[freeside-commits] branch master updated. b2101823682f3738f5b367d2c1f2a7c6d47cdad1

Ivan ivan at 420.am
Sun Nov 11 22:20:22 PST 2012


The branch, master has been updated
       via  b2101823682f3738f5b367d2c1f2a7c6d47cdad1 (commit)
      from  f06a0610477b0ba8e1931722c3105b880fbc35c3 (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
commit b2101823682f3738f5b367d2c1f2a7c6d47cdad1
Author: Ivan Kohler <ivan at freeside.biz>
Date:   Sun Nov 11 22:20:19 2012 -0800

    fix XSS

diff --git a/FS/FS/UI/Web.pm b/FS/FS/UI/Web.pm
index 1cc539a..c2ea0a6 100644
--- a/FS/FS/UI/Web.pm
+++ b/FS/FS/UI/Web.pm
@@ -3,7 +3,8 @@ package FS::UI::Web;
 use strict;
 use vars qw($DEBUG @ISA @EXPORT_OK $me);
 use Exporter;
-use Carp qw( confess );;
+use Carp qw( confess );
+use HTML::Entities;
 use FS::Conf;
 use FS::Misc::DateTime qw( parse_datetime );
 use FS::Record qw(dbdef);
@@ -383,7 +384,7 @@ sub cust_fields {
   map { 
     if ( $record->custnum ) {
       warn "  $record -> $_" if $DEBUG > 1;
-      $record->$_(@_);
+      encode_entities( $record->$_(@_) );
     } else {
       warn "  ($record unlinked)" if $DEBUG > 1;
       $seen_unlinked++ ? '' : '(unlinked)';
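Review bot: `encode_entities( $record->$_(@_) )` on the new line escapes for HTML inside FS::UI::Web, a helper with no view context, so any caller that feeds cust_fields into a non-HTML output (CSV/XLS export, plain-text mail) will now receive `&amp;`-style entities; I cannot see the callers from here, but if such callers exist the escaping belongs at the template boundary (Mason `|h`) rather than in this module. The call is also in list context, so if a field method ever returns more than one value the second value is silently taken by encode_entities as its unsafe-character set; `encode_entities( scalar $record->$_(@_) )` pins the intent. Whichever way this is resolved, the new contract should be written above the map: `# returns HTML-escaped values; callers must not escape again or use them for non-HTML output`. The enclosing sub cust_fields starts before this hunk.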
diff --git a/httemplate/browse/part_event.html b/httemplate/browse/part_event.html
index c06a14f..62e7ff0 100644
--- a/httemplate/browse/part_event.html
+++ b/httemplate/browse/part_event.html
@@ -47,7 +47,7 @@ my $event_sub = sub {
   my $onclick = include('/elements/popup_link_onclick.html',
     action      => $p.'view/part_event-targets.html?eventpart='.
                     $part_event->eventpart,
-    actionlabel => 'Event query - '.$part_event->event,
+    actionlabel => 'Event query', #no, XSS - '.$part_event->event,
     width       => 650,
     height      => 420,
     close_text  => 'Close',
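Review bot: Dropping the event name from `actionlabel` removes a useful label instead of escaping it, and leaves `#no, XSS - '.$part_event->event,` as commented-out code on the new line 54. The right place for the fix depends on `/elements/popup_link_onclick.html`, which I cannot see: the label ends up inside a JavaScript string inside an `onclick` attribute, and HTML entity encoding alone is not sufficient there because the browser decodes entities before the script is parsed, so the element itself must escape quotes and backslashes for JS and then HTML-escape the attribute. Once the element does that, the original label can be restored. Until then, replace the trailing remnant with a comment stating the reason: `# event name deliberately omitted: popup_link_onclick does not escape actionlabel for JS`.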
@@ -55,14 +55,14 @@ my $event_sub = sub {
   [#rows
     [#subcolumns
       {
-        'data' => $part_event->event,
-        'link' => $p.'edit/part_event.html?'.$part_event->eventpart,
+        'data'       => encode_entities($part_event->event),
+        'link'       => $p.'edit/part_event.html?'.$part_event->eventpart,
       },
       {
-        'data' => ' (query) ',
-        'size' => '-1',
-        'data_style'  => 'b',
-        'onclick' => $onclick,
+        'data'       => ' (query) ',
+        'size'       => '-1',
+        'data_style' => 'b',
+        'onclick'    => $onclick,
       },
     ],
   ];
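Review bot: `'link' => $p.'edit/part_event.html?'.$part_event->eventpart` on the new line 65 is the one value in this row that still reaches an `href` attribute unescaped. Its use as a bare query string suggests eventpart is an integer key, in which case this is safe, but the invariant is not visible here; `encode_entities($part_event->eventpart)` or a numeric check makes it explicit. Conversely, if the table element that consumes `data` already escapes it, the new `encode_entities($part_event->event)` double-encodes (`&amp;amp;`), so the element's behaviour is worth confirming in the same change.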
diff --git a/httemplate/edit/cust_main/first_pkg/svc_acct.html b/httemplate/edit/cust_main/first_pkg/svc_acct.html
index b1ccc13..717bf50 100644
--- a/httemplate/edit/cust_main/first_pkg/svc_acct.html
+++ b/httemplate/edit/cust_main/first_pkg/svc_acct.html
@@ -5,7 +5,7 @@
     <TD>
       <INPUT TYPE      = "text"
              NAME      = "username"
-             VALUE     = "<% $opt{'username'} %>"
+             VALUE     = "<% $opt{'username'} |h %>"
              SIZE      = <% $ulen2 %>
              MAXLENGTH = <% $ulen %>
       >
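Review bot: `SIZE = <% $ulen2 %>` and `MAXLENGTH = <% $ulen %>` on the two lines after the new `|h` are unquoted, unfiltered attribute values; if either ever contains anything other than digits, a space starts a new attribute. They are presumably computed lengths rather than user input, so this is likely fine, but quoting them (`SIZE = "<% $ulen2 %>"`) removes the dependency on that assumption. The `|h` on `VALUE` is the right filter for the double-quoted attribute, assuming Mason's `h` escapes `"` as the HTML::Entities default set does.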
@@ -26,7 +26,7 @@
     <TD>
       <INPUT TYPE      = "text"
              NAME      = "_password"
-             VALUE     = "<% $opt{'password'} %>"
+             VALUE     = "<% $opt{'password'} |h %>"
              SIZE      = <% $pmax2 %>
              MAXLENGTH = <% $passwordmax %>>
 %     unless ( $opt{'password_verify'} ) {
@@ -41,7 +41,7 @@
       <TD>
         <INPUT TYPE      = "text"
                NAME      = "_password2"
-               VALUE     = "<% $opt{'password2'} %>"
+               VALUE     = "<% $opt{'password2'} |h %>"
                SIZE      = <% $pmax2 %>
                MAXLENGTH = <% $passwordmax %>>
       </TD>
@@ -51,7 +51,7 @@
 % if ( $conf->exists('security_phrase') ) {
     <TR>
       <TD ALIGN="right"><% mt('Security Phrase') |h %></TD>
-      <TD><INPUT TYPE="text" NAME="sec_phrase" VALUE="<% $opt{'sec_phrase'} %>">
+      <TD><INPUT TYPE="text" NAME="sec_phrase" VALUE="<% $opt{'sec_phrase'} |h %>">
       </TD>
     </TR>
 % } else {
diff --git a/httemplate/index.html b/httemplate/index.html
index 71926aa..bc51e6a 100644
--- a/httemplate/index.html
+++ b/httemplate/index.html
@@ -46,7 +46,7 @@
 % next unless $cust_main; 
 
     <TR>
-      <TD CLASS="grid" BGCOLOR="<% $bgcolor %>"><A HREF="view/cust_main.cgi?<% $custnum %>"><% $cust_main->display_custnum %>: <% $cust_main->name %></A></TD>
+      <TD CLASS="grid" BGCOLOR="<% $bgcolor %>"><A HREF="view/cust_main.cgi?<% $custnum %>"><% $cust_main->display_custnum %>: <% $cust_main->name |h %></A></TD>
     </TR>
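Review bot: `<% $cust_main->display_custnum %>` on the new line is still unfiltered while `name` now gets `|h`; display_custnum is presumably a formatted form of the numeric custnum and unlikely to carry markup, but the hunk gives no guarantee and the filter is free: `<% $cust_main->display_custnum |h %>`. `<% $custnum %>` inside the HREF likewise relies on being numeric; a `/^\d+$/` check where it is assigned (outside this hunk) would make that explicit. The enclosing loop starts before the hunk.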
 
 %       if ( $bgcolor eq $bgcolor1 ) {
diff --git a/httemplate/search/cust_main.cgi b/httemplate/search/cust_main.cgi
index 7c3ad33..8e3c813 100755
--- a/httemplate/search/cust_main.cgi
+++ b/httemplate/search/cust_main.cgi
@@ -54,7 +54,7 @@
 %   my $refcustlabel = "$referral_custnum: " .
 %         ( $cust_main->company || $cust_main->last. ', '. $cust_main->first );
         referrals of
-        <A HREF="<% popurl(2)."view/cust_main.cgi?$referral_custnum" %>"><% $refcustlabel %></A>
+        <A HREF="<% popurl(2)."view/cust_main.cgi?$referral_custnum" %>"><% $refcustlabel |h %></A>
         <SELECT NAME="referral_depth" SIZE="1" onChange="changed(this)">';
 
 %    my $max = 8;
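Review bot: `$referral_custnum` is interpolated unescaped into the HREF on the new line 141, and since this is a search page it is presumably read from the request (that assignment is outside the hunk, so I am inferring), so it should be validated as numeric before it reaches either the URL or the label: `$referral_custnum =~ /^(\d+)$/ or die "illegal referral_custnum"; $referral_custnum = $1;` where it is read. The `|h` on `$refcustlabel` covers only the displayed text. Note also that `$refcustlabel` is built on line 138 from `company || last, first`, so the customer name data escaped here is the same data shown unescaped elsewhere in the file unless every other site got the same treatment.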
@@ -147,7 +147,7 @@
 %      $view = $p. 'view/cust_main.cgi?'. $custnum;
 %    }
 %    my $pcompany = $company
-%      ? qq!<A HREF="$view"><FONT SIZE=-1>$company</FONT></A>!
+%      ? qq!<A HREF="$view"><FONT SIZE=-1>!. encode_entities($company). '</FONT></A>'
 %      : '<FONT SIZE=-1> </FONT>';
 %    
 %    my $status = $cust_main->status;
@@ -161,7 +161,7 @@
         <FONT SIZE="-1" COLOR="#<% $statuscol %>"><B><% ucfirst($status) %></B></FONT>
       </TD>
       <TD CLASS="grid" BGCOLOR="<% $bgcolor %>" ROWSPAN=<% $rowspan %>>
-        <A HREF="<% $view %>"><FONT SIZE=-1><% "$last, $first" %></FONT></A>
+        <A HREF="<% $view %>"><FONT SIZE=-1><% "$last, $first" |h %></FONT></A>
       </TD>
       <TD CLASS="grid" BGCOLOR="<% $bgcolor %>" ROWSPAN=<% $rowspan %>>
         <% $pcompany %>
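Review bot: `<% $pcompany %>` at the end of this hunk is intentionally left without `|h` because the string already contains the `<A>`/`<FONT>` markup assembled earlier in the file (with encode_entities applied to `$company` in the preceding hunk), but nothing on the line says so, and the next person fixing XSS in this file will be tempted to add `|h` and render the tags as literal text. A one-line Mason comment above it prevents that: `%# $pcompany is pre-built HTML; $company is entity-encoded where it is assembled`. The `$statuscol`/`$status` interpolations a few lines up appear to come from an internal status enumeration rather than user data, though that cannot be confirmed from the hunk.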
diff --git a/httemplate/search/elements/search-html.html b/httemplate/search/elements/search-html.html
index d7e8128..5c8001f 100644
--- a/httemplate/search/elements/search-html.html
+++ b/httemplate/search/elements/search-html.html
@@ -341,9 +341,9 @@
 %                                       $_ =~ /^\d+$/ ) {
 %                             # for the 'straight SQL' case: specify fields
 %                             # by position
-%                               $row->[$_];
+%                               encode_entities($row->[$_]);
 %                             } else {
-%                               $row->$_();
+%                               encode_entities($row->$_());
 %                             }
 %                           }
 %                       @{$opt{'fields'}}
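Review bot: `encode_entities($row->$_())` on the new line 175 calls the accessor in list context, so if any field method returns more than one value the second one silently becomes encode_entities' unsafe-character set; `encode_entities( scalar $row->$_() )` removes that ambiguity (`$row->[$_]` on line 172 is already a scalar). The default unsafe set also turns every non-ASCII character into a numeric entity, which is harmless for display but will double-encode any field value that already passed through cust_fields, which this same commit makes encode in FS::UI::Web; which branch code-ref fields take is outside this hunk and worth checking. The `if` this sits in starts before the hunk (line 168 is the tail of its condition).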

-----------------------------------------------------------------------

Summary of changes:
 FS/FS/UI/Web.pm                                   |    5 +++--
 httemplate/browse/part_event.html                 |   14 +++++++-------
 httemplate/edit/cust_main/first_pkg/svc_acct.html |    8 ++++----
 httemplate/index.html                             |    2 +-
 httemplate/search/cust_main.cgi                   |    6 +++---
 httemplate/search/elements/search-html.html       |    4 ++--
 6 files changed, 20 insertions(+), 19 deletions(-)



