[freeside-commits] branch FREESIDE_2_3_BRANCH updated. ecca16c3680dc94b13150d07b57d597d9f9482fe
Ivan
ivan at 420.am
Sun Nov 11 22:20:31 PST 2012
The branch, FREESIDE_2_3_BRANCH has been updated
via ecca16c3680dc94b13150d07b57d597d9f9482fe (commit)
from 4abeb53ac1ba98d441dab810c859c025e7307809 (commit)
Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.
- Log -----------------------------------------------------------------
commit ecca16c3680dc94b13150d07b57d597d9f9482fe
Author: Ivan Kohler <ivan at freeside.biz>
Date: Sun Nov 11 22:20:28 2012 -0800
fix XSS
diff --git a/FS/FS/UI/Web.pm b/FS/FS/UI/Web.pm
index 1cc539a..c2ea0a6 100644
--- a/FS/FS/UI/Web.pm
+++ b/FS/FS/UI/Web.pm
@@ -3,7 +3,8 @@ package FS::UI::Web;
use strict;
use vars qw($DEBUG @ISA @EXPORT_OK $me);
use Exporter;
-use Carp qw( confess );;
+use Carp qw( confess );
+use HTML::Entities;
use FS::Conf;
use FS::Misc::DateTime qw( parse_datetime );
use FS::Record qw(dbdef);
@@ -383,7 +384,7 @@ sub cust_fields {
map {
if ( $record->custnum ) {
warn " $record -> $_" if $DEBUG > 1;
- $record->$_(@_);
+ encode_entities( $record->$_(@_) );
} else {
warn " ($record unlinked)" if $DEBUG > 1;
$seen_unlinked++ ? '' : '(unlinked)';
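Review bot: Escaping inside cust_fields at the `encode_entities( $record->$_(@_) );` line ties this shared helper to HTML output: any caller that renders the same field values into a non-HTML format (CSV or spreadsheet export, if this function feeds such paths — not visible here) would now emit literal `&amp;`/`&lt;` sequences, and a template that already applies `|h` to the result would double-encode. Escaping at the output layer, or accepting an option that selects the output format, would keep the helper format-neutral; at minimum state the contract with `# values are HTML-escaped here; callers must not escape them again` above the map. The enclosing sub cust_fields starts outside the hunk.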
diff --git a/httemplate/browse/part_event.html b/httemplate/browse/part_event.html
index c06a14f..62e7ff0 100644
--- a/httemplate/browse/part_event.html
+++ b/httemplate/browse/part_event.html
@@ -47,7 +47,7 @@ my $event_sub = sub {
my $onclick = include('/elements/popup_link_onclick.html',
action => $p.'view/part_event-targets.html?eventpart='.
$part_event->eventpart,
- actionlabel => 'Event query - '.$part_event->event,
+ actionlabel => 'Event query', #no, XSS - '.$part_event->event,
width => 650,
height => 420,
close_text => 'Close',
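Review bot: The trailing comment `#no, XSS - '.$part_event->event,` on the actionlabel line leaves a truncated code fragment that reads like a dropped argument rather than a decision. A reader cannot tell whether the omission is temporary or whether escaping for the popup label's context (it is handed to an include that presumably builds an onclick handler, so HTML encoding alone may not be the right escape) is expected to happen elsewhere. Replace it with a comment that states the intent, e.g. `actionlabel => 'Event query', # event name deliberately omitted: user-controlled and not escaped for this context`. The enclosing `$event_sub` starts outside the hunk.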
@@ -55,14 +55,14 @@ my $event_sub = sub {
[#rows
[#subcolumns
{
- 'data' => $part_event->event,
- 'link' => $p.'edit/part_event.html?'.$part_event->eventpart,
+ 'data' => encode_entities($part_event->event),
+ 'link' => $p.'edit/part_event.html?'.$part_event->eventpart,
},
{
- 'data' => ' (query) ',
- 'size' => '-1',
- 'data_style' => 'b',
- 'onclick' => $onclick,
+ 'data' => ' (query) ',
+ 'size' => '-1',
+ 'data_style' => 'b',
+ 'onclick' => $onclick,
},
],
];
diff --git a/httemplate/edit/cust_main/first_pkg/svc_acct.html b/httemplate/edit/cust_main/first_pkg/svc_acct.html
index b1ccc13..717bf50 100644
--- a/httemplate/edit/cust_main/first_pkg/svc_acct.html
+++ b/httemplate/edit/cust_main/first_pkg/svc_acct.html
@@ -5,7 +5,7 @@
<TD>
<INPUT TYPE = "text"
NAME = "username"
- VALUE = "<% $opt{'username'} %>"
+ VALUE = "<% $opt{'username'} |h %>"
SIZE = <% $ulen2 %>
MAXLENGTH = <% $ulen %>
>
@@ -26,7 +26,7 @@
<TD>
<INPUT TYPE = "text"
NAME = "_password"
- VALUE = "<% $opt{'password'} %>"
+ VALUE = "<% $opt{'password'} |h %>"
SIZE = <% $pmax2 %>
MAXLENGTH = <% $passwordmax %>>
% unless ( $opt{'password_verify'} ) {
@@ -41,7 +41,7 @@
<TD>
<INPUT TYPE = "text"
NAME = "_password2"
- VALUE = "<% $opt{'password2'} %>"
+ VALUE = "<% $opt{'password2'} |h %>"
SIZE = <% $pmax2 %>
MAXLENGTH = <% $passwordmax %>>
</TD>
@@ -51,7 +51,7 @@
% if ( $conf->exists('security_phrase') ) {
<TR>
<TD ALIGN="right"><% mt('Security Phrase') |h %></TD>
- <TD><INPUT TYPE="text" NAME="sec_phrase" VALUE="<% $opt{'sec_phrase'} %>">
+ <TD><INPUT TYPE="text" NAME="sec_phrase" VALUE="<% $opt{'sec_phrase'} |h %>">
</TD>
</TR>
% } else {
diff --git a/httemplate/index.html b/httemplate/index.html
index ae15096..299efdd 100644
--- a/httemplate/index.html
+++ b/httemplate/index.html
@@ -36,7 +36,7 @@
% next unless $cust_main;
<TR>
- <TD CLASS="grid" BGCOLOR="<% $bgcolor %>"><A HREF="view/cust_main.cgi?<% $custnum %>"><% $cust_main->display_custnum %>: <% $cust_main->name %></A></TD>
+ <TD CLASS="grid" BGCOLOR="<% $bgcolor %>"><A HREF="view/cust_main.cgi?<% $custnum %>"><% $cust_main->display_custnum %>: <% $cust_main->name |h %></A></TD>
</TR>
% if ( $bgcolor eq $bgcolor1 ) {
diff --git a/httemplate/search/cust_main.cgi b/httemplate/search/cust_main.cgi
index 9d37d21..4504121 100755
--- a/httemplate/search/cust_main.cgi
+++ b/httemplate/search/cust_main.cgi
@@ -54,7 +54,7 @@
% my $refcustlabel = "$referral_custnum: " .
% ( $cust_main->company || $cust_main->last. ', '. $cust_main->first );
referrals of
- <A HREF="<% popurl(2)."view/cust_main.cgi?$referral_custnum" %>"><% $refcustlabel %></A>
+ <A HREF="<% popurl(2)."view/cust_main.cgi?$referral_custnum" %>"><% $refcustlabel |h %></A>
<SELECT NAME="referral_depth" SIZE="1" onChange="changed(this)">';
% my $max = 8;
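Review bot: The `|h` added to `$refcustlabel` escapes the link text, but the same new line still interpolates `$referral_custnum` into the HREF attribute unescaped, and `$refcustlabel` itself is built from it two lines above. If `$referral_custnum` is taken from a request parameter without an anchored numeric check (where it is read is outside the hunk), the attribute remains injectable; validate it once at the point it is read, e.g. `$referral_custnum =~ /^(\d+)$/ or die "illegal referral_custnum"; $referral_custnum = $1;`, or apply `|h` inside the HREF as well. The enclosing block starts and ends outside the hunk.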
@@ -152,7 +152,7 @@
% $view = $p. 'view/cust_main.cgi?'. $custnum;
% }
% my $pcompany = $company
-% ? qq!<A HREF="$view"><FONT SIZE=-1>$company</FONT></A>!
+% ? qq!<A HREF="$view"><FONT SIZE=-1>!. encode_entities($company). '</FONT></A>'
% : '<FONT SIZE=-1> </FONT>';
%
% my $status = $cust_main->status;
@@ -166,7 +166,7 @@
<FONT SIZE="-1" COLOR="#<% $statuscol %>"><B><% ucfirst($status) %></B></FONT>
</TD>
<TD CLASS="grid" BGCOLOR="<% $bgcolor %>" ROWSPAN=<% $rowspan %>>
- <A HREF="<% $view %>"><FONT SIZE=-1><% "$last, $first" %></FONT></A>
+ <A HREF="<% $view %>"><FONT SIZE=-1><% "$last, $first" |h %></FONT></A>
</TD>
<TD CLASS="grid" BGCOLOR="<% $bgcolor %>" ROWSPAN=<% $rowspan %>>
<% $pcompany %>
diff --git a/httemplate/search/elements/search-html.html b/httemplate/search/elements/search-html.html
index b66ee9d..2e36919 100644
--- a/httemplate/search/elements/search-html.html
+++ b/httemplate/search/elements/search-html.html
@@ -338,7 +338,7 @@
% if ( ref($_) eq 'CODE' ) {
% &{$_}($row);
% } else {
-% $row->$_();
+% encode_entities($row->$_());
% }
% }
% @{$opt{'fields'}}
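Review bot: The method branch is now escaped with `encode_entities($row->$_())` while the CODE branch three lines above still returns the result of `&{$_}($row)` raw, and nothing records that the asymmetry is intentional. It presumably is — field callbacks in this element may return ready-made markup such as links — but a maintainer adding a callback that returns plain data will not know they are responsible for escaping it. Add `# coderef fields return finished HTML and must escape their own data; method results are plain values, escaped here` at the `if ( ref($_) eq 'CODE' )` line. The enclosing map starts outside the hunk.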
-----------------------------------------------------------------------
Summary of changes:
FS/FS/UI/Web.pm | 5 +++--
httemplate/browse/part_event.html | 14 +++++++-------
httemplate/edit/cust_main/first_pkg/svc_acct.html | 8 ++++----
httemplate/index.html | 2 +-
httemplate/search/cust_main.cgi | 6 +++---
httemplate/search/elements/search-html.html | 2 +-
6 files changed, 19 insertions(+), 18 deletions(-)