[freeside-commits] branch FREESIDE_2_3_BRANCH updated. 4abeb53ac1ba98d441dab810c859c025e7307809
Ivan
ivan at 420.am
Sun Nov 11 22:18:58 PST 2012
The branch, FREESIDE_2_3_BRANCH has been updated
via 4abeb53ac1ba98d441dab810c859c025e7307809 (commit)
from 0ad00ab8a1ae4065a5817638b1ca89d5db6b3831 (commit)
- Log -----------------------------------------------------------------
commit 4abeb53ac1ba98d441dab810c859c025e7307809
Author: Ivan Kohler <ivan at freeside.biz>
Date: Sun Nov 11 22:18:55 2012 -0800
fix XSS
diff --git a/FS/FS/UI/Web/small_custview.pm b/FS/FS/UI/Web/small_custview.pm
index c3d251c..0660038 100644
--- a/FS/FS/UI/Web/small_custview.pm
+++ b/FS/FS/UI/Web/small_custview.pm
@@ -89,14 +89,14 @@ sub small_custview {
$html .= '<TD VALIGN="top">'. ntable("#cccccc",2).
'<TR><TD ALIGN="right" VALIGN="top">Service<BR>Address</TD><TD BGCOLOR="#ffffff">'.
- $cust_main->get("${pre}last"). ', '.
- $cust_main->get("${pre}first"). '<BR>';
- $html .= $cust_main->get("${pre}company"). '<BR>'
+ encode_entities($cust_main->get("${pre}last")). ', '.
+ encode_entities($cust_main->get("${pre}first")). '<BR>';
+ $html .= encode_entities($cust_main->get("${pre}company")). '<BR>'
if $cust_main->get("${pre}company");
- $html .= $cust_main->get("${pre}address1"). '<BR>';
- $html .= $cust_main->get("${pre}address2"). '<BR>'
+ $html .= encode_entities($cust_main->get("${pre}address1")). '<BR>';
+ $html .= encode_entities($cust_main->get("${pre}address2")). '<BR>'
if $cust_main->get("${pre}address2");
- $html .= $cust_main->get("${pre}city"). ', '.
+ $html .= encode_entities($cust_main->get("${pre}city")). ', '.
$cust_main->get("${pre}state"). ' '.
$cust_main->get("${pre}zip"). '<BR>';
$html .= $cust_main->get("${pre}country"). '<BR>'
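Review bot: The state, zip and country values on the last three lines of the hunk are still concatenated into `$html` unescaped, while the neighbouring name, company, address and city fields now pass through `encode_entities`; the same treatment belongs there: `encode_entities($cust_main->get("${pre}state")). ' '.`, `encode_entities($cust_main->get("${pre}zip")). '<BR>';` and `$html .= encode_entities($cust_main->get("${pre}country")). '<BR>'`. Whether those three fields can carry attacker-controlled markup depends on upstream validation that this hunk does not show, but escaping every field at the output point is the consistent defence and removes the need to reason about each one. The body of small_custview continues past the hunk, so any further unescaped fields below are not visible here.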
diff --git a/httemplate/elements/location.html b/httemplate/elements/location.html
index c606523..a0c5644 100644
--- a/httemplate/elements/location.html
+++ b/httemplate/elements/location.html
@@ -214,7 +214,7 @@ Example:
<TR>
<<%$th%> ALIGN="right">Tax district<BR>(automatic)</<%$th%>>
<TD>
- <INPUT TYPE="text" NAME="district" VALUE="<%$object->get('district')%>">
+ <INPUT TYPE="text" NAME="district" VALUE="<% $object->get('district') |h %>">
</TD>
</TR>
% }
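Review bot: Only the `district` input is given the `|h` escape filter here; if the other address inputs in this template (outside the hunk) are rendered with the same unfiltered `VALUE="<%$object->get('...')%>"` pattern, they need the identical `|h` treatment, since an unescaped `"` in a stored value would close the attribute. That cannot be confirmed from this hunk, so it is a point to check rather than a defect seen in the visible lines.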
-----------------------------------------------------------------------
Summary of changes:
FS/FS/UI/Web/small_custview.pm | 12 ++++++------
httemplate/elements/location.html | 2 +-
2 files changed, 7 insertions(+), 7 deletions(-)