LP#1671635: escape some values to avoid XSS
authorGalen Charlton <gmc@equinoxinitiative.org>
Tue, 7 Nov 2017 19:33:16 +0000 (14:33 -0500)
committerGalen Charlton <gmc@equinoxinitiative.org>
Tue, 7 Nov 2017 19:33:58 +0000 (14:33 -0500)
Signed-off-by: Galen Charlton <gmc@equinoxinitiative.org>
Open-ILS/src/templates/opac/parts/place_hold.tt2

index fc59a0d..76d8d9e 100644 (file)
@@ -57,9 +57,9 @@ function toggleActivationDate() {
 
         <!-- Adding hidden fields so that parameters are maintained in
         searchbar throughout the place hold process. -->
-        <input type="hidden" name="locg" value="[% CGI.param('locg') %]" />
-        <input type="hidden" name="qtype" value="[% CGI.param('qtype') %]" />
-        <input type="hidden" name="query" value="[% CGI.param('query') %]" />
+        <input type="hidden" name="locg" value="[% CGI.param('locg') | html %]" />
+        <input type="hidden" name="qtype" value="[% CGI.param('qtype') | html %]" />
+        <input type="hidden" name="query" value="[% CGI.param('query') | html %]" />
         [%
             usr_barcode = CGI.param('usr_barcode') | html;
             is_requestor = CGI.param('is_requestor');
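Review bot: The `| html` filter added to the three hidden inputs is not applied to `is_requestor` on the last context line, even though its sibling `usr_barcode` on the line above is filtered the same way. How `is_requestor` is used is outside the hunk, so it may only be tested as a flag; if it is ever interpolated into markup further down the template, it needs the same treatment, `is_requestor = CGI.param('is_requestor') | html;`. TT2's `html` filter escapes `&`, `<`, `>` and `"`, so it is sufficient for the double-quoted attribute context the three inputs use here. The enclosing `[% ... %]` block continues past the end of the hunk.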