From 307d369a361e34a304d1de25f0d8cde5c05d5d98 Mon Sep 17 00:00:00 2001
From: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Date: Wed, 9 Aug 2017 14:08:24 -0300
Subject: [PATCH] Bug 18726: Fix XSS at the OPAC - biblionumber

The biblionumber parameter is sent by the user, we must escape all of
them to avoid XSS.

Fixes: Cross-site scripting OPAC pages

Signed-off-by: Amit Gupta <amit.gupta@informaticsglobal.com>

Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Mason James <mtj@kohaaloha.com>
---
 .../bootstrap/en/includes/opac-bottom.inc     |  6 +--
 .../en/includes/opac-detail-sidebar.inc       | 22 ++++++++---
 .../bootstrap/en/modules/opac-ISBDdetail.tt   |  2 +-
 .../bootstrap/en/modules/opac-MARCdetail.tt   | 12 +++---
 .../en/modules/opac-alert-subscribe.tt        | 10 ++---
 .../bootstrap/en/modules/opac-detail.tt       | 37 +++++++++++--------
 .../en/modules/opac-full-serial-issues.tt     |  6 +--
 .../en/modules/opac-serial-issues.tt          |  2 +-
 8 files changed, 56 insertions(+), 41 deletions(-)

diff --git a/koha-tmpl/opac-tmpl/bootstrap/en/includes/opac-bottom.inc b/koha-tmpl/opac-tmpl/bootstrap/en/includes/opac-bottom.inc
index 1a1337087c..b02f61cf6a 100644
--- a/koha-tmpl/opac-tmpl/bootstrap/en/includes/opac-bottom.inc
+++ b/koha-tmpl/opac-tmpl/bootstrap/en/includes/opac-bottom.inc
@@ -155,15 +155,15 @@ $.widget.bridge('uitooltip', $.ui.tooltip);
         return false;
     });
     $("#ulactioncontainer > ul > li > a.addtoshelf").on("click",function(){
-        Dopop('opac-addbybiblionumber.pl?biblionumber=[% biblionumber %]');
+        Dopop('opac-addbybiblionumber.pl?biblionumber=[% biblionumber | html %]');
         return false;
     });
     $(".addrecord").on("click",function(){
-        addRecord('[% biblionumber %]');
+        addRecord('[% biblionumber | html %]');
         return false;
     });
     $(".cartRemove").on("click",function(){
-        delSingleRecord('[% biblionumber %]');
+        delSingleRecord('[% biblionumber | html %]');
         return false;
     });
     //]]>
diff --git a/koha-tmpl/opac-tmpl/bootstrap/en/includes/opac-detail-sidebar.inc b/koha-tmpl/opac-tmpl/bootstrap/en/includes/opac-detail-sidebar.inc
index 3c14bea690..3e0119a21b 100644
--- a/koha-tmpl/opac-tmpl/bootstrap/en/includes/opac-detail-sidebar.inc
+++ b/koha-tmpl/opac-tmpl/bootstrap/en/includes/opac-detail-sidebar.inc
@@ -3,22 +3,32 @@
         [% IF Koha.Preference( 'opacuserlogin' ) == 1 %]
             [% IF Koha.Preference( 'RequestOnOpac' ) == 1 %]
                 [% IF ( AllowOnShelfHolds OR ItemsIssued ) %]
-                    <li><a class="reserve" href="/cgi-bin/koha/opac-reserve.pl?biblionumber=[% biblionumber %]">Place hold</a></li>
+                    <li><a class="reserve" href="/cgi-bin/koha/opac-reserve.pl?biblionumber=[% biblionumber | html %]">Place hold</a></li>
                 [% END %]
             [% END %]
         [% END %]
     [% END %]
     <li><a class="print-large" href="#">Print</a></li>
+<<<<<<< HEAD
+=======
+
+    [% IF Koha.Preference( 'opacuserlogin' ) == 1 %]
+        [% IF Koha.Preference('ArticleRequests') %]
+            <li><a class="article_request" href="/cgi-bin/koha/opac-request-article.pl?biblionumber=[% biblionumber | html %]">Request article</a></li>
+        [% END %]
+    [% END %]
+
+>>>>>>> Bug 18726: Fix XSS at the OPAC - biblionumber
     [% IF Koha.Preference( 'virtualshelves' ) == 1 %]
         [% IF ( ( Koha.Preference( 'opacuserlogin' ) == 1 ) && loggedinusername ) %]
