LP#1822630: further sanitizing of CGI params when embedded in HTML
[working/Evergreen.git] / Open-ILS / src / templates / opac / parts / ebook_api / base_js.tt2
index d5ba0f4..668b5fa 100644 (file)
@@ -45,13 +45,13 @@ dojo.forEach(vendor_list, function(v) {
 // essential info for performing a transaction
 var ebook_action = {};
 [%- IF CGI.param("action").defined %]
-ebook_action.type = '[% CGI.param("action") %]';
+ebook_action.type = '[% CGI.param("action") | html %]';
 [%- END -%]
 [%- IF CGI.param("title").defined %]
-ebook_action.title_id = '[% CGI.param("title") %]';
+ebook_action.title_id = '[% CGI.param("title") | html %]';
 [%- END -%]
 [%- IF CGI.param("vendor").defined %]
-ebook_action.vendor = '[% CGI.param("vendor") %]';
+ebook_action.vendor = '[% CGI.param("vendor") | html %]';
 [%- END -%]
 
 [% IF ctx.user %]