Comment 2 for bug 1902965

Jeff Davis (jdavis-sitka) wrote :

Branch user/jeffdavis/lp1902965-marc-856-filter in the security repo fixes the issue by applying the TT2 "html" filter to the URI href, link, and note before using them. I'm not sure if escaping HTML entities will cause problems for certain 856 URLs.

I haven't checked whether other MARC fields have the same vulnerability, but it seems likely.
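
An added illustration of the fix described in the comment above; it is not code from the Evergreen branch or from the commenter. It assumes the 856 values end up in a double-quoted `href`, link text, and a note element, and models the TT2 "html" filter in Python as its four substitutions (`&`, `<`, `>`, `"`). The names `tt2_html`, `render_856` and `audit`, and the sample values, are constructed for the example. It parses the rendered markup back to check which elements exist and which URL the `href` resolves to.

```python
from html.parser import HTMLParser

def tt2_html(text):
    """Python model (assumption) of Template Toolkit's "html" filter."""
    return (text.replace("&", "&amp;").replace("<", "&lt;")
                .replace(">", "&gt;").replace('"', "&quot;"))

def render_856(href, link, note, escape=True):
    """Hypothetical 856 rendering: href, link text and note in one snippet."""
    f = tt2_html if escape else (lambda s: s)
    return '<a href="{}">{}</a> <span class="note">{}</span>'.format(
        f(href), f(link), f(note))

class _Audit(HTMLParser):
    """Collects the elements, href values and text an HTML parser sees."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.tags, self.hrefs, self.text = [], [], []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)
        self.hrefs += [value for name, value in attrs if name == "href"]

    def handle_data(self, data):
        self.text.append(data)

def audit(markup):
    """Return (tags, hrefs, text) recovered from the rendered markup."""
    parser = _Audit()
    parser.feed(markup)
    parser.close()
    return parser.tags, parser.hrefs, "".join(parser.text)

# Constructed sample values, not taken from any real MARC record.
PLAIN_URL = "https://example.org/view?id=42&lang=en"
MARKUP_VALUE = '"><b>injected</b>'

if __name__ == "__main__":
    # Filtered: the ampersand is written as &amp; and parsed back unchanged.
    print(audit(render_856(PLAIN_URL, "Full text", "Free access")))
    # Filtered: markup characters stay data, no extra element appears.
    print(audit(render_856(MARKUP_VALUE, MARKUP_VALUE, MARKUP_VALUE)))
    # Unfiltered, for contrast: the value closes the attribute and adds <b>.
    print(audit(render_856(MARKUP_VALUE, "Full text", "Free access",
                           escape=False)))
```

The model covers only double-quoted attributes, since the four substitutions leave single quotes untouched.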