[freeside-commits] branch master updated. 3d18177c158acc492e9322677b11c8089df0fbc0

Ivan ivan at 420.am
Sun Nov 11 23:08:50 PST 2012


The branch, master has been updated
       via  3d18177c158acc492e9322677b11c8089df0fbc0 (commit)
      from  4ee7d66497689819f80f29795b93f0ba564141e7 (commit)


- Log -----------------------------------------------------------------
commit 3d18177c158acc492e9322677b11c8089df0fbc0
Author: Ivan Kohler <ivan at freeside.biz>
Date:   Sun Nov 11 23:08:47 2012 -0800

    fix XSS

diff --git a/httemplate/edit/cust_main/top_misc.html b/httemplate/edit/cust_main/top_misc.html
index 7ce283c..cfed8e4 100644
--- a/httemplate/edit/cust_main/top_misc.html
+++ b/httemplate/edit/cust_main/top_misc.html
@@ -114,7 +114,7 @@
   <TR>
     <TD ALIGN="right"><% mt('Referring customer') |h %></TD>
     <TD>
-      <A HREF="<% popurl(1) %>/cust_main.cgi?<% $cust_main->referral_custnum %>"><% $cust_main->referral_custnum %>: <% $referring_cust_main->name %></A>
+      <A HREF="<% popurl(1) %>/cust_main.cgi?<% $cust_main->referral_custnum %>"><% $cust_main->referral_custnum %>: <% $referring_cust_main->name |h %></A>
     </TD>
   </TR>
   <INPUT TYPE="hidden" NAME="referral_custnum" VALUE="<% $cust_main->referral_custnum %>">
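Review bot: The escaping stops at the display text; `$cust_main->referral_custnum` is still interpolated raw into the HREF on the added line and into the hidden VALUE on the last context line. If referral_custnum is always an integer id read back from the database this is harmless, but a uniform `|h` on attribute values, e.g. `VALUE="<% $cust_main->referral_custnum |h %>"`, removes the need to reason about it per call site. The same leftover applies to `$custnum` in the HREF of the dashboard-toplist.html hunk, `$link` in small_prospect_view.html, `$_->custnum` in the OPTION VALUE of cust_main_note-import.cgi, and `$custnum` in the radio VALUE of xmlhttp-cust_main-duplicates.html. The enclosing table markup continues outside the hunk.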
diff --git a/httemplate/elements/dashboard-toplist.html b/httemplate/elements/dashboard-toplist.html
index c6362e0..f4a3725 100644
--- a/httemplate/elements/dashboard-toplist.html
+++ b/httemplate/elements/dashboard-toplist.html
@@ -21,7 +21,7 @@
      
         <TR>
 	  <TD CLASS="grid" BGCOLOR="<% $bgcolor %>">
-	    <A HREF="view/cust_main.cgi?<% $custnum %>"><% $cust_main->name %></A>
+	    <A HREF="view/cust_main.cgi?<% $custnum %>"><% $cust_main->name |h %></A>
 	  </TD>
           <TD CLASS="grid" BGCOLOR="<% $bgcolor %>">
             <& /elements/mcp_lint.html, 'cust_main'=>$cust_main &>
diff --git a/httemplate/elements/small_prospect_view.html b/httemplate/elements/small_prospect_view.html
index 4942e8d..26e830b 100644
--- a/httemplate/elements/small_prospect_view.html
+++ b/httemplate/elements/small_prospect_view.html
@@ -1,5 +1,5 @@
 % my $link = "${p}view/prospect_main.html?". $prospect_main->prospectnum;
-Prospect: <A HREF="<%$link%>"><% $prospect_main->name %></A>
+Prospect: <A HREF="<%$link%>"><% $prospect_main->name |h %></A>
 <%init>
 
 my($prospect_main, %opt) = @_;
diff --git a/httemplate/misc/cust_main_note-import.cgi b/httemplate/misc/cust_main_note-import.cgi
index 72ac556..1862895 100644
--- a/httemplate/misc/cust_main_note-import.cgi
+++ b/httemplate/misc/cust_main_note-import.cgi
@@ -164,7 +164,7 @@
              <OPTION VALUE="">---</OPTION>
 %      my $i=0;
 %      foreach (@cust_main) {
-             <OPTION <% $i ? '' : 'SELECTED' %> VALUE="<% $_->custnum %>"><% $_->name %></OPTION>
+             <OPTION <% $i ? '' : 'SELECTED' %> VALUE="<% $_->custnum %>"><% $_->name |h %></OPTION>
 %        $i++;
 %      }
            </SELECT>
@@ -172,15 +172,15 @@
                var customer_select<% $row %> = document.getElementById("cust_select<% $row %>");
                customer_select<% $row %>.onchange = select_customer;
              </SCRIPT>
-           <INPUT TYPE="hidden" NAME="name<% $row %>" ID="name<% $row %>" VALUE="<% $i ? $cust_main[0]->name : '' %>">
+           <INPUT TYPE="hidden" NAME="name<% $row %>" ID="name<% $row %>" VALUE="<% $i ? $cust_main[0]->name : '' |h %>">
          </TD>
          <TD>
-           <% $first %>
-           <INPUT TYPE="hidden" NAME="first<% $row %>" VALUE="<% $first %>">
+           <% $first |h %>
+           <INPUT TYPE="hidden" NAME="first<% $row %>" VALUE="<% $first |h %>">
          </TD>
          <TD>
-           <% $last %>
-           <INPUT TYPE="hidden" NAME="last<% $row %>" VALUE="<% $last %>">
+           <% $last |h %>
+           <INPUT TYPE="hidden" NAME="last<% $row %>" VALUE="<% $last |h %>">
          </TD>
          <TD>
            <% $note %>
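Review bot: `$note` on the last context line is still emitted unescaped, while the neighbouring `$first` and `$last` cells in the same row were changed to `|h`. All three appear to come from the same imported record, so the note text is no more trustworthy than the names; unless notes are intentionally stored as HTML, the line should become `<% $note |h %>`, and any hidden input that carries it should be treated the same way. The row's markup continues beyond the hunk, so further fields after this one are not visible here.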
diff --git a/httemplate/misc/did_order_provision.html b/httemplate/misc/did_order_provision.html
index 1df9444..8739c16 100644
--- a/httemplate/misc/did_order_provision.html
+++ b/httemplate/misc/did_order_provision.html
@@ -21,7 +21,7 @@
 %  my $avail = keys(%$cust_pkg_phone);
 %  $anyavail = 1 if $avail;
     <TR>    
-        <TD><% $cust_main->name %></TD>
+        <TD><% $cust_main->name |h %></TD>
         <TD>
 %           if ( !$avail ) {
                 No suitable packages exist for this customer.
diff --git a/httemplate/misc/xmlhttp-cust_main-duplicates.html b/httemplate/misc/xmlhttp-cust_main-duplicates.html
index 6654b3e..7ee00af 100644
--- a/httemplate/misc/xmlhttp-cust_main-duplicates.html
+++ b/httemplate/misc/xmlhttp-cust_main-duplicates.html
@@ -8,9 +8,9 @@ Choose an existing customer
 <TR>
   <TD ALIGN="right" VALIGN="top"><B><% $custnum %>: </B></TD>
   <TD ALIGN="left">
-    <% $_->name %>—<B><FONT COLOR="#<%$_->statuscolor%>"><%$_->ucfirst_cust_status%></FONT></B><BR>
-<% $_->address1 %><BR>
-<% $_->city %>, <% $_->state %>  <% $_->zip %>
+    <% $_->name |h %>—<B><FONT COLOR="#<%$_->statuscolor%>"><%$_->ucfirst_cust_status%></FONT></B><BR>
+<% $_->address1 |h %><BR>
+<% $_->city |h %>, <% $_->state %>  <% $_->zip %>
   </TD>
   <TD ALIGN="center">
     <INPUT TYPE="radio" NAME="dup_custnum" VALUE="<%$custnum%>">
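Review bot: On the third added line only `$_->city` gets `|h`; `$_->state` and `$_->zip` on the same line are printed raw although they come from the same address record as `city` and `address1`. Unless those columns are constrained to a fixed code list, they should be escaped the same way: `<% $_->city |h %>, <% $_->state |h %>  <% $_->zip |h %>`. `$_->statuscolor` and `$_->ucfirst_cust_status` on the first added line are also unescaped; they are presumably derived from a status enum rather than user input, but an `|h` there would cost nothing. The `<TR>` block continues past the end of the hunk.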

-----------------------------------------------------------------------

Summary of changes:
 httemplate/edit/cust_main/top_misc.html           |    2 +-
 httemplate/elements/dashboard-toplist.html        |    2 +-
 httemplate/elements/small_prospect_view.html      |    2 +-
 httemplate/misc/cust_main_note-import.cgi         |   12 ++++++------
 httemplate/misc/did_order_provision.html          |    2 +-
 httemplate/misc/xmlhttp-cust_main-duplicates.html |    6 +++---
 6 files changed, 13 insertions(+), 13 deletions(-)