-            <li><a class="addtoshelf" href="/cgi-bin/koha/opac-addbybiblionumber.pl?biblionumber=[% biblionumber %]">Save to your lists</a></li>
+            <li><a class="addtoshelf" href="/cgi-bin/koha/opac-addbybiblionumber.pl?biblionumber=[% biblionumber | html %]">Save to your lists</a></li>
         [% END %]
     [% END %]
     [% IF Koha.Preference( 'opacbookbag' ) == 1 %]
         [% IF ( incart ) %]
-            <li><a class="incart cart[% biblionumber %] addrecord" href="#">In your cart</a> <a class="cartRemove cartR[% biblionumber %]" href="#">(remove)</a></li>
+            <li><a class="incart cart[% biblionumber | html %] addrecord" href="#">In your cart</a> <a class="cartRemove cartR[% biblionumber | html %]" href="#">(remove)</a></li>
         [% ELSE %]
-            <li><a class="addtocart cart[% biblionumber %] addrecord" href="#">Add to your cart</a>  <a style="display:none;" class="cartRemove cartR[% biblionumber %]" href="#">(remove)</a></li>
+            <li><a class="addtocart cart[% biblionumber | html %] addrecord" href="#">Add to your cart</a>  <a style="display:none;" class="cartRemove cartR[% biblionumber | html %]" href="#">(remove)</a></li>
         [% END %]
     [% END %]
     [% IF ( OpacHighlightedWords && query_desc ) %]
@@ -40,7 +50,7 @@
                                     <li><a role="menuitem" href="#" data-toggle="modal" data-target="#exportModal_">Dublin Core</a></li>
                                 [% ELSE %]
                                 <li>
-                                    <a role="menuitem" href="/cgi-bin/koha/opac-export.pl?op=export&amp;bib=[% biblionumber %]&amp;format=[% option %]">
+                                    <a role="menuitem" href="/cgi-bin/koha/opac-export.pl?op=export&amp;bib=[% biblionumber | html %]&amp;format=[% option %]">
                                         [% SWITCH option %]
                                             [% CASE 'bibtex' %]BIBTEX
                                             [% CASE 'endnote' %]EndNote
@@ -96,7 +106,7 @@
                 <label class="label_dc" for="input-srw">SRW-DC</label>
                 <br>
         <input type="hidden" name="op" value="export">
-        <input type="hidden" name="bib" value="[% biblionumber %]">
+        <input type="hidden" name="bib" value="[% biblionumber | html %]">
         </fieldset>
     </div>
     <div class="modal-footer">
diff --git a/koha-tmpl/opac-tmpl/bootstrap/en/modules/opac-ISBDdetail.tt b/koha-tmpl/opac-tmpl/bootstrap/en/modules/opac-ISBDdetail.tt
index 108b9bfba0..42d5f79dc0 100644
--- a/koha-tmpl/opac-tmpl/bootstrap/en/modules/opac-ISBDdetail.tt
+++ b/koha-tmpl/opac-tmpl/bootstrap/en/modules/opac-ISBDdetail.tt
@@ -19,7 +19,7 @@
                     <div id="usermarcdetail">
                         <div id="catalogue_detail_biblio">
                             <div id="views">
-                                <span class="view"><a id="Normalview" href="/cgi-bin/koha/opac-detail.pl?biblionumber=[% biblionumber %]">Normal view</a></span> <span class="view"><a id="MARCview" href="/cgi-bin/koha/opac-MARCdetail.pl?biblionumber=[% biblionumber %]">MARC view</a></span> <span class="view current-view"><span id="ISBDview">ISBD view</span></span></div>
+                                <span class="view"><a id="Normalview" href="/cgi-bin/koha/opac-detail.pl?biblionumber=[% biblionumber | html %]">Normal view</a></span> <span class="view"><a id="MARCview" href="/cgi-bin/koha/opac-MARCdetail.pl?biblionumber=[% biblionumber | html %]">MARC view</a></span> <span class="view current-view"><span id="ISBDview">ISBD view</span></span></div>
 
