From 90a121ad8605e948be0a7a6ca6a4c5e456d41445 Mon Sep 17 00:00:00 2001
From: Jeff Davis <jdavis@sitka.bclibraries.ca>
Date: Mon, 9 Nov 2020 13:59:59 -0800
Subject: [PATCH] LP#1902965: HTML filter on OPAC search results and record
 display, with accordion

Signed-off-by: Jeff Davis <jdavis@sitka.bclibraries.ca>

Conflicts:
	Open-ILS/src/templates/opac/parts/record/contents.tt2
	Open-ILS/src/templates/opac/parts/record/summary.tt2
Signed-off-by: Galen Charlton <gmc@equinoxinitiative.org>
Signed-off-by: Jane Sandberg <sandbej@linnbenton.edu>
---
 .../lib/OpenILS/WWW/EGCatLoader/Util.pm       | 11 ++++--
 .../src/templates/opac/parts/misc_util.tt2    |  6 ++-
 .../src/templates/opac/parts/record/body.tt2  |  4 +-
 .../templates/opac/parts/record/series.tt2    |  3 +-
 .../templates/opac/parts/record/summary.tt2   | 37 +++++++++++--------
 .../src/templates/opac/parts/result/table.tt2 | 16 ++++----
 6 files changed, 45 insertions(+), 32 deletions(-)

diff --git a/Open-ILS/src/perlmods/lib/OpenILS/WWW/EGCatLoader/Util.pm b/Open-ILS/src/perlmods/lib/OpenILS/WWW/EGCatLoader/Util.pm
index fdb0da5aca..064c9b8b32 100644
--- a/Open-ILS/src/perlmods/lib/OpenILS/WWW/EGCatLoader/Util.pm
+++ b/Open-ILS/src/perlmods/lib/OpenILS/WWW/EGCatLoader/Util.pm
@@ -6,6 +6,7 @@ use Time::HiRes qw/time sleep/;
 use List::MoreUtils qw(uniq);
 use HTML::TreeBuilder;
 use HTML::Element;
+use HTML::Defang;
 use OpenSRF::Utils::Cache;
 use OpenSRF::Utils::Logger qw/$logger/;
 use OpenILS::Utils::CStoreEditor qw/:funcs/;
@@ -13,6 +14,7 @@ use OpenILS::Utils::Fieldmapper;
 use OpenILS::Application::AppUtils;
 use OpenSRF::MultiSession;
 
+my $defang = HTML::Defang->new;
 my $U = 'OpenILS::Application::AppUtils';
 
 my $ro_object_subs; # cached subs
@@ -155,7 +157,8 @@ sub init_ro_object_cache {
             my $nref = ref $node;
             if ($nref eq "HTML::Element") {
                 $current_length += length $node->as_text();
-                push(@html_strings, $node->as_HTML());
+                my $escaped_html = $defang->defang($node->as_HTML());
+                push(@html_strings, $escaped_html);
             } else {
                 # Node is whitespace - handling this like regular simple text
                 # doesn't like to play nice, so handling separately
@@ -165,7 +168,7 @@ sub init_ro_object_cache {
                         push(@html_strings, " $trunc_str");
                         $truncated = 1;
                     } else {
-                        push(@html_strings, $node);
+                        push(@html_strings, $defang->defang($node));
                     }
                 # Node is simple text
                 } else {
@@ -182,10 +185,12 @@ sub init_ro_object_cache {
                             $nshort = substr $node, 0, $nloc;
                             $nrest = substr $node, $nloc;
                         }
+                        $nshort = $defang->defang($nshort);
+                        $nrest = $defang->defang($nrest);
                         push(@html_strings, "$nshort $trunc_str $nrest");
                         $truncated = 1;
                     } else {
-                        push(@html_strings, $node);
+                        push(@html_strings, $defang->defang($node));
                     }
                     $current_length += length $node;
                 }
diff --git a/Open-ILS/src/templates/opac/parts/misc_util.tt2 b/Open-ILS/src/templates/opac/parts/misc_util.tt2
index ee600a1b36..fd7c0104e5 100644
--- a/Open-ILS/src/templates/opac/parts/misc_util.tt2
+++ b/Open-ILS/src/templates/opac/parts/misc_util.tt2
@@ -879,7 +879,7 @@
 [% END -%]
 [% MACRO accordion(str, trunc_length, element) BLOCK;
     IF truncate_contents != 1;
-        str;
+        str | html;
     ELSE;
         UNLESS trunc_length;
             trunc_length = contents_truncate_length || 100;
@@ -890,7 +890,9 @@
             IF accordion_res.1;
                 str = str _ " <a onclick='toggleAccordion(this, " _ element _ ")'>" _ l('Read More') _ "</a>";
             END;
+            str;
+        ELSE;
+            str | html;
         END;
-        str;
     END;
 END; %]
diff --git a/Open-ILS/src/templates/opac/parts/record/body.tt2 b/Open-ILS/src/templates/opac/parts/record/body.tt2
