From e127e2cc525f05b3bbf02a4354b3e539de173096 Mon Sep 17 00:00:00 2001 From: Fabian Steeg Date: Thu, 21 Dec 2023 11:48:37 +0100 Subject: [PATCH] Escape query param before using it as ID in HTML redirect --- app/controllers/nwbib/Application.java | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/app/controllers/nwbib/Application.java b/app/controllers/nwbib/Application.java index f12eb2a5..fb09348f 100644 --- a/app/controllers/nwbib/Application.java +++ b/app/controllers/nwbib/Application.java @@ -53,6 +53,7 @@ import play.mvc.Http; import play.mvc.Result; import play.mvc.Results; +import play.twirl.api.HtmlFormat; import views.html.browse_classification; import views.html.browse_register; import views.html.classification; @@ -283,7 +284,7 @@ public static Promise searchSpatial(final String id, final int from, fin public static Promise showPl(String name, String db, int index, int zeilen, String s1) { return Promise .pure(ok("").as("text/html")); + + HtmlFormat.escape(s1) + "'/>").as("text/html")); } /**
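Review bot: `HtmlFormat.escape(s1)` in showPl is HTML escaping only, yet per the commit subject the request-controlled value ends up inside the redirect URL of the generated page. It does stop s1 from closing the single-quoted attribute, but the browser decodes the entities before following the redirect, so characters such as `&`, `#` or `%` in s1 can still alter the target's query or path. The string literal before the `+` is not readable on this page, so the exact position of s1 in the URL is inferred. I would percent-encode first and HTML-escape the result, `HtmlFormat.escape(URLEncoder.encode(s1, "UTF-8"))` (the checked exception then needs handling in showPl), or reject an s1 that does not match the expected ID format. A comment above the return, `// s1 comes from the query string: URL-encode for the redirect target, then HTML-escape for the attribute`, would keep the two layers from being collapsed later.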