From 083ae794cc204141a11f3f58cba757adf2693c27 Mon Sep 17 00:00:00 2001
From: Owen Leonard
Date: Tue, 11 Aug 2020 12:57:48 +0000
Subject: [PATCH] Bug 26102: Prevent XSS when To.json is used: catalogue/results.tt

To test, perform a search in the catalogue and verify that search term highlighting works correctly.

Signed-off-by: Nick Clemens
Signed-off-by: Katrin Fischer
Signed-off-by: Kyle M Hall
(cherry picked from commit 0de86fd323545796d57d2e289c10a33970050716)
Signed-off-by: Victor Grousset/tuxayo
---
 koha-tmpl/intranet-tmpl/prog/en/modules/catalogue/results.tt | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/koha-tmpl/intranet-tmpl/prog/en/modules/catalogue/results.tt b/koha-tmpl/intranet-tmpl/prog/en/modules/catalogue/results.tt
index 9a8131f841..a96d24a94e 100644
--- a/koha-tmpl/intranet-tmpl/prog/en/modules/catalogue/results.tt
+++ b/koha-tmpl/intranet-tmpl/prog/en/modules/catalogue/results.tt
@@ -742,7 +742,7 @@
 [%- END -%]
 var search_result = {
-    query_desc: "[% To.json( query_desc ) | $raw %]",
+    query_desc: "[% To.json( query_desc ) | html %]",
     query_cgi: "[% query_cgi | html %]",
     limit_cgi: "[% limit_cgi | html %]",
     sort_cgi: "[% sort_cgi | html %]",
-- 
2.39.5
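Review bot: The added `query_desc` line is double-encoded: `To.json( query_desc )` already emits a JSON string literal with its own surrounding quotes, the template wraps that in another `"…"`, and `| html` then turns the inner quotes into `&quot;`, so if this sits in a `<script>` block (where entities are not decoded) the JS value becomes `&quot;…&quot;` rather than the original search description — which is presumably why the commit message asks testers to re-check highlighting. Unless the consumer of `search_result.query_desc` (outside this hunk) is known to strip that wrapper, the simpler `query_desc: "[% query_desc | html %]",` matches the neighbouring `query_cgi`/`limit_cgi`/`sort_cgi` lines and avoids the extra JSON layer. Either way, the `html` filter leaves backslashes untouched, so the value is only safe as a JS string literal if the consumer treats it as HTML-escaped text and decodes it before use; a short comment above the object, e.g. `// values are HTML-escaped; decode before comparing against page text`, would make that contract visible. The `search_result` object literal continues past the end of the hunk.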