                                 <div id="isbdcontents">[% ISBD %]</div>
 
diff --git a/koha-tmpl/opac-tmpl/bootstrap/en/modules/opac-MARCdetail.tt b/koha-tmpl/opac-tmpl/bootstrap/en/modules/opac-MARCdetail.tt
index 1f0680e7fa..db570b32a1 100644
--- a/koha-tmpl/opac-tmpl/bootstrap/en/modules/opac-MARCdetail.tt
+++ b/koha-tmpl/opac-tmpl/bootstrap/en/modules/opac-MARCdetail.tt
@@ -1,6 +1,6 @@
 [% USE Koha %]
 [% INCLUDE 'doc-head-open.inc' %]
-<title>[% IF ( LibraryNameTitle ) %][% LibraryNameTitle %][% ELSE %]Koha online[% END %] catalog &rsaquo;  MARC details for record no. [% biblionumber %]</title>
+<title>[% IF ( LibraryNameTitle ) %][% LibraryNameTitle %][% ELSE %]Koha online[% END %] catalog &rsaquo;  MARC details for record no. [% biblionumber | html %]</title>
 [% INCLUDE 'doc-head-close.inc' %]
 [% BLOCK cssinclude %][% END %]
 </head>
@@ -20,14 +20,14 @@
                         <div id="catalogue_detail_biblio">
 
                             <div id="views">
-                                <span class="view"><a id="Normalview" href="/cgi-bin/koha/opac-detail.pl?biblionumber=[% biblionumber %]">Normal view</a></span>
+                                <span class="view"><a id="Normalview" href="/cgi-bin/koha/opac-detail.pl?biblionumber=[% biblionumber | html %]">Normal view</a></span>
                                 <span class="view current-view"><span id="MARCview">MARC view</span></span>
-                                [% IF ( ISBD ) %]<span class="view"><a id="ISBDview"  href="/cgi-bin/koha/opac-ISBDdetail.pl?biblionumber=[% biblionumber %]">ISBD view</a></span>[% END %]
+                                [% IF ( ISBD ) %]<span class="view"><a id="ISBDview"  href="/cgi-bin/koha/opac-ISBDdetail.pl?biblionumber=[% biblionumber | html %]">ISBD view</a></span>[% END %]
                             </div>
-                            <h1 class="title">[% bibliotitle %] (Record no. [% biblionumber %])</h1>
+                            <h1 class="title">[% bibliotitle %] (Record no. [% biblionumber | html %])</h1>
 
                             [% IF ( OPACXSLTDetailsDisplay ) %]
-                                <div id="switchview_div">[ <a id="switchview" href="/cgi-bin/koha/opac-showmarc.pl?id=[% biblionumber %]&amp;viewas=html">view plain</a> ]</div>
+                                <div id="switchview_div">[ <a id="switchview" href="/cgi-bin/koha/opac-showmarc.pl?id=[% biblionumber | html %]&amp;viewas=html">view plain</a> ]</div>
                                 <div id="plainmarc"></div>
                             [% END %]
 
