When our site was scanned for potential vulnerabilities, they came up with the following links typed into Firefox.

50.199.57.14/cgi-bin/koha/opac-search.pl?q=123&sort_by='"><script>prompt('Happy_Holidays')</script>&limit=123

and

50.199.57.14/cgi-bin/koha/opac-search.pl?q=ccl=su%3AGay%20men%20and%20su%3ASexual%20behavior&offset=100&sort_by=relevance_asc'"><script>prompt('Happy_Holidays')</script>

Both of these scripts are executed and cause a pop-up.

This looks similar to bug 11341, which was fixed in 3.14. We are running 3.18 on Xubuntu 14.04 LTS installed from the PPA.

I noticed that in the patch at http://bugs.koha-community.org/bugzilla3/attachment.cgi?id=23313&action=diff there were a number of '|html %' entries which appear as '|url %' in 3.18.

Is this a regression on bug 11341?

Bob Ewart
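An added example, not part of the original post and not Koha's code: a regression check that renders the reported `sort_by` value into a page and reports whether an HTML parser sees a live `<script>` element. The `TEMPLATE` line is a constructed stand-in for a template that echoes `sort_by`, and Python's `html.escape` and `urllib.parse.quote` are assumed approximations of the Template Toolkit `html` and `url` filters, not identical to them.

```python
import html
from html.parser import HTMLParser
from urllib.parse import quote

# Value of sort_by taken from the first scanner URL in the report above.
PAYLOAD = "'\"><script>prompt('Happy_Holidays')</script>"

# Constructed stand-in for a template line that echoes sort_by into a link.
# Assumption for illustration only; this is NOT Koha's opac-search template.
TEMPLATE = '<a href="/cgi-bin/koha/opac-search.pl?q=123&amp;sort_by={v}">next</a>'

class ScriptFinder(HTMLParser):
    """Collects the text of every <script> element the parser actually sees."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.in_script = False
        self.scripts = []
    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.in_script = True
            self.scripts.append("")
    def handle_endtag(self, tag):
        if tag == "script":
            self.in_script = False
    def handle_data(self, data):
        if self.in_script:
            self.scripts[-1] += data

def injected_scripts(page):
    """Return the bodies of script elements in a rendered page (empty list = inert)."""
    finder = ScriptFinder()
    finder.feed(page)
    finder.close()
    return finder.scripts

# Stand-ins for "no filter", an HTML-entity filter and a URL-encoding filter.
ENCODERS = {
    "none": lambda v: v,
    "html": lambda v: html.escape(v, quote=True),
    "url": lambda v: quote(v, safe=""),
}

def check_all():
    """Render PAYLOAD through each encoder and list any script elements produced."""
    return {n: injected_scripts(TEMPLATE.format(v=enc(PAYLOAD))) for n, enc in ENCODERS.items()}

if __name__ == "__main__":
    for name, scripts in check_all().items():
        print(f"{name:5} -> {'SCRIPT ELEMENT' if scripts else 'inert'} {scripts}")
```

`injected_scripts()` can also be pointed at a saved response body from the OPAC to confirm whether a given release still reflects the value as markup.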