From 41f52e2d298a75e5aa0ca55c829cc5d10ca88bbe Mon Sep 17 00:00:00 2001
From: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Date: Wed, 1 May 2019 20:28:04 -0400
Subject: [PATCH] Bug 22781: Escape cardnumber, category's description,
 library's name and dateexpiry

This will fix the previous failure. Note that other fields like
borrowernumber, Price escaped values, integers, etc. could be escaped
the same way but will be useless (save polar bears).

Signed-off-by: Liz Rea <wizzyrea@gmail.com>

Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>

Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
(cherry picked from commit 3a3057545c56f4f1a41fcd7643265204844cd2d3)
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>

 Conflicts:
	koha-tmpl/intranet-tmpl/prog/en/modules/members/tables/members_results.tt

Signed-off-by: Liz Rea <liz@bywatersolutions.com>
---
 .../prog/en/modules/members/tables/members_results.tt     | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/koha-tmpl/intranet-tmpl/prog/en/modules/members/tables/members_results.tt b/koha-tmpl/intranet-tmpl/prog/en/modules/members/tables/members_results.tt
index e7bb6914fe..bb0e17624a 100644
--- a/koha-tmpl/intranet-tmpl/prog/en/modules/members/tables/members_results.tt
+++ b/koha-tmpl/intranet-tmpl/prog/en/modules/members/tables/members_results.tt
@@ -14,17 +14,17 @@
                     "<input type='checkbox' class='selection' name='borrowernumber' value='[% data.borrowernumber %]' />",
                 [% END %]
                 "dt_cardnumber":
-                    "[% data.cardnumber | html %]",
+                    "[% data.cardnumber | html | $To %]",
                 "dt_name":
                     "<span style='white-space:nowrap'><a href='/cgi-bin/koha/members/moremember.pl?borrowernumber=[% data.borrowernumber %]'>[% INCLUDE 'patron-title.inc' borrowernumber = data.borrowernumber category_type = data.category_type firstname = To.json(data.firstname) surname = To.json(data.surname) othernames = To.json(data.othernames) invert_name = 1 %]</a><br />[% INCLUDE escape_address data = data %][% IF data.email %]<br/>Email: <a href='mailto:[% data.email | html %]'>[% data.email | html %]</a>[% END %]</span>",
     "dt_dateofbirth":
         "[% data.dateofbirth | $KohaDates %]",
                 "dt_category":
-                    "[% data.category_description |html %] ([% data.category_type |html %])",
+                    "[% data.category_description | html | $To %] ([% data.category_type | html | $To %])",
                 "dt_branch":
-                    "[% data.branchname |html %]",
+                    "[% data.branchname | html | $To %]",
                 "dt_dateexpiry":
-                    "[% data.dateexpiry %]",
+                    "[% data.dateexpiry | html | $To %]",
                 "dt_od_checkouts":
                     "[% IF data.overdues %]<span class='overdue'><strong>[% data.overdues %]</strong></span>[% ELSE %][% data.overdues %][% END %] / [% data.issues %]",
                 "dt_fines":
-- 
2.39.5