[freeside-commits] freeside/FS/FS Mason.pm,1.30,1.31
Mark Wells
mark at wavetail.420.am
Wed Mar 24 18:37:21 PDT 2010
Update of /home/cvs/cvsroot/freeside/FS/FS
In directory wavetail.420.am:/tmp/cvs-serv22689/FS/FS
Modified Files:
Mason.pm
Log Message:
RT#6226: security fix for customer notes
Index: Mason.pm
===================================================================
RCS file: /home/cvs/cvsroot/freeside/FS/FS/Mason.pm,v
retrieving revision 1.30
retrieving revision 1.31
diff -u -w -d -r1.30 -r1.31
--- Mason.pm 23 Mar 2010 03:53:51 -0000 1.30
+++ Mason.pm 25 Mar 2010 01:37:19 -0000 1.31
@@ -70,6 +70,7 @@
use HTML::Entities;
use HTML::TreeBuilder;
use HTML::FormatText;
+ use HTML::Defang;
use JSON;
use MIME::Base64;
use IO::Handle;
@@ -408,6 +409,8 @@
=cut
+my %defang_opts = ( attribs_to_callback => ['src'], attribs_callback => sub { 1 });
+
sub mason_interps {
my $mode = shift || 'apache';
my %opt = @_;
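Review bot: The `attribs_callback => sub { 1 }` in the new `%defang_opts` relies on a bare magic value, and nothing on the page says what `1` means to HTML::Defang; a reader cannot tell from this line whether `src` attributes are kept or stripped. HTML::Defang documents the callback return values as named constants (DEFANG_NONE / DEFANG_ALWAYS / DEFANG_DEFAULT), so either import and return the constant, or at least pin the intent in a comment: `# strip every src attribute from note HTML (no remote loads / javascript: URLs)`. A one-line comment above the hash saying these options are shared by every interp built below would also help, since `%defang_opts` is file-scoped while `$html_defang` is created per call. The `mason_interps` body continues beyond this hunk.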
@@ -451,6 +454,8 @@
$interp{out_method} = $opt{outbuf} if $mode eq 'standalone' && $opt{outbuf};
+ my $html_defang = new HTML::Defang (%defang_opts);
+
my $fs_interp = new HTML::Mason::Interp (
%interp,
escape_flags => { 'js_string' => sub {
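Review bot: `my $html_defang = new HTML::Defang (%defang_opts);` uses indirect object syntax, which Perl resolves by guessing whether `new` is a sub or a method and is a known source of hard-to-diagnose parse ambiguity; the arrow form `my $html_defang = HTML::Defang->new(%defang_opts);` is unambiguous. The file already writes `new HTML::Mason::Interp (` the same way, so this is consistent with existing style, but new code is the place to stop adding to that pattern. This hunk sits inside `mason_interps`, whose start and end lie outside it.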
@@ -458,7 +463,10 @@
${$_[0]} =~ s/(['\\])/\\$1/g;
${$_[0]} =~ s/\n/\\n/g;
${$_[0]} = "'". ${$_[0]}. "'";
- }
+ },
+ 'defang' => sub {
+ ${$_[0]} = $html_defang->defang(${$_[0]});
+ },
},
compiler => HTML::Mason::Compiler::ToObject->new(
allow_globals => [qw(%session)],
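Review bot: The new `'defang'` escape flag sanitizes note markup but intentionally leaves it as HTML, so unlike Mason's built-in `h` flag it provides no protection in plain-text contexts (attribute values, JS strings), and nothing in the hunk records that contract. A comment above the entry such as `# 'defang': sanitize user-supplied rich text for rendering as HTML; not a substitute for |h` would keep a later template author from using it where HTML-encoding is required. Since `$html_defang` is captured by the closure and reused across requests, it is also worth noting that its per-instance options come from the file-scoped `%defang_opts` above. The `escape_flags` hash opens in the previous hunk and the `HTML::Mason::Interp` constructor continues past this one.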