This patch escapes the uses of city_id in URLs, and also removes the
redundant 'dom' entry, as this is inherited from the global DataTables
configuration anyway.
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
"ajax": {
"url": cities_table_url
},
- 'dom': 'C<"top pager"ilpfB><"#filter_c">tr<"bottom pager"ip>',
"order": [[ 1, "asc" ]],
"columnDefs": [ {
"targets": [0,1,2,3,4],
{
"data": function( row, type, val, meta ) {
- var result = '<a class="btn btn-default btn-xs" role="button" href="/cgi-bin/koha/admin/cities.pl?op=add_form&cityid='+ row.city_id +'"><i class="fa fa-pencil" aria-hidden="true"></i> '+_("Edit")+'</a>'+"\n";
- result += '<a class="btn btn-default btn-xs" role="button" href="/cgi-bin/koha/admin/cities.pl?op=delete_confirm&cityid='+ row.city_id +'"><i class="fa fa-trash" aria-hidden="true"></i> '+_("Delete")+'</a>';
+ var result = '<a class="btn btn-default btn-xs" role="button" href="/cgi-bin/koha/admin/cities.pl?op=add_form&cityid='+ encodeURIComponent(row.city_id) +'"><i class="fa fa-pencil" aria-hidden="true"></i> '+_("Edit")+'</a>'+"\n";
+ result += '<a class="btn btn-default btn-xs" role="button" href="/cgi-bin/koha/admin/cities.pl?op=delete_confirm&cityid='+ encodeURIComponent(row.city_id) +'"><i class="fa fa-trash" aria-hidden="true"></i> '+_("Delete")+'</a>';
return result;
},
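Review bot: On the two added lines that build `result`, `encodeURIComponent(row.city_id)` is sufficient only because each `href` is delimited by double quotes; the function percent-encodes `"`, `<`, `>` and `&` but leaves `'` untouched, so the same concatenation inside a single-quoted attribute would not be safe. I would record that above `var result`, for example `// city_id is URL-encoded; this is HTML-safe only while href stays double-quoted (encodeURIComponent does not escape ')`. The `_("Edit")` and `_("Delete")` strings are still concatenated into the markup unescaped, which is fine only if translation strings are trusted not to contain markup; that cannot be confirmed from this hunk. The enclosing column definition starts outside the hunk, so the rendering of the other columns is not visible here.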