From d2de76d60d7369e26e8c3f806b9bdcdb6eeaa4fd Mon Sep 17 00:00:00 2001
From: Chris Hall
Date: Wed, 17 Oct 2012 14:32:19 +1300
Subject: [PATCH] bug 3652 fixing XSS vulnerabilities in opac-search

Signed-off-by: Mason James
Signed-off-by: Paul Poulain
---
 koha-tmpl/opac-tmpl/prog/en/modules/opac-detail.tt | 2 +-
 koha-tmpl/opac-tmpl/prog/en/modules/opac-results-grouped.tt | 2 +-
 koha-tmpl/opac-tmpl/prog/en/modules/opac-results.tt | 2 +-
 3 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/koha-tmpl/opac-tmpl/prog/en/modules/opac-detail.tt b/koha-tmpl/opac-tmpl/prog/en/modules/opac-detail.tt
index f740488d94..39a4e95e88 100644
--- a/koha-tmpl/opac-tmpl/prog/en/modules/opac-detail.tt
+++ b/koha-tmpl/opac-tmpl/prog/en/modules/opac-detail.tt
@@ -63,7 +63,7 @@
 widgets : ['zebra'],
 sortList: [[0,0]]
 });
- [% IF ( query_desc ) %][% IF ( OpacHighlightedWords ) %]var query_desc = "[% query_desc |replace("'", "\'") |replace('"', '\"') |replace('\n', '\\n') |replace('\r', '\\r') %]";
+ [% IF ( query_desc ) %][% IF ( OpacHighlightedWords ) %]var query_desc = "[% query_desc |replace("'", "\'") |replace('\n', '\\n') |replace('\r', '\\r') |html %]";
 q_array = query_desc.split(" ");
 highlightOn();
 $("#highlight_toggle_on" ).hide().click(function() {highlightOn() ; return false;});
diff --git a/koha-tmpl/opac-tmpl/prog/en/modules/opac-results-grouped.tt b/koha-tmpl/opac-tmpl/prog/en/modules/opac-results-grouped.tt
index 86e1a088be..222d841eb9 100644
--- a/koha-tmpl/opac-tmpl/prog/en/modules/opac-results-grouped.tt
+++ b/koha-tmpl/opac-tmpl/prog/en/modules/opac-results-grouped.tt
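Review bot: The `|html` filter on the new `query_desc` line encodes for an HTML-text context, but the value is written into a double-quoted JavaScript string literal inside a script block, so the wrong encoder is applied: `"` and `<` become entities, which does block the quote-breakout and `</script>` cases, but the backslash is passed through untouched, so a value ending in `\` escapes the closing quote and leaves the literal unterminated (from the visible lines this is a script error on the page rather than an injection, since the characters that follow are also entity-encoded). The entity forms also leak into the runtime value: a search for `AT&T` arrives as `AT&amp;T`, and because `q_array = query_desc.split(" ")` feeds the highlighter, terms containing `&`, `<`, `>` or `"` will no longer match the page text. Encoding for the actual context — escape `\` first, then the quotes, `<`, `/` and the line terminators including U+2028/U+2029 as `\uXXXX` sequences — or emitting the value as a JSON string literal would keep the decoded value intact and make the `|replace('\n', '\\n') |replace('\r', '\\r')` chain unnecessary. The same pattern applies to the hunks in opac-results-grouped.tt and opac-results.tt.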
@@ -62,7 +62,7 @@ $(document).ready(function(){
 return false;
 });
 [% IF ( query_desc ) %]
- var query_desc = "[% query_desc |replace("'", "\'") |replace('"', '\"') |replace('\n', '\\n') |replace('\r', '\\r') %]";
+ var query_desc = "[% query_desc |replace("'", "\'") |replace('\n', '\\n') |replace('\r', '\\r') |html %]";
 q_array = query_desc.split(" ");
 // ensure that we don't have "" at the end of the array, which can
 // break the highlighter
diff --git a/koha-tmpl/opac-tmpl/prog/en/modules/opac-results.tt b/koha-tmpl/opac-tmpl/prog/en/modules/opac-results.tt
index a3c09e2966..95ed896c2d 100644
--- a/koha-tmpl/opac-tmpl/prog/en/modules/opac-results.tt
+++ b/koha-tmpl/opac-tmpl/prog/en/modules/opac-results.tt
@@ -207,7 +207,7 @@ $(document).ready(function(){
 [% END %]
 $("#holdDetails").hide();
-[% IF ( query_desc ) %][% IF ( OpacHighlightedWords ) %]var query_desc = "[% query_desc |replace("'", "\'") |replace('"', '\"') |replace('\n', '\\n') |replace('\r', '\\r') %]";
+[% IF ( query_desc ) %][% IF ( OpacHighlightedWords ) %]var query_desc = "[% query_desc |replace("'", "\'") |replace('\n', '\\n') |replace('\r', '\\r') |html %]";
 q_array = query_desc.split(" ");
 // ensure that we don't have "" at the end of the array, which can
 // break the highlighter
-- 
2.20.1