From c3007b163a476906cff96950f69e2d6198bcdecb Mon Sep 17 00:00:00 2001
From: Owen Leonard <oleonard@myacpl.org>
Date: Wed, 25 Feb 2009 08:38:37 -0600
Subject: [PATCH] Using "escape=html" on TMPL_VAR containing SQL to prevent
 HTML from breaking when SQL includes double-quotes.

Signed-off-by: Galen Charlton <galen.charlton@liblime.com>
---
 .../en/modules/reports/guided_reports_start.tmpl     | 12 ++++++++----
 1 file changed, 8 insertions(+), 4 deletions(-)

diff --git a/koha-tmpl/intranet-tmpl/prog/en/modules/reports/guided_reports_start.tmpl b/koha-tmpl/intranet-tmpl/prog/en/modules/reports/guided_reports_start.tmpl
index 7b09bfcf6d..cc4eea6fa2 100644
--- a/koha-tmpl/intranet-tmpl/prog/en/modules/reports/guided_reports_start.tmpl
+++ b/koha-tmpl/intranet-tmpl/prog/en/modules/reports/guided_reports_start.tmpl
@@ -343,7 +343,7 @@ NAME="name" -->"><!-- TMPL_VAR NAME="name"--></label></td><td>
 </p>
 
 <form action="/cgi-bin/koha/reports/guided_reports.pl" method="post">
-<input type="hidden" name="sql" value="<!-- TMPL_VAR NAME="sql" -->" />
+<input type="hidden" name="sql" value="<!-- TMPL_VAR NAME="sql" ESCAPE="html" -->" />
 <input type="hidden" name="type" value="<!-- TMPL_VAR NAME="type" -->" />
 <p>You will need to save the report before you can execute it</p>
 <fieldset class="action"><input type="hidden" name="phase" value="Save" />  
@@ -353,7 +353,7 @@ NAME="name" -->"><!-- TMPL_VAR NAME="name"--></label></td><td>
 
 <!-- TMPL_IF NAME="save" -->
 <form action="/cgi-bin/koha/reports/guided_reports.pl" method="post">
-<input type="hidden" name="sql" value="<!-- TMPL_VAR NAME="sql" -->" />
+<input type="hidden" name="sql" value="<!-- TMPL_VAR NAME="sql" ESCAPE="html" -->" />
 <input type="hidden" name="type" value="<!-- TMPL_VAR NAME="type" -->" />
 <fieldset class="rows">
 <legend>Save Your Custom Report</legend>
@@ -501,8 +501,12 @@ Sub report:<select name="subreport">
     <!-- /TMPL_IF -->
 <!-- /TMPL_LOOP -->
 </div>
-<fieldset class="action"><input type="hidden" name="phase" value="Use saved" />
-<input type="submit" name="submit" value="Saved Reports" /></fieldset>
+<input type="hidden" name="sql" value="<!-- TMPL_VAR NAME="sql" ESCAPE="html" -->" />
+<input type="hidden" name="reportname" value="<!-- TMPL_VAR NAME="reportname" -->" />
+<input type="hidden" name="type" value="<!-- TMPL_VAR NAME="type" -->" />
+<input type="hidden" name="notes" value="<!-- TMPL_VAR NAME="notes" -->" />
+<fieldset class="action"><input type="hidden" name="phase" value="Create report from SQL" />
+<input type="submit" name="submit" value="Edit SQL" /></fieldset>
 </form>
 <!-- /TMPL_IF -->
 
-- 
2.20.1