| author | Ivan Kohler <ivan@freeside.biz> | 2013-06-18 15:26:26 -0700 |
|---|---|---|
| committer | Ivan Kohler <ivan@freeside.biz> | 2013-06-18 15:26:26 -0700 |
| commit | 28de2695cb889d0dc3d1b3425582f069643edcd9 (patch) | |
| tree | 1c075cd6acefdfdbdf51efa5265e9e6daf5a8ba4 | |
| parent | 4658140057dc70393cf057af334b0eb810bd0e1a (diff) | |
fix XSS
| -rw-r--r-- | httemplate/view/elements/svc_Common.html | 6 |
1 files changed, 4 insertions, 2 deletions
diff --git a/httemplate/view/elements/svc_Common.html b/httemplate/view/elements/svc_Common.html
index de01c3d55..2d1201b51 100644
--- a/httemplate/view/elements/svc_Common.html
+++ b/httemplate/view/elements/svc_Common.html
@@ -63,11 +63,13 @@ function areyousure(href) {
 % if ( ref($f) ) {
 % $field = $f->{'field'};
 % $hack_strict_refs = \&{ $f->{'value'} } if $f->{'value'};
-% $value = $f->{'value'} ? &$hack_strict_refs($svc_x) : $svc_x->$field;
+% $value = $f->{'value'}
+% ? &$hack_strict_refs($svc_x)
+% : encode_entities($svc_x->$field);
 % $type = $f->{'type'} || 'text';
 % } else {
 % $field = $f;
-% $value = encode_entities($svc_x->$field);
+% $value = encode_entities($svc_x->$field);
 % $type = 'text';
 % }
 % |
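Review bot: The callback branch `+% ? &$hack_strict_refs($svc_x)` still assigns whatever the `$f->{'value'}` code reference returns without `encode_entities`, so only the direct `$svc_x->$field` branches are covered by this fix. If the intended contract is that `'value'` callbacks return ready-made, already-escaped HTML, that should be recorded next to the branch, e.g. `# 'value' callbacks must return HTML-safe output; only the raw field path is escaped here`; if any caller's callback returns plain record data, that path remains an unescaped output sink. The loop that defines `$f`, and the template code that later emits `$value`, lie outside this hunk, so whether `$value` is escaped again downstream cannot be confirmed from here.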
