From 73676f951854762c593459bbc986dea295f32e76 Mon Sep 17 00:00:00 2001
From: Owen Leonard
Date: Tue, 11 Aug 2020 12:57:48 +0000
Subject: [PATCH] Bug 26102: Prevent XSS when To.json is used: catalogue/results.tt

To test, perform a search in the catalogue and verify that search term highlighting works correctly.

Signed-off-by: Nick Clemens
Signed-off-by: Katrin Fischer
Signed-off-by: Andrew Fuerste-Henry
---
 koha-tmpl/intranet-tmpl/prog/en/modules/catalogue/results.tt | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/koha-tmpl/intranet-tmpl/prog/en/modules/catalogue/results.tt b/koha-tmpl/intranet-tmpl/prog/en/modules/catalogue/results.tt
index 4764f4f409..10fa17062e 100644
--- a/koha-tmpl/intranet-tmpl/prog/en/modules/catalogue/results.tt
+++ b/koha-tmpl/intranet-tmpl/prog/en/modules/catalogue/results.tt
@@ -768,7 +768,7 @@ [%- END -%]
 var search_result = {
- query_desc: "[% To.json( query_desc ) | $raw %]",
+ query_desc: "[% To.json( query_desc ) | html %]",
 query_cgi: "[% query_cgi | html %]",
 limit_cgi: "[% limit_cgi | html %]",
 sort_cgi: "[% sort_cgi | html %]",
--
2.39.5
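Review bot: After the filter change on the `query_desc` line, `search_result.query_desc` no longer holds the search description but a double-encoded form of it: To.json already emits the surrounding double quotes and JSON escapes, and `| html` then rewrites every `"`, `&`, `<` and `>` into entities, so inside the template's own `"…"` the page defines a string that begins and ends with `&quot;`. Any consumer that splits or highlights on this value has to strip the outer JSON quotes and decode entities first; that consumer lies outside the hunk, so I cannot confirm it does, and if it does not, highlighting would silently work only for terms free of those characters, which is exactly what the commit message asks testers to check by hand. Entity-encoding inside the JS string literal is still the right escape for this context (raw JSON output is presumably what allowed script breakout before), so rather than reverting I would make the value's shape visible on the line: `// query_desc is a JSON-encoded, HTML-escaped string; decode entities before using it`.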