From 1f2b8c706a087ced6482ccd2ae4485d0a16bd24f Mon Sep 17 00:00:00 2001
From: Chris Hall
Date: Wed, 17 Oct 2012 14:32:19 +1300
Subject: [PATCH] bug 3652 fixing XSS vulnerabilities in opac-search

Signed-off-by: Mason James
Signed-off-by: Chris Cormack
---
 koha-tmpl/opac-tmpl/prog/en/modules/opac-results-grouped.tt | 2 +-
 koha-tmpl/opac-tmpl/prog/en/modules/opac-results.tt | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/koha-tmpl/opac-tmpl/prog/en/modules/opac-results-grouped.tt b/koha-tmpl/opac-tmpl/prog/en/modules/opac-results-grouped.tt
index f8755ad452..a739d4f7ff 100644
--- a/koha-tmpl/opac-tmpl/prog/en/modules/opac-results-grouped.tt
+++ b/koha-tmpl/opac-tmpl/prog/en/modules/opac-results-grouped.tt
@@ -56,7 +56,7 @@ $(document).ready(function(){
 return false;
 });
 [% IF ( query_desc ) %]
- var query_desc = "[% query_desc |replace("'", "\'") |replace('"', '\"') |replace('\n', '\\n') |replace('\r', '\\r') %]";
+ var query_desc = "[% query_desc |replace("'", "\'") |replace('\n', '\\n') |replace('\r', '\\r') |html %]";
 q_array = query_desc.split(" ");
 // ensure that we don't have "" at the end of the array, which can
 // break the highlighter
diff --git a/koha-tmpl/opac-tmpl/prog/en/modules/opac-results.tt b/koha-tmpl/opac-tmpl/prog/en/modules/opac-results.tt
index dfbeec560d..ef4a363ffb 100644
--- a/koha-tmpl/opac-tmpl/prog/en/modules/opac-results.tt
+++ b/koha-tmpl/opac-tmpl/prog/en/modules/opac-results.tt
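Review bot: The added line still leaves the backslash unescaped, so a query_desc ending in `\` turns the closing `"` of the literal into an escaped quote and leaves the string unterminated; with `<` and `"` now neutralised by `|html` that is a breakage of the highlighter rather than script injection, but it is worth closing. Note also that `|html` runs inside a `<script>` block, where the browser does not decode entities, so a `"` or `&` in the query reaches the highlighter as the literal text `&quot;` / `&amp;` and those terms are no longer highlighted. A JSON or JS-string escaping filter, if the template layer offers one, would cover quotes, backslashes, `</script>` and all line terminators (U+2028/U+2029 are not handled by the `\n`/`\r` replaces) in one step; otherwise add a backslash replacement ahead of the quote replacement. The same line is changed in opac-results.tt in the next hunk, and `$(document).ready` continues outside this hunk.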
@@ -201,7 +201,7 @@ $(document).ready(function(){
 [% END %]
 $("#holdDetails").hide();
-[% IF ( query_desc ) %][% IF ( OpacHighlightedWords ) %]var query_desc = "[% query_desc |replace("'", "\'") |replace('"', '\"') |replace('\n', '\\n') |replace('\r', '\\r') %]";
+[% IF ( query_desc ) %][% IF ( OpacHighlightedWords ) %]var query_desc = "[% query_desc |replace("'", "\'") |replace('\n', '\\n') |replace('\r', '\\r') |html %]";
 q_array = query_desc.split(" ");
 // ensure that we don't have "" at the end of the array, which can
 // break the highlighter
-- 
2.39.5