@@ -190,7 +190,7 @@ $(document).ready(function(){
             $(this).text(_("view labeled"));
             $("#labeledmarc").hide();
             if(!loaded){
-                $("#plainmarc").show().html("<div style=\"margin:1em;padding:1em;border:1px solid #EEE;font-size:150%;\"><img src=\"[% interface %]/[% theme %]/images/loading.gif\" /> "+_("Loading")+"...</div>").load("/cgi-bin/koha/opac-showmarc.pl","id=[% biblionumber %]&viewas=html");
+                $("#plainmarc").show().html("<div style=\"margin:1em;padding:1em;border:1px solid #EEE;font-size:150%;\"><img src=\"[% interface %]/[% theme %]/images/loading.gif\" /> "+_("Loading")+"...</div>").load("/cgi-bin/koha/opac-showmarc.pl","id=[% biblionumber | html %]&viewas=html");
                 loaded = 1;
             } else {
                 $("#plainmarc").show();
diff --git a/koha-tmpl/opac-tmpl/bootstrap/en/modules/opac-alert-subscribe.tt b/koha-tmpl/opac-tmpl/bootstrap/en/modules/opac-alert-subscribe.tt
index d4b79c5e3d..c4f581f337 100644
--- a/koha-tmpl/opac-tmpl/bootstrap/en/modules/opac-alert-subscribe.tt
+++ b/koha-tmpl/opac-tmpl/bootstrap/en/modules/opac-alert-subscribe.tt
@@ -10,7 +10,7 @@
     <div class="main">
         <ul class="breadcrumb">
             <li><a href="/cgi-bin/koha/opac-main.pl">Home</a> <span class="divider">&rsaquo;</span></li>
-            <li><a href="/cgi-bin/koha/opac-detail.pl?biblionumber=[% biblionumber %]">Details for [% bibliotitle %]</a> <span class="divider">&rsaquo;</span></li>
+            <li><a href="/cgi-bin/koha/opac-detail.pl?biblionumber=[% biblionumber | html %]">Details for [% bibliotitle %]</a> <span class="divider">&rsaquo;</span></li>
             <li><a href="#">[% IF ( typeissue ) %]Subscribe to a subscription alert [% ELSIF ( typeissuecancel ) %] Unsubscribe from a subscription alert [% END %]</a></li>
         </ul>
 
@@ -26,10 +26,10 @@
                                 [% IF ( notes ) %]<p>[% notes %]</p>[% END %]
                                 <input type="hidden" name="externalid" value="[% externalid %]">
                                 <input type="hidden" name="alerttype" value="issue">
-                                <input type="hidden" name="biblionumber" value="[% biblionumber %]">
+                                <input type="hidden" name="biblionumber" value="[% biblionumber | html %]">
                                 <input type="hidden" name="op" value="alert_confirmed">
                                 <input type="submit" class="btn" value="Yes">
-                                <a class="cancel" href="opac-serial-issues.pl?biblionumber=[% biblionumber %]" >No</a>
+                                <a class="cancel" href="opac-serial-issues.pl?biblionumber=[% biblionumber | html %]" >No</a>
                             </form>
                         [% END %]
                         [% IF ( typeissuecancel ) %]
@@ -40,10 +40,10 @@
                                 [% IF ( notes ) %]<p>[% notes %]</p>[% END %]
                                 <input type="hidden" name="externalid" value="[% externalid %]">
                                 <input type="hidden" name="alerttype" value="issue">
-                                <input type="hidden" name="biblionumber" value="[% biblionumber %]">
+                                <input type="hidden" name="biblionumber" value="[% biblionumber | html %]">
                                 <input type="hidden" name="op" value="cancel_confirmed">
                                 <input type="submit" value="Yes" class="btn">
-                                <a href="opac-serial-issues.pl?biblionumber=[% biblionumber %]" class="cancel">No</a>
+                                <a href="opac-serial-issues.pl?biblionumber=[% biblionumber | html %]" class="cancel">No</a>
                             </form>
                         [% END %]
                     </div> <!-- / #useralertsubscribe -->
diff --git a/koha-tmpl/opac-tmpl/bootstrap/en/modules/opac-detail.tt b/koha-tmpl/opac-tmpl/bootstrap/en/modules/opac-detail.tt
index bc18a6dac5..4c744e64d5 100644
--- a/koha-tmpl/opac-tmpl/bootstrap/en/modules/opac-detail.tt
+++ b/koha-tmpl/opac-tmpl/bootstrap/en/modules/opac-detail.tt
@@ -55,7 +55,7 @@
 
