diff options
| author | Ivan Kohler <ivan@freeside.biz> | 2018-11-19 14:43:18 -0800 |
|---|---|---|
| committer | Ivan Kohler <ivan@freeside.biz> | 2018-11-19 14:43:18 -0800 |
| commit | 802d5ba5da8a49c2df8c5c6fda4c06d4ce6ad7fc (patch) | |
| tree | 374f558450562efaf7919f94cd5badd5ee2757d5 | |
| parent | 20319dfaa1c0f3ca4dc4c9685e3582154dcce517 (diff) | |
self-xss, RT#81757
| -rw-r--r-- | fs_selfservice/FS-SelfService/cgi/contact.html | 12 |
1 files changed, 6 insertions, 6 deletions
diff --git a/fs_selfservice/FS-SelfService/cgi/contact.html b/fs_selfservice/FS-SelfService/cgi/contact.html index 20c15df78..7ae0d4880 100644 --- a/fs_selfservice/FS-SelfService/cgi/contact.html +++ b/fs_selfservice/FS-SelfService/cgi/contact.html @@ -3,22 +3,22 @@ <TR> <TH ALIGN="right"><%=$r%>Contact name<BR>(last, first)</TH> <TD COLSPAN=5> - <INPUT TYPE="text" NAME="<%=$pre%>last" VALUE="<%= ${$pre.'last'} %>" onChange="<%= $onchange %>" <%=$disabled%>> , - <INPUT TYPE="text" NAME="<%=$pre%>first" VALUE="<%= ${$pre.'first'} %>" onChange="<%= $onchange %>" <%=$disabled%>> + <INPUT TYPE="text" NAME="<%=$pre%>last" VALUE="<%= encode_entities(${$pre.'last'}) %>" onChange="<%= $onchange %>" <%=$disabled%>> , + <INPUT TYPE="text" NAME="<%=$pre%>first" VALUE="<%= encode_entities(${$pre.'first'}) %>" onChange="<%= $onchange %>" <%=$disabled%>> </TD> </TR> <TR> <TD ALIGN="right">Company</TD> <TD COLSPAN=7> - <INPUT TYPE="text" NAME="<%=$pre%>company" VALUE="<%= ${$pre.'company'} %>" SIZE=70 onChange="<%= $onchange %>" <%=$disabled%>> + <INPUT TYPE="text" NAME="<%=$pre%>company" VALUE="<%= encode_entities(${$pre.'company'}) %>" SIZE=70 onChange="<%= $onchange %>" <%=$disabled%>> </TD> </TR> <TR> <TH ALIGN="right"><%=$r%>Address</TH> <TD COLSPAN=7> - <INPUT TYPE="text" NAME="<%=$pre%>address1" VALUE="<%= ${$pre.'address1'} %>" SIZE=70 onChange="<%= $onchange %>" <%=$disabled%>> + <INPUT TYPE="text" NAME="<%=$pre%>address1" VALUE="<%= encode_entities(${$pre.'address1'}) %>" SIZE=70 onChange="<%= $onchange %>" <%=$disabled%>> </TD> </TR> @@ -37,14 +37,14 @@ %> </TD> <TD COLSPAN=7> - <INPUT TYPE="text" NAME="<%=$pre%>address2" VALUE="<%= ${$pre.'address2'} %>" SIZE=70 onChange="<%= $onchange %>" <%=$disabled%>> + <INPUT TYPE="text" NAME="<%=$pre%>address2" VALUE="<%= encode_entities(${$pre.'address2'}) %>" SIZE=70 onChange="<%= $onchange %>" <%=$disabled%>> </TD> </TR> <TR> <TH ALIGN="right"><%=$r%>City</TH> <TD> - <INPUT TYPE="text" ID="<%=$pre%>city" NAME="<%=$pre%>city" VALUE="<%= ${$pre.'city'} %>" onChange="<%= $onchange %>" <%=$disabled%>> + <INPUT TYPE="text" ID="<%=$pre%>city" NAME="<%=$pre%>city" VALUE="<%= encode_entities(${$pre.'city'}) %>" onChange="<%= $onchange %>" <%=$disabled%>> </TD> <%= ($county_html, $state_html, $country_html) = |