Malformed XML can be passed to fancy_prompt.xul

Bug #1359914 reported by Jason Boyer
This bug affects 2 people
Affects: Evergreen
Status: Won't Fix
Importance: Undecided
Assigned to: Unassigned
Milestone:

Bug Description

Eg: *
Osrf: *
Etc.: *

Since fancy_prompt.xul takes XML chunks as parameters it has to rely on callers to make sure that they pass valid XML; it can't simply wrap those parameters in <![CDATA[ blocks or call any escape functions against them. As an example: create a volume and include an ampersand in the label, then try to transfer it to another bib record. The result is an ugly XML error because copy_browser.js doesn't currently do anything special to acn entries.

Rather than play whack-a-mole with calls to fancy_prompt.xul, it looks like the best course of action right now is to make something like the xml_encode() function in server/serial/notes.xul available in the main util namespace (perhaps as util.xml, or another similarly general purpose namespace) and do an audit of all of the hits for a grep -r XUL_FANCY_PROMPT * under Open-ILS/xul/staff_client all at once (only 27 as of today).

I wanted to get this bug posted in case someone has time to look at it. I wouldn't mind working on it at the hackaway, but there are a couple projects ahead of it in line. :)

Jason Boyer (jboyer)
Changed in evergreen:
status: New → Won't Fix
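
An added example, not part of the original report and not Evergreen's xml_encode(): one way a caller could escape a volume label containing an ampersand before placing it in an XML chunk, plus a narrow check for the malformed case described above. The function names, the groupbox markup and the sample label are assumptions made for illustration.

```javascript
// Added example; not Evergreen code. xmlEscape, buildPromptChunk and
// bareAmpersands are hypothetical names.
const XML_ENTITIES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&apos;' };

// Escape plain text for use in XML element content or a quoted attribute value.
// Input is treated as literal text, so "&amp;" typed into a label becomes
// "&amp;amp;" and is displayed exactly as it was typed.
function xmlEscape(text) {
  return String(text)
    // Characters XML 1.0 forbids even as character references are dropped.
    .replace(/[\u0000-\u0008\u000B\u000C\u000E-\u001F\uFFFE\uFFFF]/g, '')
    .replace(/[&<>"']/g, (ch) => XML_ENTITIES[ch]);
}

// Constructed stand-in for an XML chunk a caller might hand to a prompt dialog.
function buildPromptChunk(label, escape) {
  const safe = escape ? xmlEscape(label) : label;
  return '<groupbox><caption label="' + safe + '"/>' +
         '<description>Transfer volume ' + safe + '?</description></groupbox>';
}

// Narrow well-formedness check for the failure in this report: return the
// offset of every "&" that does not begin a predefined entity or a numeric
// character reference.
function bareAmpersands(xml) {
  const offsets = [];
  const re = /&(?!(?:amp|lt|gt|quot|apos);|#[0-9]+;|#x[0-9A-Fa-f]+;)/g;
  let m;
  while ((m = re.exec(xml)) !== null) offsets.push(m.index);
  return offsets;
}

const label = 'J&R "Local" <REF>'; // constructed volume label
console.log(bareAmpersands(buildPromptChunk(label, false))); // offsets of raw "&"
console.log(buildPromptChunk(label, true));                  // escaped chunk
```

The same bareAmpersands check could be run over the strings built at each XUL_FANCY_PROMPT call site during the audit the report proposes.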