From 6b053546add6fa9d002d757e5b493e68506e5290 Mon Sep 17 00:00:00 2001
From: Jonathan Druart
Date: Sat, 29 Sep 2018 11:24:19 -0300
Subject: [PATCH] Bug 21418: Html escape the 2 variables

We should be on the safe side without this patch because shelfnumber and type comes from the DB and are integer or varchar. It may be better to show good examples to start, and escape everything anyway.

Signed-off-by: Jonathan Druart
Signed-off-by: Owen Leonard
Signed-off-by: Josef Moravec
Signed-off-by: Nick Clemens
---
 .../prog/en/modules/virtualshelves/tables/shelves_results.tt | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/koha-tmpl/intranet-tmpl/prog/en/modules/virtualshelves/tables/shelves_results.tt b/koha-tmpl/intranet-tmpl/prog/en/modules/virtualshelves/tables/shelves_results.tt
index fde5544390..db4ed8e7f9 100644
--- a/koha-tmpl/intranet-tmpl/prog/en/modules/virtualshelves/tables/shelves_results.tt
+++ b/koha-tmpl/intranet-tmpl/prog/en/modules/virtualshelves/tables/shelves_results.tt
@@ -34,6 +34,8 @@
 [% BLOCK action_form -%]
 [%~ SET action_block = '' ~%]
 [%~ IF can_manage_shelf OR can_delete_shelf ~%]
+ [%~ shelfnumber = shelfnumber | html ~%]
+ [%~ type = type | html ~%]
 [%~ IF can_manage_shelf ~%]
 [%~ action_block = '
' ~%]
 [%~ action_block = action_block _ '' ~%]
-- 
2.39.5
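Review bot: The two added assignments overwrite `shelfnumber` and `type` with their HTML-escaped form for the rest of `action_form`, so any later use of either value in a non-HTML context (a query string, a script) would need `uri` or `js` instead and no longer has the raw value to hand; a comment at the assignments should record that, e.g. `[%# Escape once: both values are concatenated into HTML attribute values below; use uri/js instead if they are ever placed in a URL or script %]`. It is also worth confirming with a one-line template that the postfix `| html` on an assignment binds to the assigned value rather than to the (empty) output of the SET directive, since if it does not the patch is a no-op and the escaping has to move to the points of use. Values read from the database are not inherently safe (a stored payload would reach this markup unchanged), so the escaping is needed rather than merely cosmetic. The `action_form` block ends outside the hunk, and the concatenated markup on its last two lines appears garbled in this rendering.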