LP#1822630: fix sanitizing CGI params on place_hold_result

Signed-off-by: Jeff Davis <jdavis@sitka.bclibraries.ca>
Signed-off-by: Jason Stephenson <jason@sigio.com>
(cherry picked from commit 019118895c94f5cc810b3f1fb95b2634a1c993b6)

diff --git a/Open-ILS/src/templates/opac/parts/place_hold_result.tt2 b/Open-ILS/src/templates/opac/parts/place_hold_result.tt2
index 36e7a45..3320fdb 100644 (file)
--- a/Open-ILS/src/templates/opac/parts/place_hold_result.tt2
+++ b/Open-ILS/src/templates/opac/parts/place_hold_result.tt2
@@ -155,10 +155,10 @@ function disable_submit() {
        [% END %]
         <span>
         [% IF any_failures OR ctx.general_hold_error %]
-        <a href="[% CGI.param('redirect_to') || CGI.referer | html %]">[% l('Cancel') %]</a>
+        <a href="[% (CGI.param('redirect_to') || CGI.referer) | html %]">[% l('Cancel') %]</a>
         [% ELSE %]
         <div class='hold_success_links'>
-          <span><a href="[% CGI.param('redirect_to') || CGI.referer | html %]">[% l('Continue') %]</a></span>
+          <span><a href="[% (CGI.param('redirect_to') || CGI.referer) | html %]">[% l('Continue') %]</a></span>
            [% IF ctx.is_staff %]
              [% IF CGI.param('hold_type') == 'C';
                   hold_type_label = l('copy');