https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=33734
--- Comment #11 from David Cook <[email protected]> ---
(In reply to David Cook from comment #9)
> Definitely don't want to be using the "raw" filter there.

Actually, I'm wrong. We do want to be using the "raw" filter here, because the URL is already encoded.

However, Ville makes a couple of mistakes in their patch.

First, we should escape search_filter.id for completeness even though it's system generated.

Second, we need to escape search_filter.name since that is user generated and could cause XSS if it's not HTML escaped.
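The escaping rules the comment lays out, as an added Python illustration that is not Koha code or part of the bug thread: an already percent-encoded URL must not be encoded a second time (hence the raw filter), while the user-supplied filter name and the system-generated id get HTML-escaped. The variable values, the link shape and the attribute name are constructed for the example.

```python
from urllib.parse import quote, unquote

# Constructed stand-ins for the template variables named in the comment.
SEARCH_FILTER_ID = "42"
SEARCH_FILTER_NAME = 'Fiction <script>alert(1)</script> & "more"'
# The server percent-encodes the search URL before the template sees it,
# which is why re-encoding it in the template would be wrong.
ENCODED_URL = "/cgi-bin/koha/opac-search.pl?q=" + quote('author:"Le Guin" & dragons')


def tt_html(value):
    """Approximate Template Toolkit's `html` filter: escape &, <, > and double quote."""
    return (
        str(value)
        .replace("&", "&amp;")
        .replace("<", "&lt;")
        .replace(">", "&gt;")
        .replace('"', "&quot;")
    )


def double_encode(encoded_url):
    """What a second percent-encoding pass (a `uri`-style filter) does to an
    already-encoded URL: every '%' becomes '%25', so the link no longer decodes
    to the original query. This is the mistake the raw filter avoids."""
    return quote(encoded_url, safe="/:?=&")


def render_link(encoded_url, filter_id, name, escape_name=True):
    """Build the anchor the template emits.

    The href is passed through untouched (the `raw` behaviour for pre-encoded
    input). The id is HTML-escaped for completeness, and the name is escaped
    unless `escape_name=False`, which reproduces the unescaped-name defect the
    comment points out.
    """
    href = encoded_url
    shown_name = tt_html(name) if escape_name else name
    return f'<a href="{href}" data-filter-id="{tt_html(filter_id)}">{shown_name}</a>'


if __name__ == "__main__":
    print(render_link(ENCODED_URL, SEARCH_FILTER_ID, SEARCH_FILTER_NAME))
    print(render_link(ENCODED_URL, SEARCH_FILTER_ID, SEARCH_FILTER_NAME, escape_name=False))
    print(double_encode(ENCODED_URL))
```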
