Strip control characters when inserting notes and displaying reports

2013-01-14 16:00:25 -05:00 · 2013-01-14 16:00:25 -05:00 · 4ea05ce091
commit 4ea05ce091
parent 620b8abb2c
2 changed files with 12 additions and 2 deletions
--- a/chrome/content/zotero/xpcom/data/item.js
+++ b/chrome/content/zotero/xpcom/data/item.js
@ -2441,7 +2441,10 @@ Zotero.Item.prototype.setNote = function(text) {
 		throw ("text must be a string in Zotero.Item.setNote() (was " + typeof text + ")");
 	}
 	
-	text = Zotero.Utilities.trim(text);
+	text = text
+		// Strip control characters
+		.replace(/[\u0000-\u0008\u000B\u000C\u000E-\u001F\u007F]/g, "")
+		.trim();
 	
 	var oldText = this.getNote();
 	if (text == oldText) {
--- a/chrome/content/zotero/xpcom/report.js
+++ b/chrome/content/zotero/xpcom/report.js
@ -79,7 +79,14 @@ Zotero.Report = new function() {
 					// If not valid XML, display notes with entities encoded
 					var parser = Components.classes["@mozilla.org/xmlextras/domparser;1"]
 							.createInstance(Components.interfaces.nsIDOMParser);
-					var doc = parser.parseFromString('<div>' + arr.note.replace(/&nbsp;/g, "&#160;") + '</div>', "application/xml");
+					var doc = parser.parseFromString('<div>'
+						+ arr.note
+							// &nbsp; isn't valid in HTML
+							.replace(/&nbsp;/g, "&#160;")
+							// Strip control characters (for notes that were
+							// added before item.setNote() started doing this)
+							.replace(/[\u0000-\u0008\u000B\u000C\u000E-\u001F\u007F]/g, "")
+					+ '</div>', "application/xml");
 					if (doc.documentElement.tagName == 'parsererror') {
 						Zotero.debug(doc.documentElement.textContent, 2);
 						content += '<p class="plaintext">' + escapeXML(arr.note) + '</p>\n';