From 6b053546add6fa9d002d757e5b493e68506e5290 Mon Sep 17 00:00:00 2001
From: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Date: Sat, 29 Sep 2018 11:24:19 -0300
Subject: [PATCH] Bug 21418: Html escape the 2 variables

We should be on the safe side without this patch because shelfnumber and
type comes from the DB and are integer or varchar. It may be better to
show good examples to start, and escape everything anyway.

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>

Signed-off-by: Owen Leonard <oleonard@myacpl.org>

Signed-off-by: Josef Moravec <josef.moravec@gmail.com>

Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
---
 .../prog/en/modules/virtualshelves/tables/shelves_results.tt    | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/koha-tmpl/intranet-tmpl/prog/en/modules/virtualshelves/tables/shelves_results.tt b/koha-tmpl/intranet-tmpl/prog/en/modules/virtualshelves/tables/shelves_results.tt
index fde5544390..db4ed8e7f9 100644
--- a/koha-tmpl/intranet-tmpl/prog/en/modules/virtualshelves/tables/shelves_results.tt
+++ b/koha-tmpl/intranet-tmpl/prog/en/modules/virtualshelves/tables/shelves_results.tt
@@ -34,6 +34,8 @@
 [% BLOCK action_form -%]
 [%~ SET action_block = '' ~%]
 [%~ IF can_manage_shelf OR can_delete_shelf ~%]
+    [%~ shelfnumber = shelfnumber | html ~%]
+    [%~ type        = type | html ~%]
     [%~ IF can_manage_shelf ~%]
         [%~ action_block =                '<form action="shelves.pl" method="get">' ~%]
         [%~ action_block = action_block _ '<input type="hidden" name="shelfnumber" value="' _ shelfnumber  _ '" />' ~%]
-- 
2.39.5