                     <div id="bookcover">
                     [% IF ( OPACLocalCoverImages ) %]
-                        <div title="[% biblionumber |url %]" class="[% biblionumber %]" id="local-thumbnail-preview"></div>
+                        <div title="[% biblionumber |url %]" class="[% biblionumber | html %]" id="local-thumbnail-preview"></div>
                     [% END %]
                     [% IF ( OPACAmazonCoverImages ) %]
                         [% IF ( OPACURLOpenInNewWindow ) %]
@@ -103,15 +103,15 @@
                     [% END %]
                     </div><!-- / #bookcover -->
 
-                    <abbr class="unapi-id" title="koha:biblionumber:[% biblionumber %]"><!-- unAPI --></abbr>
+                    <abbr class="unapi-id" title="koha:biblionumber:[% biblionumber | html %]"><!-- unAPI --></abbr>
                     [% IF ( ocoins ) # COinS / Openurl %]
                         <span class="Z3988" title="[% ocoins %]"></span>
                     [% END %]
 
                     <div id="views">
                         <span class="view current-view"><span id="Normalview">Normal view</span></span>
-                        <span class="view"><a id="MARCview" href="/cgi-bin/koha/opac-MARCdetail.pl?biblionumber=[% biblionumber %]">MARC view</a></span>
-                        [% IF ( ISBD ) %]<span class="view"><a id="ISBDview" href="/cgi-bin/koha/opac-ISBDdetail.pl?biblionumber=[% biblionumber %]">ISBD view</a></span>[% END %]
+                        <span class="view"><a id="MARCview" href="/cgi-bin/koha/opac-MARCdetail.pl?biblionumber=[% biblionumber | html %]">MARC view</a></span>
+                        [% IF ( ISBD ) %]<span class="view"><a id="ISBDview" href="/cgi-bin/koha/opac-ISBDdetail.pl?biblionumber=[% biblionumber | html %]">ISBD view</a></span>[% END %]
                     </div>
                     [% IF ( OPACXSLTDetailsDisplay ) %]
                         [% XSLTBloc %]
@@ -407,16 +407,16 @@
                             [% END %]
                             [% IF ( TagsInputEnabled ) %]
                                 [% IF ( loggedinusername ) %]
-                                    <form id="tagform[% biblionumber %]" method="post" action="/cgi-bin/koha/opac-tags.pl" style="display:none;">
-                                        <label for="newtag[% biblionumber %]">New tag(s), separated by a comma:</label>
-                                        <input name="newtag[% biblionumber %]" id="newtag[% biblionumber %]" maxlength="100" type="text"/>
-                                        <input name="tagbutton" class="btn btn-small tagbutton" title="[% biblionumber %]" type="submit" value="Add" />
-                                        <a class="cancel_tag_add" id="cancel[% biblionumber %]" href="#">(done)</a>
+                                    <form id="tagform[% biblionumber | html %]" method="post" action="/cgi-bin/koha/opac-tags.pl" style="display:none;">
+                                        <label for="newtag[% biblionumber | html %]">New tag(s), separated by a comma:</label>
+                                        <input name="newtag[% biblionumber | html %]" id="newtag[% biblionumber | html %]" maxlength="100" type="text"/>
+                                        <input name="tagbutton" class="btn btn-small tagbutton" title="[% biblionumber | html %]" type="submit" value="Add" />
+                                        <a class="cancel_tag_add" id="cancel[% biblionumber | html %]" href="#">(done)</a>
                                     </form>
-                                    <span id="newtag[% biblionumber %]_status" class="tagstatus" style="display:none;">
+                                    <span id="newtag[% biblionumber | html %]_status" class="tagstatus" style="display:none;">
                                         Tag status here.
                                     </span>
-                                    <a class="tag_add" id="tag_add[% biblionumber %]" href="#">Add tag(s)</a>
+                                    <a class="tag_add" id="tag_add[% biblionumber | html %]" href="#">Add tag(s)</a>
                                 [% ELSE %]
                                     <span id="login4tags">
                                         [% IF Koha.Preference('casAuthentication') %]
@@ -494,7 +494,7 @@
 
