[freeside-commits] branch FREESIDE_2_3_BRANCH updated. ecca16c3680dc94b13150d07b57d597d9f9482fe

Ivan ivan at 420.am
Sun Nov 11 22:20:31 PST 2012


The branch, FREESIDE_2_3_BRANCH has been updated
       via  ecca16c3680dc94b13150d07b57d597d9f9482fe (commit)
      from  4abeb53ac1ba98d441dab810c859c025e7307809 (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
commit ecca16c3680dc94b13150d07b57d597d9f9482fe
Author: Ivan Kohler <ivan at freeside.biz>
Date:   Sun Nov 11 22:20:28 2012 -0800

    fix XSS

diff --git a/FS/FS/UI/Web.pm b/FS/FS/UI/Web.pm
index 1cc539a..c2ea0a6 100644
--- a/FS/FS/UI/Web.pm
+++ b/FS/FS/UI/Web.pm
@@ -3,7 +3,8 @@ package FS::UI::Web;
 use strict;
 use vars qw($DEBUG @ISA @EXPORT_OK $me);
 use Exporter;
-use Carp qw( confess );;
+use Carp qw( confess );
+use HTML::Entities;
 use FS::Conf;
 use FS::Misc::DateTime qw( parse_datetime );
 use FS::Record qw(dbdef);
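Review bot: The new `use HTML::Entities;` pulls in the module's whole default export list, while the neighbouring `use Carp qw( confess );` names what it imports; `use HTML::Entities qw( encode_entities );` would match the file's style and keep `decode_entities` out of a package that is itself an Exporter. Only `encode_entities` is used by this commit's hunks, so nothing else from the module is needed here.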
@@ -383,7 +384,7 @@ sub cust_fields {
   map { 
     if ( $record->custnum ) {
       warn "  $record -> $_" if $DEBUG > 1;
-      $record->$_(@_);
+      encode_entities( $record->$_(@_) );
     } else {
       warn "  ($record unlinked)" if $DEBUG > 1;
       $seen_unlinked++ ? '' : '(unlinked)';
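Review bot: `cust_fields` now returns entity-encoded text unconditionally, so any caller that escapes again (a Mason `|h` filter, for instance) will double-encode, and any caller that emits non-HTML output (CSV or spreadsheet export, if the search pages use this helper for that) will now carry `&amp;`-style entities in its data; I cannot see the callers from here, so this deserves a check. At minimum the sub's header should state the new contract, e.g. `# returns HTML-entity-encoded values: callers must not escape them again`. Note also that `encode_entities` takes a second argument as the unsafe-character set, so a field method returning a list would now be folded into one encoded value; this only matters if some `$_` here is not a plain scalar accessor. The `cust_fields` body starts before this hunk and continues after it.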
diff --git a/httemplate/browse/part_event.html b/httemplate/browse/part_event.html
index c06a14f..62e7ff0 100644
--- a/httemplate/browse/part_event.html
+++ b/httemplate/browse/part_event.html
@@ -47,7 +47,7 @@ my $event_sub = sub {
   my $onclick = include('/elements/popup_link_onclick.html',
     action      => $p.'view/part_event-targets.html?eventpart='.
                     $part_event->eventpart,
-    actionlabel => 'Event query - '.$part_event->event,
+    actionlabel => 'Event query', #no, XSS - '.$part_event->event,
     width       => 650,
     height      => 420,
     close_text  => 'Close',
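Review bot: The replaced `actionlabel` line leaves a commented-out code fragment (`#no, XSS - '.$part_event->event,`) instead of a reason, which a later reader is likely to re-enable. If the name was dropped because `popup_link_onclick.html` embeds the label inside a JavaScript string, where HTML-entity encoding alone is not the right escaping (I cannot see the included element from here), say so: `# event name omitted: actionlabel is embedded in a JS string, encode_entities alone is not sufficient there`. If the label only ends up in HTML text, `actionlabel => 'Event query - '.encode_entities($part_event->event),` would keep the descriptive label the same way the next hunk keeps the `'data'` cell.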
@@ -55,14 +55,14 @@ my $event_sub = sub {
   [#rows
     [#subcolumns
       {
-        'data' => $part_event->event,
-        'link' => $p.'edit/part_event.html?'.$part_event->eventpart,
+        'data'       => encode_entities($part_event->event),
+        'link'       => $p.'edit/part_event.html?'.$part_event->eventpart,
       },
       {
-        'data' => ' (query) ',
-        'size' => '-1',
-        'data_style'  => 'b',
-        'onclick' => $onclick,
+        'data'       => ' (query) ',
+        'size'       => '-1',
+        'data_style' => 'b',
+        'onclick'    => $onclick,
       },
     ],
   ];
diff --git a/httemplate/edit/cust_main/first_pkg/svc_acct.html b/httemplate/edit/cust_main/first_pkg/svc_acct.html
index b1ccc13..717bf50 100644
--- a/httemplate/edit/cust_main/first_pkg/svc_acct.html
+++ b/httemplate/edit/cust_main/first_pkg/svc_acct.html
@@ -5,7 +5,7 @@
     <TD>
       <INPUT TYPE      = "text"
              NAME      = "username"
-             VALUE     = "<% $opt{'username'} %>"
+             VALUE     = "<% $opt{'username'} |h %>"
              SIZE      = <% $ulen2 %>
              MAXLENGTH = <% $ulen %>
       >
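Review bot: The `|h` filter now covers the quoted `VALUE` attribute, but the neighbouring `SIZE = <% $ulen2 %>` and `MAXLENGTH = <% $ulen %>` attributes are unquoted and unfiltered; `|h` would not protect an unquoted attribute anyway, since spaces are not encoded, so the fix there is quoting, e.g. `SIZE = "<% $ulen2 %>"`. This is presumably harmless if the lengths are numeric values from config, which is not visible here. The same pattern appears in the `_password` and `_password2` hunks of this file.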
@@ -26,7 +26,7 @@
     <TD>
       <INPUT TYPE      = "text"
              NAME      = "_password"
-             VALUE     = "<% $opt{'password'} %>"
+             VALUE     = "<% $opt{'password'} |h %>"
              SIZE      = <% $pmax2 %>
              MAXLENGTH = <% $passwordmax %>>
 %     unless ( $opt{'password_verify'} ) {
@@ -41,7 +41,7 @@
       <TD>
         <INPUT TYPE      = "text"
                NAME      = "_password2"
-               VALUE     = "<% $opt{'password2'} %>"
+               VALUE     = "<% $opt{'password2'} |h %>"
                SIZE      = <% $pmax2 %>
                MAXLENGTH = <% $passwordmax %>>
       </TD>
@@ -51,7 +51,7 @@
 % if ( $conf->exists('security_phrase') ) {
     <TR>
       <TD ALIGN="right"><% mt('Security Phrase') |h %></TD>
-      <TD><INPUT TYPE="text" NAME="sec_phrase" VALUE="<% $opt{'sec_phrase'} %>">
+      <TD><INPUT TYPE="text" NAME="sec_phrase" VALUE="<% $opt{'sec_phrase'} |h %>">
       </TD>
     </TR>
 % } else {
diff --git a/httemplate/index.html b/httemplate/index.html
index ae15096..299efdd 100644
--- a/httemplate/index.html
+++ b/httemplate/index.html
@@ -36,7 +36,7 @@
 % next unless $cust_main; 
 
     <TR>
-      <TD CLASS="grid" BGCOLOR="<% $bgcolor %>"><A HREF="view/cust_main.cgi?<% $custnum %>"><% $cust_main->display_custnum %>: <% $cust_main->name %></A></TD>
+      <TD CLASS="grid" BGCOLOR="<% $bgcolor %>"><A HREF="view/cust_main.cgi?<% $custnum %>"><% $cust_main->display_custnum %>: <% $cust_main->name |h %></A></TD>
     </TR>
 
 %       if ( $bgcolor eq $bgcolor1 ) {
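Review bot: Only `$cust_main->name` receives `|h` on the changed line; `$cust_main->display_custnum`, emitted in the same anchor text, is still unfiltered. If display_custnum is purely numeric that is fine, but if it can carry a configured prefix or any other string content it should get the same treatment: `<% $cust_main->display_custnum |h %>`. `$custnum` in the HREF is likewise unfiltered and presumably the numeric key.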
diff --git a/httemplate/search/cust_main.cgi b/httemplate/search/cust_main.cgi
index 9d37d21..4504121 100755
--- a/httemplate/search/cust_main.cgi
+++ b/httemplate/search/cust_main.cgi
@@ -54,7 +54,7 @@
 %   my $refcustlabel = "$referral_custnum: " .
 %         ( $cust_main->company || $cust_main->last. ', '. $cust_main->first );
         referrals of
-        <A HREF="<% popurl(2)."view/cust_main.cgi?$referral_custnum" %>"><% $refcustlabel %></A>
+        <A HREF="<% popurl(2)."view/cust_main.cgi?$referral_custnum" %>"><% $refcustlabel |h %></A>
         <SELECT NAME="referral_depth" SIZE="1" onChange="changed(this)">';
 
 %    my $max = 8;
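Review bot: `$refcustlabel |h` escapes the link text, but `$referral_custnum` is still interpolated raw into the HREF on the same changed line. If it originates from a request parameter (its assignment is outside this hunk, so I cannot tell), a numeric check before this point, e.g. `die "bad referral_custnum" unless $referral_custnum =~ /\A\d+\z/;`, would close the attribute-context gap that filtering the label alone does not.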
@@ -152,7 +152,7 @@
 %      $view = $p. 'view/cust_main.cgi?'. $custnum;
 %    }
 %    my $pcompany = $company
-%      ? qq!<A HREF="$view"><FONT SIZE=-1>$company</FONT></A>!
+%      ? qq!<A HREF="$view"><FONT SIZE=-1>!. encode_entities($company). '</FONT></A>'
 %      : '<FONT SIZE=-1> </FONT>';
 %    
 %    my $status = $cust_main->status;
@@ -166,7 +166,7 @@
         <FONT SIZE="-1" COLOR="#<% $statuscol %>"><B><% ucfirst($status) %></B></FONT>
       </TD>
       <TD CLASS="grid" BGCOLOR="<% $bgcolor %>" ROWSPAN=<% $rowspan %>>
-        <A HREF="<% $view %>"><FONT SIZE=-1><% "$last, $first" %></FONT></A>
+        <A HREF="<% $view %>"><FONT SIZE=-1><% "$last, $first" |h %></FONT></A>
       </TD>
       <TD CLASS="grid" BGCOLOR="<% $bgcolor %>" ROWSPAN=<% $rowspan %>>
         <% $pcompany %>
diff --git a/httemplate/search/elements/search-html.html b/httemplate/search/elements/search-html.html
index b66ee9d..2e36919 100644
--- a/httemplate/search/elements/search-html.html
+++ b/httemplate/search/elements/search-html.html
@@ -338,7 +338,7 @@
 %                             if ( ref($_) eq 'CODE' ) {
 %                               &{$_}($row);
 %                             } else {
-%                               $row->$_();
+%                               encode_entities($row->$_());
 %                             }
 %                           }
 %                       @{$opt{'fields'}}
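Review bot: Escaping is now applied only to the method-name branch, while the `ref($_) eq 'CODE'` branch still returns its value raw, so whether a cell is escaped depends on how the field was declared; a comment at the `else` would spare the next reader a trip through the callers, e.g. `# CODE fields are trusted to return HTML; plain accessor values are escaped here`. Also, `encode_entities` treats a second argument as the unsafe-character set, so an accessor that returned a list would now be folded into one encoded value; only relevant if some field method here returns more than one scalar. This appears to sit inside a `map` over `@{$opt{'fields'}}` that starts before the hunk.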

-----------------------------------------------------------------------

Summary of changes:
 FS/FS/UI/Web.pm                                   |    5 +++--
 httemplate/browse/part_event.html                 |   14 +++++++-------
 httemplate/edit/cust_main/first_pkg/svc_acct.html |    8 ++++----
 httemplate/index.html                             |    2 +-
 httemplate/search/cust_main.cgi                   |    6 +++---
 httemplate/search/elements/search-html.html       |    2 +-
 6 files changed, 19 insertions(+), 18 deletions(-)



