We should be on the safe side without this patch because shelfnumber and
type come from the DB and are integer or varchar. It may be better to
show good examples to start, and escape everything anyway.
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Signed-off-by: Owen Leonard <oleonard@myacpl.org>
Signed-off-by: Josef Moravec <josef.moravec@gmail.com>
Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
[% BLOCK action_form -%]
[%~ SET action_block = '' ~%]
[%~ IF can_manage_shelf OR can_delete_shelf ~%]
+ [%~ shelfnumber = shelfnumber | html ~%]
+ [%~ type = type | html ~%]
[%~ IF can_manage_shelf ~%]
[%~ action_block = '<form action="shelves.pl" method="get">' ~%]
[%~ action_block = action_block _ '<input type="hidden" name="shelfnumber" value="' _ shelfnumber _ '" />' ~%]
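Review bot: The two added lines overwrite `shelfnumber` and `type` in place with their HTML-escaped values, so any later use of those variables inside the block that applies `| html` again (or needs the raw value, e.g. for a comparison or a URL parameter) will see an already-escaped string and double-escape it; assigning to distinct names, e.g. `[%~ SET shelfnumber_html = shelfnumber | html ~%]` and `[%~ SET type_html = type | html ~%]`, and using those in the `action_block` string concatenation keeps the originals intact. Note also that if `action_form` is invoked with `PROCESS` rather than `INCLUDE`, Template Toolkit does not localise variables, so the reassignment would leak back into the caller's scope; the separate names avoid that as well.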