                                 <!-- define some hidden vars for ratings -->
 
-                                <input  type="hidden" name='biblionumber'  value="[% biblionumber %]" />
+                                <input  type="hidden" name='biblionumber'  value="[% biblionumber | html %]" />
                                 <input  type="hidden" name='rating_value' id='rating_value' value="[% rating_value %]" />
                                 <input  type="hidden" name='rating_total' id='rating_total' value="[% rating_total %]" />
                                 <input  type="hidden" name='rating_avg_int' id='rating_avg_int' value="[% rating_avg_int %]" />
@@ -650,7 +650,7 @@
 
                     <div id="holdings">
                         [% IF too_many_items %]
-                            <p>This record has many physical items ([% items_count %]). <a href="/cgi-bin/koha/opac-detail.pl?biblionumber=[% biblionumber %]&amp;viewallitems=1">Click here to view them all.</a></p>
+                            <p>This record has many physical items ([% items_count %]). <a href="/cgi-bin/koha/opac-detail.pl?biblionumber=[% biblionumber | html %]&amp;viewallitems=1">Click here to view them all.</a></p>
                         [% ELSIF ( itemloop.size ) %]
                             [% INCLUDE items_table items=itemloop tab="holdings" %]
                             [% IF Koha.Preference('OPACAcquisitionDetails') and Koha.Preference('AcqCreateItem') != 'ordering' and acquisition_details.total_quantity > 0 %]
@@ -863,7 +863,7 @@
                                     </table>
                                 [% END # / IF subscription.latestserials %]
                             [% END # / FOREACH subscriptions %]
-                            <p><a href="opac-serial-issues.pl?biblionumber=[% biblionumber %]">More details</a></p>
+                            <p><a href="opac-serial-issues.pl?biblionumber=[% biblionumber | html %]">More details</a></p>
                         </div> <!-- / #subscriptions -->
                     [% END # IF subscriptionsnumber %]
 
