Changelog:

Only relevant if you embed the calibre server within a larger server, it
means attackers who can convince users to click on a specially crafted
link, can run JavaScript code with the same origin as the larger server
calibre is embedded in.

From e75f85919a3c3a5f2d87861050d8483d66561c06 Mon Sep 17 00:00:00 2001
From: Kovid Goyal <kovid@kovidgoyal.net>
Date: Tue, 30 Jul 2024 13:40:21 +0530
Subject: [PATCH] Fix #2075130 [Private
 bug](https://bugs.launchpad.net/calibre/+bug/2075130)

---
 src/calibre/srv/legacy.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/calibre/srv/legacy.py b/src/calibre/srv/legacy.py
index 055228ebee..85586b07a6 100644
--- a/src/calibre/srv/legacy.py
+++ b/src/calibre/srv/legacy.py
@@ -255,7 +255,7 @@ def browse(ctx, rd, rest):
     if rest.startswith('book/'):
         # implementation of https://bugs.launchpad.net/calibre/+bug/1698411
         # redirect old server book URLs to new URLs
-        redirect = ctx.url_for(None) + '#book_id=' + rest[5:] + "&amp;panel=book_details"
+        redirect = ctx.url_for(None) + '#book_id=' + int(rest[5:]) + "&amp;panel=book_details"
         from lxml import etree as ET
         return html(ctx, rd, endpoint,
                  E.html(E.head(
-- 
2.44.2