Comment 4 for bug 1822630

Jeff Davis (jdavis-sitka) wrote :

I've been combing through the OPAC templates for additional instances of raw CGI.param values being embedded in HTML as-is, either directly or after being assigned to a variable. (This approach is much narrower than Dan's regex.) There are a lot of cases where the raw value is tested but not output to HTML, and some other cases where it is passed to a function like mkurl that takes care of the sanitizing. I have pushed an additional commit to the above branch fixing the few other cases I found that actually require cleanup. I definitely can't promise I caught everything, but hopefully it covers the low-hanging fruit.

(There's an interesting case in parts/result/facets.tt2 -- two CGI.param values are assigned to variables near the top and then those variables are used in complicated ways. I think no sanitizing is necessary here, so my commits don't touch it, but it would be good to have at least one additional pair of eyes on that one.)

I vote for fixing what we can fix quickly now, and doing a more thorough audit over time.
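A small audit script in the spirit of the template walk described above, added here as an example and not part of the bug report or of Evergreen's code. It assumes Template Toolkit directive syntax, treats the TT `html` filter and a call to `mkurl()` as the escaping paths, follows values assigned from CGI.param into variables, skips directives that only test a value, and runs over a constructed sample template rather than a real OPAC file.

```python
import re

# Template Toolkit directive [% ... %] (optional whitespace-chomping dashes).
DIRECTIVE = re.compile(r"\[%-?(.*?)-?%\]", re.DOTALL)
# "name = expr" or "SET name = expr"; the (?!=) keeps "==" comparisons out.
ASSIGN = re.compile(r"^(?:SET\s+)?(\w+)\s*=(?!=)\s*(.+)$", re.DOTALL)
# Control directives only test a value; they do not emit it into the page.
CONTROL = re.compile(r"^(IF|ELSIF|ELSE|UNLESS|END|FOREACH|WHILE|BLOCK|INCLUDE|PROCESS|USE|WRAPPER|FILTER)\b")
# Assumed escaping paths: the TT 'html' filter, or handing the value to mkurl().
SAFE = re.compile(r"\|\s*html\b|\bmkurl\(")

def _reads_tainted(expr, tainted):
    return "CGI.param" in expr or any(re.search(rf"\b{v}\b", expr) for v in tainted)

def find_raw_cgi_output(template):
    """Return (line, expr) for output directives emitting a raw CGI.param value,
    directly or via a variable assigned from one (statements split on ';')."""
    tainted, findings = set(), []
    for m in DIRECTIVE.finditer(template):
        line = template.count("\n", 0, m.start()) + 1
        for stmt in m.group(1).split(";"):
            stmt = stmt.strip()
            if not stmt or stmt.startswith("#"):
                continue
            a = ASSIGN.match(stmt)
            if a:
                name, rhs = a.groups()
                # An unescaped CGI.param (or tainted variable) on the right taints the name.
                if _reads_tainted(rhs, tainted) and not SAFE.search(rhs):
                    tainted.add(name)
                else:
                    tainted.discard(name)
            elif CONTROL.match(stmt):
                continue
            elif _reads_tainted(stmt, tainted) and not SAFE.search(stmt):
                findings.append((line, stmt))
    return findings

# Constructed sample template (not an Evergreen file); two of its outputs are unescaped.
SAMPLE = """\
[%- query = CGI.param('query');
    term = CGI.param('term') -%]
[% IF query %]
<h1>Results for [% query %]</h1>
<a href="[% mkurl('', {term => term}) %]">Again</a>
<input value="[% term | html %]">
<p>[% CGI.param('term') %]</p>
[% END %]
"""
```

On the sample, `find_raw_cgi_output(SAMPLE)` reports only lines 4 and 7; the `IF` test, the `mkurl()` call and the `| html` output are left alone. A `;` inside a quoted string, or a variable re-assigned inside a branch, would confuse this deliberately simple splitter, so it is a first pass rather than a proof.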