From 689171ab8e35da2ab7ef5e89c7e1dade3f38a753 Mon Sep 17 00:00:00 2001
From: Galen Charlton <gmc@equinoxinitiative.org>
Date: Tue, 7 Nov 2017 14:33:16 -0500
Subject: [PATCH] LP#1671635: escape some values to avoid XSS

Signed-off-by: Galen Charlton <gmc@equinoxinitiative.org>
---
 Open-ILS/src/templates/opac/parts/place_hold.tt2 | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/Open-ILS/src/templates/opac/parts/place_hold.tt2 b/Open-ILS/src/templates/opac/parts/place_hold.tt2
index fc59a0dd06..76d8d9e11d 100644
--- a/Open-ILS/src/templates/opac/parts/place_hold.tt2
+++ b/Open-ILS/src/templates/opac/parts/place_hold.tt2
@@ -57,9 +57,9 @@ function toggleActivationDate() {
 
         <!-- Adding hidden fields so that parameters are maintained in
         searchbar throughout the place hold process. -->
-        <input type="hidden" name="locg" value="[% CGI.param('locg') %]" />
-        <input type="hidden" name="qtype" value="[% CGI.param('qtype') %]" />
-        <input type="hidden" name="query" value="[% CGI.param('query') %]" />
+        <input type="hidden" name="locg" value="[% CGI.param('locg') | html %]" />
+        <input type="hidden" name="qtype" value="[% CGI.param('qtype') | html %]" />
+        <input type="hidden" name="query" value="[% CGI.param('query') | html %]" />
         [%
             usr_barcode = CGI.param('usr_barcode') | html;
             is_requestor = CGI.param('is_requestor');
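Review bot: The context line `is_requestor = CGI.param('is_requestor');` still reads a request parameter without the `| html` filter, while the neighbouring `usr_barcode` assignment and the three new hidden inputs all apply it. Whether that matters depends on how `is_requestor` is later interpolated, which is outside this hunk; if it ends up in markup or an attribute value, the same `| html` treatment is needed, e.g. `is_requestor = CGI.param('is_requestor') | html;`. A one-line template comment above the hidden inputs, such as `<!-- request parameters are reflected into attribute values; keep the html filter on every CGI.param() here -->`, would make the invariant explicit for the next edit to this block. The `[% ... %]` block opened on the line before runs past the end of the hunk.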
-- 
2.11.0