Two parameters are now escaped in title (html element):
- query_desc
- limit_desc
This is a security correction against XSS.
Signed-off-by: Owen Leonard <oleonard@myacpl.org>
Signed-off-by: Paul Poulain <paul.poulain@biblibre.com>
[% INCLUDE 'doc-head-open.inc' %]
-<title>Koha › Catalog › [% IF ( searchdesc ) %]Results of Search [% IF ( query_desc ) %]for '[% query_desc %]'[% END %][% IF ( limit_desc ) %] with limit(s): '[% limit_desc %]'[% END %][% ELSE %]You did not specify any search criteria[% END %]</title>
+<title>Koha › Catalog › [% IF ( searchdesc ) %]Results of Search [% IF ( query_desc ) %]for '[% query_desc | html %]'[% END %][% IF ( limit_desc ) %] with limit(s): '[% limit_desc | html %]'[% END %][% ELSE %]You did not specify any search criteria[% END %]</title>
[% INCLUDE 'doc-head-close.inc' %]
<script type="text/javascript" src="/intranet-tmpl/prog/en/lib/jquery/plugins/jquery.highlight-3.js"></script>
<script type="text/javascript">
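Review bot: The `| html` filter on `query_desc` and `limit_desc` in the `<title>` looks correct, but this hunk only covers the head of the template; the same two variables are normally echoed again in the results heading of the page body, so please confirm those outputs carry the same filter, otherwise the XSS is only closed in one of the places it is rendered.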
[% INCLUDE 'doc-head-open.inc' %]
[% IF ( LibraryNameTitle ) %][% LibraryNameTitle %][% ELSE %]Koha Online[% END %] Catalog ›
[% IF ( searchdesc ) %]
- Results of Search [% IF ( query_desc ) %]for '[% query_desc %]'[% END %][% IF ( limit_desc ) %] with limit(s): '[% limit_desc %]'[% END %]
+ Results of Search [% IF ( query_desc ) %]for '[% query_desc | html %]'[% END %][% IF ( limit_desc ) %] with limit(s): '[% limit_desc | html %]'[% END %]
[% ELSE %]
You did not specify any search criteria.
[% END %]
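Review bot: The unchanged context line `[% IF ( LibraryNameTitle ) %][% LibraryNameTitle %][% ELSE %]Koha Online[% END %] Catalog ›` still emits `LibraryNameTitle` unfiltered into the same title. It is an administrator-set preference rather than a request parameter, so the risk is lower, but applying `| html` there too would keep every value in this `<title>` escaped consistently.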
[% INCLUDE 'doc-head-open.inc' %]
[% IF ( LibraryNameTitle ) %][% LibraryNameTitle %][% ELSE %]Koha Online[% END %] Catalog ›
[% IF ( searchdesc ) %]
- Results of Search [% IF ( query_desc ) %]for '[% query_desc %]'[% END %][% IF ( limit_desc ) %] with limit(s): '[% limit_desc %]'[% END %]
+ Results of Search [% IF ( query_desc ) %]for '[% query_desc | html%]'[% END %][% IF ( limit_desc ) %] with limit(s): '[% limit_desc | html %]'[% END %]
[% ELSE %]
You did not specify any search criteria.
[% END %]
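Review bot: In the added line, `[% query_desc | html%]` is missing the space before `%]`; Template Toolkit will still parse it, but the other two hunks write `[% query_desc | html %]`, so please use the same spelling here so the three templates stay grep-consistent when the filters are audited later.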