LP#1671635: escape some values to avoid XSS
authorGalen Charlton <gmc@equinoxinitiative.org>
Tue, 7 Nov 2017 19:33:16 +0000 (14:33 -0500)
committerGalen Charlton <gmc@equinoxinitiative.org>
Tue, 7 Nov 2017 19:34:37 +0000 (14:34 -0500)
Signed-off-by: Galen Charlton <gmc@equinoxinitiative.org>
Open-ILS/src/templates/opac/parts/place_hold.tt2

index 18eb427..5ebf1ef 100644 (file)
@@ -35,9 +35,9 @@
 
         <!-- Adding hidden fields so that parameters are maintained in
         searchbar throughout the place hold process. -->
-        <input type="hidden" name="locg" value="[% CGI.param('locg') %]" />
-        <input type="hidden" name="qtype" value="[% CGI.param('qtype') %]" />
-        <input type="hidden" name="query" value="[% CGI.param('query') %]" />
+        <input type="hidden" name="locg" value="[% CGI.param('locg') | html %]" />
+        <input type="hidden" name="qtype" value="[% CGI.param('qtype') | html %]" />
+        <input type="hidden" name="query" value="[% CGI.param('query') | html %]" />
         [%
             usr_barcode = CGI.param('usr_barcode') | html;
             is_requestor = CGI.param('is_requestor');
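Review bot: The `is_requestor` value read on the hunk's last line is still taken straight from `CGI.param` with no escaping, while the three hidden inputs above it now get `| html`; if it is later interpolated into markup it needs the same treatment at the output site, e.g. `[% is_requestor | html %]`. The `| html` on the `usr_barcode` assignment on the line before it may not do what it appears to: as I read Template Toolkit, an inline filter on an assignment directive is applied to the directive's (empty) output rather than to the stored value, so `usr_barcode` could still be emitted raw wherever it is printed — worth confirming, and if so escaping at the point of output instead. Note that the `html` filter escapes `<`, `>`, `&` and `"`, which is sufficient for the double-quoted `value="…"` attributes in this hunk but not for any of these parameters echoed into a URL or script context. The `[%` block that opens on the third-to-last line continues past the end of the hunk.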