[freeside-commits] freeside/httemplate/edit quick-charge.html, 1.3, 1.4

Ivan,,, ivan at wavetail.420.am
Tue Dec 25 23:51:40 PST 2007


Update of /home/cvs/cvsroot/freeside/httemplate/edit
In directory wavetail:/tmp/cvs-serv23894/httemplate/edit

Modified Files:
	quick-charge.html 
Log Message:
alas, XSSmas draws to a close

Index: quick-charge.html
===================================================================
RCS file: /home/cvs/cvsroot/freeside/httemplate/edit/quick-charge.html,v
retrieving revision 1.3
retrieving revision 1.4
diff -u -d -r1.3 -r1.4
--- quick-charge.html	18 Dec 2007 20:42:30 -0000	1.3
+++ quick-charge.html	26 Dec 2007 07:51:37 -0000	1.4
@@ -2,10 +2,8 @@
             ( $cgi->param('error') ? '' : 'onload="addRow()"' ),
           )
 %>
-% if ( $cgi->param('error') ) { 
 
-  <FONT SIZE="+1" COLOR="#ff0000"><% $cgi->param('error') %></FONT><BR><BR>
-% } 
+<% include('/elements/error.html') %>
 
 <SCRIPT TYPE="text/javascript">
 
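Review bot: Whether the reflected `error` parameter is actually escaped now cannot be confirmed from this hunk: the inline unescaped `<% $cgi->param('error') %>` is gone, but `include('/elements/error.html')` is opaque here, and the fix only holds if that element renders the parameter through `|h` (or an equivalent HTML escape). Since `error` arrives via the query string and is reflected back into the page, it is worth checking that include in the same change series rather than assuming it. The `onload="addRow()"` expression on the first line belongs to a statement that begins before this hunk.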
@@ -73,23 +71,22 @@
 
 </SCRIPT>
 
-
-
 <FORM ACTION="process/quick-charge.cgi" NAME="QuickChargeForm" METHOD="POST" onsubmit="document.QuickChargeForm.submit.disabled=true;return validate_quick_charge();">
 
-<INPUT TYPE="hidden" NAME="custnum" VALUE="<% $cgi->param('custnum') %>">
+<INPUT TYPE="hidden" NAME="custnum" VALUE="<% $custnum %>">
+
 <TABLE ID="QuickChargeTable" BGCOLOR="#cccccc" BORDER=0 CELLSPACING=0 STYLE="background-color: #cccccc">
 
 <TR>
   <TD ALIGN="right">Amount:</TD>
   <TD>
-    $<INPUT TYPE="text" NAME="amount" SIZE=6 VALUE="<% $cgi->param('amount') %>" onChange="enable_quick_charge()" onKeyPress="enable_quick_charge_amount()">
+    $<INPUT TYPE="text" NAME="amount" SIZE=6 VALUE="<% $amount %>" onChange="enable_quick_charge()" onKeyPress="enable_quick_charge_amount()">
   </TD>
 <% include('/elements/tr-select-taxclass.html') %>
 </TR>
   <TD>Description:</TD>
   <TD>
-    <INPUT TYPE="text" NAME="pkg" SIZE="60" MAXLENGTH="65" VALUE="<% $cgi->param('pkg') %>" onChange="enable_quick_charge()" onKeyPress="enable_quick_charge_desc()">
+    <INPUT TYPE="text" NAME="pkg" SIZE="60" MAXLENGTH="65" VALUE="<% $pkg %>" onChange="enable_quick_charge()" onKeyPress="enable_quick_charge_desc()">
   </TD>
 </TR>
 <TR>
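Review bot: The new `VALUE="<% $pkg %>"` on the Description input still interpolates user-controlled text into a double-quoted attribute without escaping; the `%init` whitelist added later in this diff admits `"`, `=`, space and parentheses, so a `"` in the description closes the attribute and the remaining permitted characters are enough to append further attributes. The description-row input in the next hunk already uses the Mason HTML filter, so the same form here is the consistent fix: `VALUE="<% $pkg |h %>"`. `$custnum` and `$amount` are digit-only captures from `%init`, so their raw interpolation on the `custnum` and `amount` inputs is fine as-is.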
@@ -106,7 +103,7 @@
     <TR>
       <TD></TD>
       <TD>
-        <INPUT TYPE="text" NAME="description<% $row %>" SIZE="60" MAXLENGTH="65" VALUE="<% $param->{"description$row"} %>" rownum="<% $row %>" onkeyup = "possiblyAddRow;" >
+        <INPUT TYPE="text" NAME="description<% $row %>" SIZE="60" MAXLENGTH="65" VALUE="<% $param->{"description$row"} |h %>" rownum="<% $row %>" onkeyup = "possiblyAddRow;" >
       </TD>
     </TR>
 % } 
@@ -164,3 +161,18 @@
 
 </BODY>
 </HTML>
+<%init>
+
+$cgi->param('custnum') =~ /^(\d+)$/ or die 'illegal custnum';
+my $custnum = $1;
+
+my $amount = '';
+if ( $cgi->param('amount') =~ /^\s*\$?\s*(\d+(\.\d{1,2})?)\s*$/ ) {
+  $amount = $1;
+}
+
+$cgi->param('pkg') =~ /^([\w \!\@\#\$\%\&\(\)\-\+\;\:\'\"\,\.\?\/\=\[\]]*)$/ 
+  or die 'illegal description';
+my $pkg = $1;
+
+</%init>
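Review bot: The character class on the `$cgi->param('pkg') =~ /^([\w \!\@\#...` line includes `\'` and `\"`, so this validation does not by itself make `$pkg` safe for the double-quoted HTML attribute it is rendered into; keep it as an input-side check, but the interpolation site should still apply `|h`. If the intent really is to rely on this regex alone, `\"` would have to be dropped from the class, at the cost of rejecting legitimate descriptions that contain a quote. A first load with no `pkg` parameter matches the pattern against undef, which yields an empty `$pkg` but will emit an uninitialized-value warning if warnings are enabled in this component; `my $pkg_in = defined($cgi->param('pkg')) ? $cgi->param('pkg') : '';` and matching on that avoids it.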