@@ -943,8 +943,13 @@
 
                                 [% IF ( loggedinusername ) %]
                                     [% UNLESS ( loggedincommenter ) %]
+<<<<<<< HEAD
                                        <div id="addcomment"> <a href="#" onclick="Dopop('/cgi-bin/koha/opac-review.pl?biblionumber=[% biblionumber %]'); return false;">
                                             Post or edit your comments on this item.
+=======
+                                       <div id="addcomment"> <a href="#" onclick="Dopop('/cgi-bin/koha/opac-review.pl?biblionumber=[% biblionumber | html %]'); return false;">
+                                            Post your comments on this item.
+>>>>>>> Bug 18726: Fix XSS at the OPAC - biblionumber
                                         </a></div>
                                     [% END %]
                                 [% ELSE %]
@@ -1015,7 +1020,7 @@
                                 <p>Click on an image to view it in the image viewer</p>
                                 [% FOREACH image IN localimages %]
                                     [% IF image %]
-                                        <a class="localimage" href="/cgi-bin/koha/opac-imageviewer.pl?biblionumber=[% biblionumber %]&amp;imagenumber=[% image %]"><img alt="" src="/cgi-bin/koha/opac-image.pl?thumbnail=1&amp;imagenumber=[% image %]" /></a>
+                                        <a class="localimage" href="/cgi-bin/koha/opac-imageviewer.pl?biblionumber=[% biblionumber | html %]&amp;imagenumber=[% image %]"><img alt="" src="/cgi-bin/koha/opac-image.pl?thumbnail=1&amp;imagenumber=[% image %]" /></a>
                                     [% END %]
                                 [% END %]
                             </div><!-- / #images -->
@@ -1593,7 +1598,7 @@
               $.post("/cgi-bin/koha/opac-ratings-ajax.pl", {
                 rating_old_value: $("#rating_value").attr("value"),
                 borrowernumber: "[% borrowernumber %]",
-                biblionumber: "[% biblionumber %]",
+                biblionumber: "[% biblionumber | html %]",
                 rating_value: value,
                 auth_error: value
               }, function (data) {
diff --git a/koha-tmpl/opac-tmpl/bootstrap/en/modules/opac-full-serial-issues.tt b/koha-tmpl/opac-tmpl/bootstrap/en/modules/opac-full-serial-issues.tt
index d538e55c36..5e81d2396a 100644
--- a/koha-tmpl/opac-tmpl/bootstrap/en/modules/opac-full-serial-issues.tt
+++ b/koha-tmpl/opac-tmpl/bootstrap/en/modules/opac-full-serial-issues.tt
@@ -16,7 +16,7 @@
     <div class="main">
         <ul class="breadcrumb">
             <li><a href="/cgi-bin/koha/opac-main.pl">Home</a> <span class="divider">&rsaquo;</span></li>
-            <li><a href="/cgi-bin/koha/opac-detail.pl?biblionumber=[% biblionumber %]">Details for [% bibliotitle %]</a> <span class="divider">&rsaquo;</span></li>
+            <li><a href="/cgi-bin/koha/opac-detail.pl?biblionumber=[% biblionumber | html %]">Details for [% bibliotitle %]</a> <span class="divider">&rsaquo;</span></li>
             <li><a href="#">Full subscription history</a></li>
         </ul>
 
@@ -48,8 +48,8 @@
                         [% UNLESS ( popup ) %]
                             <h2>Full subscription history for [% bibliotitle %]</h2>
                             <div id="views">
-                                <span class="view"><a id="Normalview" href="/cgi-bin/koha/opac-detail.pl?biblionumber=[% biblionumber %]">Normal view</a></span>
-                                <span class="view"><a id="Briefhistory" href="/cgi-bin/koha/opac-serial-issues.pl?biblionumber=[% biblionumber %]&amp;selectview=small">Brief history</a></span>
+                                <span class="view"><a id="Normalview" href="/cgi-bin/koha/opac-detail.pl?biblionumber=[% biblionumber | html %]">Normal view</a></span>
+                                <span class="view"><a id="Briefhistory" href="/cgi-bin/koha/opac-serial-issues.pl?biblionumber=[% biblionumber | html %]&amp;selectview=small">Brief history</a></span>
                                 <span class="view"><span id="Fullhistory">Full history</span></span>
                             </div>
                         [% END %]
diff --git a/koha-tmpl/opac-tmpl/bootstrap/en/modules/opac-serial-issues.tt b/koha-tmpl/opac-tmpl/bootstrap/en/modules/opac-serial-issues.tt
index 4517ffc44f..47e0a505b4 100644
--- a/koha-tmpl/opac-tmpl/bootstrap/en/modules/opac-serial-issues.tt
+++ b/koha-tmpl/opac-tmpl/bootstrap/en/modules/opac-serial-issues.tt
@@ -10,7 +10,7 @@
     <div class="main">
         <ul class="breadcrumb">
             <li><a href="/cgi-bin/koha/opac-main.pl">Home</a> <span class="divider">&rsaquo;</span></li>
-            <li><a href="/cgi-bin/koha/opac-detail.pl?biblionumber=[% biblionumber %]">Details for [% bibliotitle %]</a> <span class="divider">&rsaquo;</span></li>
+            <li><a href="/cgi-bin/koha/opac-detail.pl?biblionumber=[% biblionumber | html %]">Details for [% bibliotitle %]</a> <span class="divider">&rsaquo;</span></li>
             <li><a href="#">Issues for a subscription</a></li>
         </ul>
 
-- 
2.39.5