Bug 23058: Prevent XSS vulnerabiliies when 'tag' is passed to opac-search
authorJonathan Druart <jonathan.druart@bugs.koha-community.org>
Wed, 5 Jun 2019 23:40:54 +0000 (18:40 -0500)
committerMartin Renvoize <martin.renvoize@ptfs-europe.com>
Tue, 2 Jul 2019 07:57:15 +0000 (08:57 +0100)
Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>

opac/opac-search.pl

index c39ad59..84714a6 100755 (executable)
@@ -607,7 +607,7 @@ my $results_hashref;
 my @coins;
 
 if ($tag) {
-    $query_cgi = "tag=" .$tag . "&" . $query_cgi;
+    $query_cgi = "tag=" .  uri_escape_utf8( $tag ) . "&" . $query_cgi;
     my $taglist = get_tags({term=>$tag, approved=>1});
     $results_hashref->{biblioserver}->{hits} = scalar (@$taglist);
     my @marclist = map { C4::Biblio::GetXmlBiblio( $_->{biblionumber} ) } @$taglist;
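Review bot: The percent-encoding on the `+` line covers only this concatenation into `$query_cgi`; the raw `$tag` is still used on the next line and presumably is handed to the template elsewhere in opac-search.pl (outside this hunk), so any direct output of `tag` there still depends on the template applying its own `| html` or `| uri` filter — worth confirming in the same change. `uri_escape_utf8` also needs `use URI::Escape` in scope; that import line is outside the hunk, so check it is present rather than discovering an "Undefined subroutine" error at runtime. A short why-comment above the assignment would help readers see this is deliberate, e.g. `# $tag is user-supplied; percent-encode it so it cannot break out of the URL it is interpolated into`. The enclosing `if ($tag)` block continues past the end of the hunk.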