From a55ff7fe8703e765c6ee5c3d0a1df063447a7ef2 Mon Sep 17 00:00:00 2001
From: Owen Leonard
Date: Tue, 11 Aug 2020 12:57:48 +0000
Subject: [PATCH] Bug 26102: Prevent XSS when To.json is used: catalogue/results.tt
To test, perform a search in the catalogue and verify that search term highlighting works correctly.
Signed-off-by: Nick Clemens
Signed-off-by: Katrin Fischer
Signed-off-by: Fridolin Somers
---
 koha-tmpl/intranet-tmpl/prog/en/modules/catalogue/results.tt | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/koha-tmpl/intranet-tmpl/prog/en/modules/catalogue/results.tt b/koha-tmpl/intranet-tmpl/prog/en/modules/catalogue/results.tt
index 4115ddacf7..59def93d62 100644
--- a/koha-tmpl/intranet-tmpl/prog/en/modules/catalogue/results.tt
+++ b/koha-tmpl/intranet-tmpl/prog/en/modules/catalogue/results.tt
@@ -725,7 +725,7 @@
 [%- END -%]
 var search_result = {
- query_desc: "[% To.json( query_desc ) | $raw %]",
+ query_desc: "[% To.json( query_desc ) | html %]",
 query_cgi: "[% query_cgi | html %]",
 limit_cgi: "[% limit_cgi | html %]",
 sort_cgi: "[% sort_cgi | html %]",
-- 2.39.5
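Review bot: The new `query_desc` line double-wraps the value: `To.json` already emits a quoted JSON string, the template adds a second pair of quotes around it, and `| html` then turns the inner quotes (and any `&`, `<`, `>`) into entities that a `<script>` block does not decode, so `search_result.query_desc` would read `&quot;…&quot;` unless the highlighter decodes entities itself; that consumer is outside the hunk, so this is inferred rather than visible. The sibling keys on the following lines (`query_cgi`, `limit_cgi`, `sort_cgi`) pass the bare value through `| html`, which already blocks the `</script>` break-out that motivated the commit, so the consistent form is `query_desc: "[% query_desc | html %]",`. If the JSON form is genuinely needed by the reader, a short comment on the line stating which decoding the JS side performs would keep the next maintainer from restoring `$raw`. The `search_result` object literal continues past the end of the hunk.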