From 23683f188e8ef461bdb0bc6cb20ae623c857d0e7 Mon Sep 17 00:00:00 2001 From: Jason Boyer Date: Mon, 8 Feb 2021 14:20:32 -0500 Subject: [PATCH] LP1914116: Apply html filter to mkurl() output Because of the way that mkurl() generates its query parameters they're generally escaped correctly, but nowhere do we run the output of mkurl() through the html filter to correctly handle ampersands. Rather than adding "|html" to every invocation of mkurl, it's just added to the macro directly. Signed-off-by: Jason Boyer Signed-off-by: Garry Collum --- Open-ILS/src/templates/opac/parts/header.tt2 | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/Open-ILS/src/templates/opac/parts/header.tt2 b/Open-ILS/src/templates/opac/parts/header.tt2 index 5f397c3b7c..5db8723302 100644 --- a/Open-ILS/src/templates/opac/parts/header.tt2 +++ b/Open-ILS/src/templates/opac/parts/header.tt2 @@ -102,13 +102,13 @@ IF page; IF cgi.query_string; - page _ '?' _ cgi.query_string _ final; + page _ '?' _ cgi.query_string _ final | html; ELSE; - page _ final; + page _ final | html; END; ELSE; # staying on the current page - cgi.url("-absolute" => 1, "-path" => 1, "-query" => 1) _ final; + cgi.url("-absolute" => 1, "-path" => 1, "-query" => 1) _ final | html; END; END; -- 2.11.0
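
Review bot: With "| html" applied inside the macro on all three output expressions (both "page" branches and the "cgi.url(...)" branch), every caller now receives HTML-escaped text, and nothing in the hunk documents that. A caller that later adds its own "| html" would produce "&amp;amp;", and a caller that uses mkurl() outside HTML markup (for example inside a script block) would get "&amp;" where it needs a bare "&". The commit message says no call site filters the output today, so please add a short comment above these statements saying that the return value is already HTML-escaped and must not be filtered again. Please also confirm that no template uses mkurl() output in a non-HTML context.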