From: Galen Charlton <gmc@equinoxinitiative.org>
Date: Tue, 7 Nov 2017 19:33:16 +0000 (-0500)
Subject: LP#1671635: escape some values to avoid XSS
X-Git-Url: https://old-git.evergreen-ils.org/?a=commitdiff_plain;h=854322f75b0203a57e6d00b9fb5fa8bc62fe0fa6;p=working%2FEvergreen.git

LP#1671635: escape some values to avoid XSS

Signed-off-by: Galen Charlton <gmc@equinoxinitiative.org>
---

diff --git a/Open-ILS/src/templates/opac/parts/place_hold.tt2 b/Open-ILS/src/templates/opac/parts/place_hold.tt2
index 18eb427851..5ebf1ef186 100644
--- a/Open-ILS/src/templates/opac/parts/place_hold.tt2
+++ b/Open-ILS/src/templates/opac/parts/place_hold.tt2
@@ -35,9 +35,9 @@
 
         <!-- Adding hidden fields so that parameters are maintained in
         searchbar throughout the place hold process. -->
-        <input type="hidden" name="locg" value="[% CGI.param('locg') %]" />
-        <input type="hidden" name="qtype" value="[% CGI.param('qtype') %]" />
-        <input type="hidden" name="query" value="[% CGI.param('query') %]" />
+        <input type="hidden" name="locg" value="[% CGI.param('locg') | html %]" />
+        <input type="hidden" name="qtype" value="[% CGI.param('qtype') | html %]" />
+        <input type="hidden" name="query" value="[% CGI.param('query') | html %]" />
         [%
             usr_barcode = CGI.param('usr_barcode') | html;
             is_requestor = CGI.param('is_requestor');