[freeside-commits] branch FREESIDE_3_BRANCH updated. ae2a98aa6d846caf5a2d597b0ff7c916ace24a6e

Ivan ivan at 420.am
Sat Jul 11 23:46:52 PDT 2015


The branch, FREESIDE_3_BRANCH has been updated
       via  ae2a98aa6d846caf5a2d597b0ff7c916ace24a6e (commit)
      from  a0974543bc19678e78971c0182fe4cf4bcce0e9f (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
commit ae2a98aa6d846caf5a2d597b0ff7c916ace24a6e
Author: Ivan Kohler <ivan at freeside.biz>
Date:   Sat Jul 11 23:46:49 2015 -0700

    secure $cgi->param calls (and include to <& &>)

diff --git a/httemplate/misc/email-customers.html b/httemplate/misc/email-customers.html
index 57f451f..09ff93c 100644
--- a/httemplate/misc/email-customers.html
+++ b/httemplate/misc/email-customers.html
@@ -51,13 +51,12 @@ should be used to set msgnum or from/subject/html_body cgi params
 
     <FONT SIZE="+2">Sending notice</FONT>
 
-    <% include('/elements/progress-init.html',
+    <& /elements/progress-init.html,
                  'OneTrueForm',
                  [ qw( search table from subject html_body text_body msgnum ) ],
                  $process_url,
                  $pdest,
-              )
-    %>
+    &>
 
 % } elsif ( $cgi->param('action') eq 'preview' ) {
 
@@ -68,7 +67,7 @@ should be used to set msgnum or from/subject/html_body cgi params
 % if ( $cgi->param('action') ) {
 
     <TABLE BGCOLOR="#cccccc" CELLSPACING=0>
-    <INPUT TYPE="hidden" NAME="msgnum" VALUE="<% $cgi->param('msgnum') %>">
+    <INPUT TYPE="hidden" NAME="msgnum" VALUE="<% scalar($cgi->param('msgnum')) %>">
 
 %   if ( $msg_template ) {
       <% include('/elements/tr-fixed.html',
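Review bot: The new `VALUE="<% scalar($cgi->param('msgnum')) %>"` line still writes the raw parameter into an HTML attribute; `scalar()` closes the list-context hole but does not escape quotes or angle brackets in the value. Unless the Mason handler applies a default escape flag (not visible here), `<% scalar($cgi->param('msgnum')) |h %>` would HTML-escape it, or the value could be validated as an integer in the `<%init>` block before it is echoed. The following context line `<% include('/elements/tr-fixed.html',` keeps the old include form that this commit converts elsewhere, which may be intentional; the enclosing `if ( $cgi->param('action') )` block continues past the hunk.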
@@ -160,12 +159,11 @@ Template:
               'size'  => 20,
           &>></TD>
  
-    <% include('/elements/tr-input-text.html',
+    <& /elements/tr-input-text.html,
                  'field' => 'subject',
                  'label' => 'Subject:',
                  'size'  => 50,
-              )
-    %>
+    &>
 
     <TR>
       <TD ALIGN="right" VALIGN="top" STYLE="padding-top:3px">Message: </TD>
@@ -193,7 +191,7 @@ Template:
     </SCRIPT>
 % }
 
-<% include('/elements/footer.html') %>
+<& /elements/footer.html &>
 
 <%init>
 
@@ -222,7 +220,7 @@ $pdest->{'url'} = $cgi->param('url') if $url;
 
 my %search;
 if ( $cgi->param('search') ) {
-  %search = %{ thaw(decode_base64($cgi->param('search'))) };
+  %search = %{ thaw(decode_base64( $cgi->param('search') )) };
 }
 else {
   %search = $cgi->Vars;
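Review bot: The `search` parameter is only re-spaced in this hunk, not wrapped in `scalar()` as `msgnum` is in the other hunks; if `decode_base64` does not impose a scalar prototype, a repeated `search` parameter would expand to extra arguments, so `%search = %{ thaw(decode_base64( scalar($cgi->param('search')) )) };` would keep the commit's own convention. Separately, `thaw()` here deserializes a client-supplied blob; if the frozen search state is not already integrity-checked elsewhere, a server-side signature (for example an HMAC carried with the base64 payload and verified before `thaw`) would let the page reject tampered values rather than unpacking them.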
@@ -267,7 +265,7 @@ if ( $cgi->param('action') eq 'preview' ) {
 
   if ( $cgi->param('msgnum') ) {
     $msg_template = qsearchs('msg_template', 
-                             { msgnum => $cgi->param('msgnum') } )
+                             { msgnum => scalar($cgi->param('msgnum')) } )
         or die "template not found: ".$cgi->param('msgnum');
     $sql_query->{'extra_sql'} .= ' LIMIT 1';
     $sql_query->{'select'} = "$table.*";
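Review bot: `scalar($cgi->param('msgnum'))` now hands a single value to the hash constructor, but the value is still not validated before the lookup and is echoed verbatim in the `die` message on the next line; an anchored check placed before `qsearchs`, such as `my $msgnum = scalar($cgi->param('msgnum')); $msgnum =~ /\A\d+\z/ or die "invalid msgnum";`, would reject non-numeric input early and could then be used in both the lookup and the message. I assume `qsearchs` quotes the value for SQL, so this is an input-validation point rather than an injection one. The enclosing `if ( $cgi->param('action') eq 'preview' )` block begins before the hunk.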

-----------------------------------------------------------------------

Summary of changes:
 httemplate/misc/email-customers.html |   18 ++++++++----------
 1 file changed, 8 insertions(+), 10 deletions(-)