index 2801670de8..11cb1ee9ee 100644
--- a/Open-ILS/src/templates/opac/parts/record/body.tt2
+++ b/Open-ILS/src/templates/opac/parts/record/body.tt2
@@ -7,10 +7,10 @@
 %]
 <div id='canvas_main' class='canvas' vocab="http://schema.org/" typeof='[% args.schema.itemtype %] Product' resource="#schemarecord">
 [%- FOREACH link IN args.links.sameAs; %]
-    <link property="sameAs" href="[% link %]">
+    <link property="sameAs" href="[% link | html %]">
 [%- END; %]
 [%- FOREACH link IN args.links.exampleOfWork; %]
-    <link property="exampleOfWork" href="[% link %]">
+    <link property="exampleOfWork" href="[% link | html %]">
 [%- END; %]
     [%- INCLUDE "opac/parts/record/navigation.tt2" %]
     [%- IF ctx.bib_is_dead %]
diff --git a/Open-ILS/src/templates/opac/parts/record/series.tt2 b/Open-ILS/src/templates/opac/parts/record/series.tt2
index a5ad664c8b..473e7544de 100644
--- a/Open-ILS/src/templates/opac/parts/record/series.tt2
+++ b/Open-ILS/src/templates/opac/parts/record/series.tt2
@@ -12,7 +12,8 @@ BLOCK render_series;
             url = mkurl(ctx.opac_root _ '/results',
                 { qtype=>'series', query=>search_term }, stop_parms.merge(expert_search_parms, general_search_parms, browse_search_parms, facet_search_parms)
             );
-            series = '<a href="' _ url _ '">' _ s.$hl_field _ '</a> ';
+            filtered_hl_field = s.$hl_field | html;
+            series = '<a href="' _ url _ '">' _ filtered_hl_field _ '</a> ';
             results.push(series);
         END;
     ELSE;
diff --git a/Open-ILS/src/templates/opac/parts/record/summary.tt2 b/Open-ILS/src/templates/opac/parts/record/summary.tt2
index d3aed58394..705411fff7 100644
--- a/Open-ILS/src/templates/opac/parts/record/summary.tt2
+++ b/Open-ILS/src/templates/opac/parts/record/summary.tt2
@@ -40,7 +40,7 @@
                 isbnissn=attrs.issns.0;
             END;
         %]
-        <a href='http://obalkyknih.cz/view?isbn=[% isbnissn %]'>
+        <a href='http://obalkyknih.cz/view?isbn=[% isbnissn | html %]'>
             <img
               alt="[% l('Image of item') %]" id='rdetail_image'
               src='[% ctx.media_prefix %]/opac/extras/ac/jacket/[% record.summary.jacket_size %]/r/[% ctx.bre_id | uri %]' />
@@ -76,7 +76,7 @@
                 <a href="[% mkurl(ctx.opac_root _ '/place_hold', 
                     {hold_target => ctx.bre_id, hold_type => 'T', hold_source_page => mkurl()}, stop_parms) %]" 
                 class="no-dec" rel="nofollow" vocab=""><img src="[% ctx.media_prefix %]/images/green_check.png[% ctx.cache_key %]"
-                    [% img_alt(l('Place Hold on [_1]', attrs.title)) %]/>
+                    [% img_alt(l('Place Hold on [_1]', attrs.title)) | html %]/>
                 <span class="place_hold">[% l('Place Hold') %]</span></a>
             </div>
             [%- END -%]
@@ -86,14 +86,14 @@
                 <a href="[% mkurl(ctx.opac_root _ '/myopac/ebook_checkout',
                     {title => args.ebook.ebook_id, vendor => args.ebook.vendor, action => 'checkout'}, stop_parms) %]"
                 class="no-dec" rel="nofollow" vocab=""><img src="[% ctx.media_prefix %]/images/green_check.png[% ctx.cache_key %]"
-                    [% img_alt(l('Check Out [_1]', attrs.title)) %]/>
+                    [% img_alt(l('Check Out [_1]', attrs.title)) | html %]/>
                 <span class="place_hold">[% l('Check Out E-Item') %]</span></a>
             </div>
             <div id="[%- ctx.bre_id -%]_ebook_place_hold" class="rdetail_aux_utils ebook_action hidden">
                 <a href="[% mkurl(ctx.opac_root _ '/myopac/ebook_place_hold',
                     {title => args.ebook.ebook_id, vendor => args.ebook.vendor, action => 'place_hold'}, stop_parms) %]"
                 class="no-dec" rel="nofollow" vocab=""><img src="[% ctx.media_prefix %]/images/green_check.png[% ctx.cache_key %]"
-                    [% img_alt(l('Place Hold on [_1]', attrs.title)) %]/>
+                    [% img_alt(l('Place Hold on [_1]', attrs.title)) | html %]/>
                 <span class="place_hold">[% l('Place Hold on E-Item') %]</span></a>
             </div>
             [%- END -%]
@@ -108,7 +108,7 @@
