From d76afac85b394416c2f2153f25b72edbe04f35ce Mon Sep 17 00:00:00 2001
From: Jeff Davis <jdavis@sitka.bclibraries.ca>
Date: Mon, 10 Jun 2019 09:53:44 -0700
Subject: [PATCH] LP#1822630: fix sanitizing CGI params on place_hold_result

Signed-off-by: Jeff Davis <jdavis@sitka.bclibraries.ca>
Signed-off-by: Jason Stephenson <jason@sigio.com>
Signed-off-by: Galen Charlton <gmc@equinoxinitiative.org>
---
 Open-ILS/src/templates/opac/parts/place_hold_result.tt2 | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/Open-ILS/src/templates/opac/parts/place_hold_result.tt2 b/Open-ILS/src/templates/opac/parts/place_hold_result.tt2
index 2f434bdc60..2b5c4eeab1 100644
--- a/Open-ILS/src/templates/opac/parts/place_hold_result.tt2
+++ b/Open-ILS/src/templates/opac/parts/place_hold_result.tt2
@@ -148,10 +148,10 @@ function disable_submit() {
 [% END %]
 <span>
 [% IF any_failures OR ctx.general_hold_error %]
- <a href="[% CGI.param('redirect_to') | html || CGI.referer | html %]">[% l('Cancel') %]</a>
+ <a href="[% (CGI.param('redirect_to') || CGI.referer) | html %]">[% l('Cancel') %]</a>
 [% ELSE %]
 <div class='hold_success_links'>
- <span><a href="[% CGI.param('redirect_to') | html || CGI.referer | html %]">[% l('Continue') %]</a></span>
+ <span><a href="[% (CGI.param('redirect_to') || CGI.referer) | html %]">[% l('Continue') %]</a></span>
 [% IF ctx.is_staff %]
 [% IF CGI.param('hold_type') == 'C';
 hold_type_label = l('copy');
-- 
2.11.0
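Review bot: On both the Cancel and the Continue anchors, the `| html` filter escapes markup characters but does not constrain the URL itself, so a request-supplied `redirect_to` with a non-http(s) scheme or an off-site host would still become a live link target. Whether the handler validates `redirect_to` before this template renders is not visible in the hunk; if it does not, the value should be limited to a same-site path (or an http/https URL on an allowed host) before it reaches `href`, with a fallback to a fixed catalogue page. Computing the target once into a variable and using it in both links would keep the two anchors from drifting apart again. A short comment such as `[%# redirect_to and referer are request-controlled: html-escaped here, destination must be validated upstream %]` would record the assumption. The `IF ctx.is_staff` block continues past the end of the hunk and was not reviewed.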