LP#1822630: further sanitizing of CGI params when embedded in HTML
[working/Evergreen.git] / Open-ILS / src / templates / opac / parts / place_hold.tt2
index f2d1bba..95ff9e2 100644 (file)
@@ -192,7 +192,7 @@ function maybeToggleNumCopies(obj) {
                                 [% l('Advanced Hold Options') %]</a>
                         [% END %]
                         [% IF CGI.param('hold_type') == 'M' AND CGI.param('bre_id') %]
-                            <input type="hidden" name="bre_id" value="[% CGI.param('bre_id') %]" />
+                            <input type="hidden" name="bre_id" value="[% CGI.param('bre_id') | html %]" />
                             <a id='basic_hold_link'
                                href="[% mkurl('', {hold_target => CGI.param('bre_id'), hold_type => 'T'}) %]">
                                 [% l('Basic Hold Options') %]</a>