Bug 21418: Html escape the 2 variables
author Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Sat, 29 Sep 2018 14:24:19 +0000 (11:24 -0300)
committer Nick Clemens <nick@bywatersolutions.com>
Wed, 3 Oct 2018 17:20:16 +0000 (17:20 +0000)
We should be on the safe side without this patch because shelfnumber and
type come from the DB and are integers or varchars. It may be better to
show good examples to start, and escape everything anyway.

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Signed-off-by: Owen Leonard <oleonard@myacpl.org>
Signed-off-by: Josef Moravec <josef.moravec@gmail.com>
Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
koha-tmpl/intranet-tmpl/prog/en/modules/virtualshelves/tables/shelves_results.tt

index fde5544..db4ed8e 100644 (file)
@@ -34,6 +34,8 @@
 [% BLOCK action_form -%]
 [%~ SET action_block = '' ~%]
 [%~ IF can_manage_shelf OR can_delete_shelf ~%]
+    [%~ shelfnumber = shelfnumber | html ~%]
+    [%~ type        = type | html ~%]
     [%~ IF can_manage_shelf ~%]
         [%~ action_block =                '<form action="shelves.pl" method="get">' ~%]
         [%~ action_block = action_block _ '<input type="hidden" name="shelfnumber" value="' _ shelfnumber  _ '" />' ~%]
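Review bot: the reassignments `shelfnumber = shelfnumber | html` and `type = type | html` at the top of the `IF can_manage_shelf OR can_delete_shelf` branch overwrite the variables in place, so anything that reads shelfnumber or type after this block in the same scope (a PROCESSed BLOCK does not localise assignments in Template Toolkit) gets the raw value when the user lacks those permissions and an already-escaped value when the user has them, and a caller that applies `| html` again would double-escape. Consider writing to fresh names (for example `shelfnumber_html` and `type_html`) and using those in the `action_block` string, or escaping at each interpolation point. One caveat worth a comment in the hunk: TT's html filter escapes `&`, `<`, `>` and `"` but not `'`, which is sufficient for the double-quoted `value="..."` attribute built on the last line, so keep the generated attributes double-quoted.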