                     rel="nofollow" vocab=""
                     data-recid="[% ctx.bre_id %]" data-action="add"
                     class="no-dec mylist_action [% IF ctx.mylist.grep('^' _ ctx.bre_id _ '$').size %]hidden[% END %]"
-                    title="[% l("Add [_1] to basket", attrs.title) %]" rel="nofollow" vocab="">
+                    title="[% l("Add [_1] to basket", attrs.title) | html %]" rel="nofollow" vocab="">
                     <img src="[% ctx.media_prefix %]/images/add-to-cart.png[% ctx.cache_key %]" alt="" />
                     [% l("Add to basket") %]
                 </a>
@@ -116,7 +116,7 @@
                      rel="nofollow" vocab=""
                     data-recid="[% ctx.bre_id %]" data-action="delete"
                     class="mylist_action [% IF !ctx.mylist.grep('^' _ ctx.bre_id _ '$').size %]hidden[% END %]"
-                    title="[% l("Remove [_1] from basket", attrs.title) %]" rel="nofollow" vocab="">
+                    title="[% l("Remove [_1] from basket", attrs.title) | html %]" rel="nofollow" vocab="">
                     <img src="[% ctx.media_prefix %]/images/add-to-cart.png[% ctx.cache_key %]" alt="" />
                     [% l("Remove from basket") %]
                 </a>
@@ -214,20 +214,25 @@ IF num_uris > 0;
 <div class="rdetail_uris">
     [%- IF num_uris > 1 %]<ul>[% END %]
     [%- FOR uri IN merged_uris %]
+        [%-
+            filtered_href = uri.href | html;
+            filtered_link = uri.link ? uri.link : '' | html;
+            filtered_note = uri.note ? uri.note : '' | html;
+        -%]
         [%- IF num_uris == 1 -%]
             <p class="rdetail_uri" property="offers" vocab="http://schema.org/" typeof="Offer">
         [%- ELSE -%]
             <li class="rdetail_uri" property="offers" vocab="http://schema.org/" typeof="Offer">
         [%- END -%]
-        <a href="[% uri.href %]" class="uri_link" property="url" target="_blank" rel="noopener">
-        [%- IF uri.href != uri.link;
-                '<span property="description">' _ uri.link _ '</span>';
+        <a href="[% filtered_href %]" class="uri_link" property="url" target="_blank" rel="noopener">
+        [%- IF filtered_href != filtered_link;
+                '<span property="description">' _ filtered_link _ '</span>';
             ELSE;
-                uri.link;
+                filtered_link;
             END;
         -%]
         </a>
-        [%- ' - <span property="description">' _ uri.note _ '</span>' IF uri.note %]
+        [%- ' - <span property="description">' _ filtered_note _ '</span>' IF filtered_note %]
         <link property="availability" href="http://schema.org/OnlineOnly" />
         [%- IF attrs.gtin13; '<meta property="gtin13" content="' _ attrs.gtin13 _ '" />'; END; %]
         [%- IF num_uris == 1 %]</p>[% ELSE %]</li>[% END %]
@@ -330,7 +335,7 @@ END;
 <ul>
     [%- IF attrs.hl.isbn.size; FOR isbn IN attrs.hl.isbn %]
     <li class='rdetail_isbns'>
-        <strong class='rdetail_label'>[% l('ISBN:'); %]</strong> [% isbn %]
+        <strong class='rdetail_label'>[% l('ISBN:'); %]</strong> [% isbn | html %]
     </li>
     [%- END; ELSIF attrs.isbns.0;
           FOR isbn IN attrs.isbns;
@@ -348,7 +353,7 @@ END;
     [%- END %]
     [%- IF attrs.hl.issn.size; FOR issn IN attrs.hl.issn %]
     <li class='rdetail_issns'>
-        <strong class='rdetail_label'>[% l('ISSN:'); %]</strong> [% issn %]
+        <strong class='rdetail_label'>[% l('ISSN:'); %]</strong> [% issn | html %]
     </li>
     [%- END; ELSIF attrs.issns.0; FOR issn IN attrs.issns %]
     <li class='rdetail_issns'>
@@ -407,12 +412,12 @@ END;
         <span class='rdetail_value' property="publisher" typeof="Organization">
         [% pubstr = '' %]
         [%- IF attrs.pubplace; %]
-            <span property="location">[% attrs.pubplace %]</span>
+            <span property="location">[% attrs.pubplace | html %]</span>
         [%- END; %]
-            <span property="name">[% attrs.publisher %]</span>
+            <span property="name">[% attrs.publisher | html %]</span>
         </span>
         [%- IF attrs.pubdate; %]
-            <span property="datePublished">[% attrs.pubdate %]</span>
