
parent 7426eb453d
commit c89757c4d7
3 changed files with 24 additions and 15 deletions
--- a/lib/Alchemy/Phrasea/Controller/Prod/RecordController.php
+++ b/lib/Alchemy/Phrasea/Controller/Prod/RecordController.php
@@ -90,6 +90,15 @@ class RecordController extends Controller
        }
        $recordCaptions["technicalInfo"] = $record->getPositionFromTechnicalInfos();

+        //  escape record title before rendering
+        $recordTitle = explode("</span>", $record->get_title());
+        if (count($recordTitle) >1) {
+            $recordTitle[1] = htmlspecialchars($recordTitle[1]);
+            $recordTitle = implode("</span>", $recordTitle);
+        } else {
+            $recordTitle = htmlspecialchars($record->get_title());
+        }
+
        return $this->app->json([
            "desc"            => $this->render('prod/preview/caption.html.twig', [
                'record'        => $record,
@@ -117,7 +126,7 @@ class RecordController extends Controller
                'record'        => $record,
            ]),
            "pos"             => $record->getNumber(),
-            "title"         => $record->get_title(),
+            "title"           => $recordTitle,
            "databox_name"    => $record->getDatabox()->get_dbname(),
            "collection_name" => $record->getCollection()->get_name(),
            "collection_logo" => $record->getCollection()->getLogo($record->getBaseId(), $this->app),
--- a/lib/classes/record/adapter.php
+++ b/lib/classes/record/adapter.php
@@ -941,7 +941,7 @@ class record_adapter implements RecordInterface, cache_cacheableInterface
            $this->set_data_to_cache(self::CACHE_TITLE, $title);
        }

-        return htmlspecialchars($title);
+        return $title;
    }

    /**
--- a/lib/classes/record/preview.php
+++ b/lib/classes/record/preview.php
@@ -149,7 +149,7 @@ class record_preview extends record_adapter
                        $this->original_item = $element;
                        $sbas_id = $element->getSbasId();
                        $record_id = $element->getRecordId();
-                        $this->name = htmlspecialchars($Basket->getName());
+                        $this->name = $Basket->getName();
                        $number = $element->getOrd();
                        $first = false;
                    }
@@ -169,7 +169,7 @@ class record_preview extends record_adapter
                    if ($element->getOrd() == $pos || $first) {
                        $sbas_id = $element->getSbasId();
                        $record_id = $element->getRecordId();
-                        $this->name = htmlspecialchars($entry->getTitle());
+                        $this->name = $entry->getTitle();
                        $this->original_item = $element;
                        $number = $element->getOrd();
                        $first = false;