[freeside-commits] branch FREESIDE_3_BRANCH updated. 6d0042982eec69028b9deef42ab2cd8ae015a077
Mark Wells
mark at 420.am
Wed Jan 28 14:18:54 PST 2015
The branch, FREESIDE_3_BRANCH has been updated
via 6d0042982eec69028b9deef42ab2cd8ae015a077 (commit)
from 23b594474ce15953c71ebd2d849cf7ad67d7f5a5 (commit)
Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.
- Log -----------------------------------------------------------------
commit 6d0042982eec69028b9deef42ab2cd8ae015a077
Author: Mark Wells <mark at freeside.biz>
Date: Wed Jan 28 14:18:29 2015 -0800
allow punctuation in tax name on tax report, #33255
diff --git a/FS/FS/Report/Tax.pm b/FS/FS/Report/Tax.pm
index f3f441d..23c1645 100644
--- a/FS/FS/Report/Tax.pm
+++ b/FS/FS/Report/Tax.pm
@@ -41,13 +41,9 @@ sub report_internal {
my ($taxname, $country, %breakdown);
- # purify taxname properly here, as we're going to include it in lots of
- # SQL statements using single quotes only
- if ( $opt{taxname} =~ /^([\w\s]+)$/ ) {
- $taxname = $1;
- } else {
- die "taxname required"; # UI prevents this
- }
+ # taxname can contain arbitrary punctuation; escape it properly and
+ # include $taxname unquoted elsewhere
+ $taxname = dbh->quote($opt{'taxname'});
if ( $opt{country} =~ /^(\w\w)$/ ) {
$country = $1;
@@ -103,7 +99,7 @@ sub report_internal {
GROUP BY billpkgnum, taxnum";
my $where = "WHERE cust_bill._date >= $beginning AND cust_bill._date <= $ending ".
- "AND COALESCE(cust_main_county.taxname,'Tax') = '$taxname' ".
+ "AND COALESCE(cust_main_county.taxname,'Tax') = $taxname ".
"AND cust_main_county.country = '$country'";
# SELECT/GROUP clauses for first-level queries
my $select = "SELECT ";
@@ -370,14 +366,14 @@ sub report_internal {
SELECT 1 FROM cust_tax_exempt_pkg
JOIN cust_main_county USING (taxnum)
WHERE cust_tax_exempt_pkg.billpkgnum = cust_bill_pkg.billpkgnum
- AND COALESCE(cust_main_county.taxname,'Tax') = '$taxname'
+ AND COALESCE(cust_main_county.taxname,'Tax') = $taxname
AND cust_tax_exempt_pkg.creditbillpkgnum IS NULL
)
AND NOT EXISTS(
SELECT 1 FROM cust_bill_pkg_tax_location
JOIN cust_main_county USING (taxnum)
WHERE cust_bill_pkg_tax_location.taxable_billpkgnum = cust_bill_pkg.billpkgnum
- AND COALESCE(cust_main_county.taxname,'Tax') = '$taxname'
+ AND COALESCE(cust_main_county.taxname,'Tax') = $taxname
)
";
warn "\nOUTSIDE:\n$sql_outside\n" if $DEBUG;
diff --git a/httemplate/search/report_tax.cgi b/httemplate/search/report_tax.cgi
index 83f2fc5..491cd42 100644
--- a/httemplate/search/report_tax.cgi
+++ b/httemplate/search/report_tax.cgi
@@ -151,7 +151,7 @@ TD.rowhead { font-weight: bold; text-align: left; padding: 0px 3px }
<% emt('Out of taxable region') %>
</TD>
<TD STYLE="text-align: right">
- <A HREF="<% $saleslink %>;out=1;taxname=<% $params{taxname} %>">
+ <A HREF="<% $saleslink %>;out=1;taxname=<% encode_entities($params{'taxname'}) %>">
<% $money_sprintf->( $report->{outside } ) %>
</A>
</TD>
@@ -188,8 +188,9 @@ if ( $cgi->param('agentnum') =~ /^(\d+)$/ ) {
$agentname = $agent->agentname;
}
-if ( $cgi->param('taxname') =~ /^([\w ]+)$/ ) {
- $params{taxname} = $1;
+# allow anything in here; FS::Report::Tax will treat it as unsafe
+if ( length($cgi->param('taxname')) ) {
+ $params{taxname} = $cgi->param('taxname');
} else {
die "taxname required";
}
-----------------------------------------------------------------------
Summary of changes:
FS/FS/Report/Tax.pm | 16 ++++++----------
httemplate/search/report_tax.cgi | 7 ++++---
2 files changed, 10 insertions(+), 13 deletions(-)
More information about the freeside-commits
mailing list