LP#1822630: sanitize user input before display on browse results

Signed-off-by: Jeff Davis <jdavis@sitka.bclibraries.ca>
Signed-off-by: Chris Sharp <csharp@georgialibraries.org>
Signed-off-by: Jason Stephenson <jason@sigio.com>
Signed-off-by: Galen Charlton <gmc@equinoxinitiative.org>

diff --git a/Open-ILS/src/templates/opac/browse.tt2 b/Open-ILS/src/templates/opac/browse.tt2
index 21c3e65..97a8c0c 100644 (file)
--- a/Open-ILS/src/templates/opac/browse.tt2
+++ b/Open-ILS/src/templates/opac/browse.tt2
@@ -46,7 +46,7 @@
                 <div id="browse-controls" class='searchbar'>
                     <form method="get" onsubmit="$('browse-submit-spinner').className = ''; return true">
                         <input type="hidden" name="blimit"
-                            value="[% blimit %]" />
+                            value="[% blimit | html %]" />
 
                         [% control_qtype = INCLUDE "opac/parts/qtype_selector.tt2"
                             id="browse-search-class" browse_only=1 plural=1 %]