+            <span property="datePublished">[% attrs.pubdate | html %]</span>
         [%- END; %]
         [%-
         IF attrs.graphic_pubinfos.size > 0;
diff --git a/Open-ILS/src/templates/opac/parts/result/table.tt2 b/Open-ILS/src/templates/opac/parts/result/table.tt2
index 0597940f32..25e4559eda 100644
--- a/Open-ILS/src/templates/opac/parts/result/table.tt2
+++ b/Open-ILS/src/templates/opac/parts/result/table.tt2
@@ -132,7 +132,7 @@
                                                     [% END %]
                                                     <a class='record_title search_link' name='record_[% rec.id %]'
                                                         href="[% mkurl(record_url_path, add_parms, del_parms); %]"
-                                                        [% html_text_attr('title', l('Display record details for "[_1]"', attrs.title)) %]>
+                                                        [% html_text_attr('title', l('Display record details for "[_1]"', attrs.title)) | html%]>
                                                         [% IF attrs.hl.title; attrs.hl.title; ELSE; attrs.title | html; END %]
                                                      </a>
                                                      [% IF rec.mr_constituent_count.defined && rec.mr_constituent_count > 1 %]
@@ -352,7 +352,7 @@ END;
                                                                 <td valign='top'>
                                                                     <strong>[% l('Electronic resource') %]</strong>
                                                                 </td>
-                                                                <td><a href="[% uri.href %]" class="uri_link" target="_blank" rel="noopener">[% uri.link | html %]</a>[% ' - ' _ uri.note | html IF uri.note %]</td>
+                                                                <td><a href="[% uri.href | html %]" class="uri_link" target="_blank" rel="noopener">[% uri.link | html %]</a>[% ' - ' _ uri.note | html IF uri.note %]</td>
                                                             </tr>
                                                             [% END %]
                                                          [% END %]
@@ -463,7 +463,7 @@ END;
                                                         <div class="results_aux_utils place_hold"><a
                                                                 href="[% mkurl(ctx.opac_root _ '/place_hold',
                                                                     add_parms, del_parms) %]"
-                                                                [% html_text_attr('title', l('Place Hold on [_1]', attrs.title)) %]
+                                                                [% html_text_attr('title', l('Place Hold on [_1]', attrs.title)) | html %]
                                                                     class="no-dec" rel="nofollow" vocab=""><img
                                                                 src="[% ctx.media_prefix %]/images/green_check.png[% ctx.cache_key %]"
                                                                 alt=""/><span class="result_place_hold">[% l('Place Hold') %]</span></a>
@@ -475,7 +475,7 @@ END;
                                                             <a href="[% mkurl(ctx.opac_root _ '/myopac/ebook_checkout',
                                                                 {title => args.ebook.ebook_id, vendor => args.ebook.vendor, action => 'checkout'},
                                                                 ['query','tag','subfield','term','_special','sort','page']) %]"
-                                                                [% html_text_attr('title', l('Check Out [_1]', attrs.title)) %]
+                                                                [% html_text_attr('title', l('Check Out [_1]', attrs.title)) | html %]
                                                                     class="no-dec" rel="nofollow" vocab=""><img
                                                                 src="[% ctx.media_prefix %]/images/green_check.png[% ctx.cache_key %]"
