Adding |html to [% resultsperpage %] to escape the variable and get rid of the alert.
To test:
1) Go to URL such as ... /cgi-bin/koha/opac-authorities-home.pl?op=do_search&resultsperpage=1%22%3E%3Cscript%3Ealert%28document.cookie%29%3C/script%3E
2) Notice pop-up box with alert
3) Apply patch, refresh page
4) Notice alert is gone
Signed-off-by: Katrin Fischer <Katrin.Fischer.83@web.de>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Signed-off-by: Tomas Cohen Arazi <tomascohen@gmail.com>
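
The effect of the |html filter described in the commit message, as an added example that is not part of the patch or of Koha's code: it renders the test plan's resultsperpage value through Template Toolkit with and without the filter. The hidden-input fragment is a constructed stand-in; the real template markup is not shown on this page.

```perl
#!/usr/bin/perl
# Added illustration, not Koha code. The template fragments are constructed
# stand-ins for wherever the OPAC template prints resultsperpage.
use strict;
use warnings;
use Template;

# Query-string value from the test plan, still percent-encoded.
my $raw = '1%22%3E%3Cscript%3Ealert%28document.cookie%29%3C/script%3E';

# Decode it the way the CGI layer would before handing it to the template.
(my $resultsperpage = $raw) =~ s/%([0-9A-Fa-f]{2})/chr(hex($1))/ge;

my %fragments = (
    unfiltered => '<input type="hidden" name="resultsperpage" value="[% resultsperpage %]" />',
    filtered   => '<input type="hidden" name="resultsperpage" value="[% resultsperpage | html %]" />',
);

my $tt = Template->new or die Template->error;

for my $name (qw(unfiltered filtered)) {
    my $out = '';
    $tt->process(\$fragments{$name}, { resultsperpage => $resultsperpage }, \$out)
        or die $tt->error;

    # Pull out everything rendered between value=" and the fragment's closing " />.
    my ($value) = $out =~ /value="(.*)" \/>\z/s
        or die "unexpected rendering: $out";

    # A raw quote or angle bracket in the value means it left the attribute.
    my $verdict = $value =~ /["<>]/
        ? 'value breaks out of the attribute'
        : 'value stays inside the attribute';

    print "$name:\n  $out\n  -> $verdict\n";
}
```

The html filter encodes &, <, > and the double quote, which is why the filtered rendering keeps the whole value inside the attribute.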