| author | Ivan Kohler <ivan@freeside.biz> | 2012-11-11 22:34:22 -0800 |
|---|---|---|
| committer | Ivan Kohler <ivan@freeside.biz> | 2012-11-11 22:34:22 -0800 |
| commit | 1b0e3600f2004f0977c9906b3f7db56f3ca80f5d (patch) | |
| tree | fbfe999b307ce7ffe1a4db86052e14c0267b3439 | |
| parent | ecca16c3680dc94b13150d07b57d597d9f9482fe (diff) | |
fix XSS
| -rw-r--r-- | FS/FS/ClientAPI/MyAccount.pm | 3 | ||||
| -rw-r--r-- | fs_selfservice/FS-SelfService/cgi/change_pkg.html | 4 |
2 files changed, 5 insertions, 2 deletions
diff --git a/FS/FS/ClientAPI/MyAccount.pm b/FS/FS/ClientAPI/MyAccount.pm
index 7fe00e65b..d5fe15483 100644
--- a/FS/FS/ClientAPI/MyAccount.pm
+++ b/FS/FS/ClientAPI/MyAccount.pm
@@ -2004,6 +2004,9 @@ sub _usage_details {
 $p->{ending} = $end;
 }
+ die "illegal beginning" if $beginning !~ /^\d*$/;
+ die "illegal ending" if $ending !~ /^\d*$/;
+
 my (@usage) = &$callback($svc_x, $p->{beginning}, $p->{ending}, %callback_opt );
diff --git a/fs_selfservice/FS-SelfService/cgi/change_pkg.html b/fs_selfservice/FS-SelfService/cgi/change_pkg.html
index a841308a5..2d7b488ab 100644
--- a/fs_selfservice/FS-SelfService/cgi/change_pkg.html
+++ b/fs_selfservice/FS-SelfService/cgi/change_pkg.html
@@ -14,8 +14,8 @@ function enable_change_pkg () {
 <FORM NAME="ChangePkgForm" ACTION="<%= $selfurl %>" METHOD=POST>
 <INPUT TYPE="hidden" NAME="session" VALUE="<%= $session_id %>">
 <INPUT TYPE="hidden" NAME="action" VALUE="process_change_pkg">
-<INPUT TYPE="hidden" NAME="pkgnum" VALUE="<%= $pkgnum %>">
-<INPUT TYPE="hidden" NAME="pkg" VALUE="<%= $pkg %>">
+<INPUT TYPE="hidden" NAME="pkgnum" VALUE="<%= encode_entities($pkgnum) %>">
+<INPUT TYPE="hidden" NAME="pkg" VALUE="<%= encode_entities($pkg) %>">
 <TABLE BGCOLOR="#cccccc" BORDER=0 CELLSPACING=0>
 <TR>
 <TD COLSPAN=2><SELECT NAME="pkgpart" onChange="enable_change_pkg()">
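Review bot: The two new `die` checks use `^\d*$`, and in Perl `$` also matches just before a trailing newline, so a value such as `"123\n"` passes the check while not being the plain digit string the guard intends to enforce; `\d` also matches non-ASCII digits unless `/a` is given. The tighter form is `die "illegal beginning" if $beginning !~ /\A\d*\z/a;` and `die "illegal ending" if $ending !~ /\A\d*\z/a;`. Note also that the guards validate `$beginning` and `$ending`, while the callback on the following line receives `$p->{beginning}` and `$p->{ending}`; the visible `$p->{ending} = $end;` assignment suggests these may not be the same values, so it is worth confirming that whatever reaches the callback is what was validated. Accepting the empty string via `\d*` looks intentional (unset bound) but deserves a one-line comment saying so. `_usage_details` begins and ends outside this hunk.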
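Review bot: The hunk escapes `$pkgnum` and `$pkg` inside attribute values but leaves `<%= $selfurl %>` and `<%= $session_id %>` in the same form unescaped; whether those two can carry attacker-influenced characters is not visible here, but applying `encode_entities` uniformly to every interpolated attribute value in this template removes the need to reason about it case by case, e.g. `ACTION="<%= encode_entities($selfurl) %>"` and `VALUE="<%= encode_entities($session_id) %>"`. The change also assumes `encode_entities` (from HTML::Entities) is already in scope for the template; if it is not, this page will fail rather than render, so that import should be confirmed.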