                                                                 alt=""/><span class="result_place_hold">[% l('Check Out E-Item') %]</span></a>
@@ -484,7 +484,7 @@ END;
                                                             <a href="[% mkurl(ctx.opac_root _ '/myopac/ebook_place_hold',
                                                                 {title => args.ebook.ebook_id, vendor => args.ebook.vendor, action => 'place_hold'},
                                                                 ['query','tag','subfield','term','_special','sort','page']) %]"
-                                                                [% html_text_attr('title', l('Place Hold on [_1]', attrs.title)) %]
+                                                                [% html_text_attr('title', l('Place Hold on [_1]', attrs.title)) | html %]
                                                                     class="no-dec" rel="nofollow" vocab=""><img
                                                                 src="[% ctx.media_prefix %]/images/green_check.png[% ctx.cache_key %]"
                                                                 alt=""/><span class="result_place_hold">[% l('Place Hold on E-Item') %]</span></a>
@@ -503,14 +503,14 @@ END;
                                                             <a href="[% addhref %]" id="mylist_add_[% rec.id %]"
                                                                 data-recid="[% rec.id %]" data-action="add"
                                                                 class="mylist_action [% IF ctx.mylist.grep('^' _ rec.id _ '$').size %]hidden[% END %]"
-                                                                title="[% l("Add [_1] to basket", attrs.title) %]" rel="nofollow" vocab="">
+                                                                title="[% l("Add [_1] to basket", attrs.title) | html %]" rel="nofollow" vocab="">
                                                                 <img src="[% ctx.media_prefix %]/images/add-to-cart.png[% ctx.cache_key %]" alt="" />
                                                                 [% l("Add to basket") %]
                                                             </a>
                                                             <a href="[% delhref %]" id="mylist_delete_[% rec.id %]"
                                                                 data-recid="[% rec.id %]" data-action="delete"
                                                                 class="mylist_action [% IF !ctx.mylist.grep('^' _ rec.id _ '$').size %]hidden[% END %]"
-                                                                title="[% l("Remove [_1] from basket", attrs.title) %]" rel="nofollow" vocab="">
+                                                                title="[% l("Remove [_1] from basket", attrs.title) | html %]" rel="nofollow" vocab="">
                                                                 <img src="[% ctx.media_prefix %]/images/add-to-cart.png[% ctx.cache_key %]" alt="" />
                                                                 [% l("Remove from basket") %]
                                                             </a>
@@ -525,7 +525,7 @@ END;
                                                         [% ident = attrs.isbn_clean || attrs.upc %]
                                                         <div class="results_aux_utils result_util">
                                                             <a target='_blank' 
-                                                               [% html_text_attr('title', l('Reviews and More for [_1]', attrs.title)) %]
+                                                               [% html_text_attr('title', l('Reviews and More for [_1]', attrs.title)) | html %]
                                                                 href="[% ctx.ext_proto %]://contentcafe2.btol.com/ContentCafeClient/ContentCafe.aspx?UserID=[%- 
                                                                     ENV.OILS_CONTENT_CAFE_USER %]&amp;Password=[%-
                                                                     ENV.OILS_CONTENT_CAFE_PASS %]&amp;ItemKey=[% ident | uri %]&amp;Options=Y" rel="noopener nofollow" vocab="">
-- 
2.43.2