From 1c9e6f16e73f87d84311d6b4a4361d9ca8cfc7a8 Mon Sep 17 00:00:00 2001
From: Owen Leonard <oleonard@myacpl.org>
Date: Wed, 25 Feb 2009 08:38:37 -0600
Subject: [PATCH] Using "escape=html" on TMPL_VAR containing SQL to prevent
 HTML from breaking when SQL includes double-quotes.

Signed-off-by: Galen Charlton <galen.charlton@liblime.com>
---
 .../prog/en/modules/reports/guided_reports_start.tmpl     | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/koha-tmpl/intranet-tmpl/prog/en/modules/reports/guided_reports_start.tmpl b/koha-tmpl/intranet-tmpl/prog/en/modules/reports/guided_reports_start.tmpl
index a0450e31ae..bc45328ad0 100644
--- a/koha-tmpl/intranet-tmpl/prog/en/modules/reports/guided_reports_start.tmpl
+++ b/koha-tmpl/intranet-tmpl/prog/en/modules/reports/guided_reports_start.tmpl
@@ -333,7 +333,7 @@ NAME="name" -->"><!-- TMPL_VAR NAME="name"--></label></td><td>
 </p>
 
 <form action="/cgi-bin/koha/reports/guided_reports.pl" method="post">
-<input type="hidden" name="sql" value="<!-- TMPL_VAR NAME="sql" -->" />
+<input type="hidden" name="sql" value="<!-- TMPL_VAR NAME="sql" ESCAPE="html" -->" />
 <input type="hidden" name="type" value="<!-- TMPL_VAR NAME="type" -->" />
 <p>You will need to save the report before you can execute it</p>
 <fieldset class="action"><input type="hidden" name="phase" value="Save" />  
@@ -343,7 +343,7 @@ NAME="name" -->"><!-- TMPL_VAR NAME="name"--></label></td><td>
 
 <!-- TMPL_IF NAME="save" -->
 <form action="/cgi-bin/koha/reports/guided_reports.pl" method="post">
-<input type="hidden" name="sql" value="<!-- TMPL_VAR NAME="sql" -->" />
+<input type="hidden" name="sql" value="<!-- TMPL_VAR NAME="sql" ESCAPE="html" -->" />
 <input type="hidden" name="type" value="<!-- TMPL_VAR NAME="type" -->" />
 <fieldset class="rows">
 <legend>Save Your Custom Report</legend>
@@ -373,7 +373,7 @@ NAME="name" -->"><!-- TMPL_VAR NAME="name"--></label></td><td>
 <option value="csv">Comma Separated Text</option>
 <option value="tab">Tab Separated Text</option>
 </select>
-<input type="hidden" name="sql" value="<!-- TMPL_VAR NAME="sql" -->" />
+<input type="hidden" name="sql" value="<!-- TMPL_VAR NAME="sql" ESCAPE="html" -->" />
 <input type="hidden" name="phase" value="Export" />
 <input type="submit" name="submit" value="Download" /></fieldset>
 </form>
@@ -472,7 +472,7 @@ Sub report:<select name="subreport">
 <!-- /TMPL_IF -->
 <!-- /TMPL_LOOP -->
 </div>
-<input type="hidden" name="sql" value="<!-- TMPL_VAR NAME="sql" -->" />
+<input type="hidden" name="sql" value="<!-- TMPL_VAR NAME="sql" ESCAPE="html" -->" />
 <input type="hidden" name="reportname" value="<!-- TMPL_VAR NAME="reportname" -->" />
 <input type="hidden" name="type" value="<!-- TMPL_VAR NAME="type" -->" />
 <input type="hidden" name="notes" value="<!-- TMPL_VAR NAME="notes" -->" />
-- 
2.20.1