13 Sep
2023
13 Sep
'23
4:22 a.m.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=33734 --- Comment #11 from David Cook <dcook@prosentient.com.au> --- (In reply to David Cook from comment #9)
Definitely don't want to be using the "raw" filter there.
Actually, I'm wrong. We do want to be using the "raw" filter here, because the URL is already encoded. However, Ville makes a couple of mistakes in their patch. First, we should escape search_filter.id for completeness even though it's system generated. Second, we need to escape search_filter.name since that is user generated and could cause XSS if it's not HTML escaped. -- You are receiving this mail because: You are watching all bug changes.