Skip to content

set_finder can output bad xml #21

New issue
New issue
Open
Open
set_finder can output bad xml#21
Milestone
1.2
@jesusbagpuss

Description

@jesusbagpuss
jesusbagpuss
opened on Aug 29, 2022

https://github.com/eprintsug/irstats2/blob/main/cgi/stats/set_finder#L86
The call to EPrints::Utils::url_escape doesn't encode &s - so if a set value has that character in it, it produces broken XML:

<li>
  <div class='irstats2_setfinder_row'>
    <a href='https://example.com/cgi/stats/report/institution/University%20of%20York%20&%20Aarhus%20University/'>University of York &amp; Aarhus University</a>
    <!--                                                                              ^^^ here         -->
  </div>
</li>

should be either &amp; or %26.
As the stats URL is a REST-like interface, the value is in a path (rather than query string).

I think the best fix would be to use URI::Escape and encode the value with uri_escape( $escape_value ).
That module is already used in other parts of EPrints. The escape_value may not be needed with this approach.

Other options (feel worse?) are:

  • HTML::Entities::encode( EPrints::Utils::url_escape( $escape_value ), '&') (feels messy)
  • HTML::Entities::encode( $escape_value ) (doesn't encode spaces)

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Type

    No type

    Projects

    No projects

    Milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions