diff options
| author | Ivan Kohler <ivan@freeside.biz> | 2013-04-11 18:10:13 -0700 |
|---|---|---|
| committer | Ivan Kohler <ivan@freeside.biz> | 2013-04-11 18:10:13 -0700 |
| commit | 0040c5d4586541fc06b53774bfeac61cd1958a9f (patch) | |
| tree | 4f3fff860cd380d19cdea4db7c0a260b3b3d43e8 | |
| parent | f4a34aeb6730e6a07ce1ca3562a1f2c704bb92bf (diff) | |
fix XSS
| -rw-r--r-- | FS/FS/UI/Web.pm | 23 |
1 files changed, 13 insertions, 10 deletions
diff --git a/FS/FS/UI/Web.pm b/FS/FS/UI/Web.pm index 22b445690..59e59d442 100644 --- a/FS/FS/UI/Web.pm +++ b/FS/FS/UI/Web.pm @@ -404,23 +404,26 @@ sub cust_fields_subs { my $unlinked_warn = 0; return map { my $f = $_; - if( $unlinked_warn++ ) { + if ( $unlinked_warn++ ) { + sub { my $record = shift; - if( $record->custnum ) { - $record->$f(@_); - } - else { + if ( $record->custnum ) { + encode_entities( $record->$f(@_) ); + } else { '(unlinked)' }; - } - } - else { + }; + + } else { + sub { my $record = shift; - $record->$f(@_) if $record->custnum; - } + $record->custnum ? encode_entities( $record->$f(@_) ) : ''; + }; + } + } @cust_fields; } |