author | Ivan Kohler <ivan@freeside.biz> | 2012-11-11 23:08:47 -0800 |
---|---|---|
committer | Ivan Kohler <ivan@freeside.biz> | 2012-11-11 23:08:47 -0800 |
commit | 3d18177c158acc492e9322677b11c8089df0fbc0 (patch) | |
tree | 35aa13c4c6da9181fa2e987d3619132773d047d4 | |
parent | 4ee7d66497689819f80f29795b93f0ba564141e7 (diff) |
fix XSS
-rw-r--r-- | httemplate/edit/cust_main/top_misc.html | 2 | ||||
-rw-r--r-- | httemplate/elements/dashboard-toplist.html | 2 | ||||
-rw-r--r-- | httemplate/elements/small_prospect_view.html | 2 | ||||
-rw-r--r-- | httemplate/misc/cust_main_note-import.cgi | 12 | ||||
-rw-r--r-- | httemplate/misc/did_order_provision.html | 2 | ||||
-rw-r--r-- | httemplate/misc/xmlhttp-cust_main-duplicates.html | 6 |
6 files changed, 13 insertions, 13 deletions
diff --git a/httemplate/edit/cust_main/top_misc.html b/httemplate/edit/cust_main/top_misc.html index 7ce283c6c..cfed8e4f6 100644 --- a/httemplate/edit/cust_main/top_misc.html +++ b/httemplate/edit/cust_main/top_misc.html @@ -114,7 +114,7 @@ <TR> <TD ALIGN="right"><% mt('Referring customer') |h %></TD> <TD> - <A HREF="<% popurl(1) %>/cust_main.cgi?<% $cust_main->referral_custnum %>"><% $cust_main->referral_custnum %>: <% $referring_cust_main->name %></A> + <A HREF="<% popurl(1) %>/cust_main.cgi?<% $cust_main->referral_custnum %>"><% $cust_main->referral_custnum %>: <% $referring_cust_main->name |h %></A> </TD> </TR> <INPUT TYPE="hidden" NAME="referral_custnum" VALUE="<% $cust_main->referral_custnum %>"> diff --git a/httemplate/elements/dashboard-toplist.html b/httemplate/elements/dashboard-toplist.html index c6362e0c9..f4a372519 100644 --- a/httemplate/elements/dashboard-toplist.html +++ b/httemplate/elements/dashboard-toplist.html @@ -21,7 +21,7 @@ <TR> <TD CLASS="grid" BGCOLOR="<% $bgcolor %>"> - <A HREF="view/cust_main.cgi?<% $custnum %>"><% $cust_main->name %></A> + <A HREF="view/cust_main.cgi?<% $custnum %>"><% $cust_main->name |h %></A> </TD> <TD CLASS="grid" BGCOLOR="<% $bgcolor %>"> <& /elements/mcp_lint.html, 'cust_main'=>$cust_main &> diff --git a/httemplate/elements/small_prospect_view.html b/httemplate/elements/small_prospect_view.html index 4942e8dc7..26e830bc4 100644 --- a/httemplate/elements/small_prospect_view.html +++ b/httemplate/elements/small_prospect_view.html @@ -1,5 +1,5 @@ % my $link = "${p}view/prospect_main.html?". $prospect_main->prospectnum; -Prospect: <A HREF="<%$link%>"><% $prospect_main->name %></A> +Prospect: <A HREF="<%$link%>"><% $prospect_main->name |h %></A> <%init> my($prospect_main, %opt) = @_; diff --git a/httemplate/misc/cust_main_note-import.cgi b/httemplate/misc/cust_main_note-import.cgi index 72ac556fd..186289517 100644 --- a/httemplate/misc/cust_main_note-import.cgi +++ b/httemplate/misc/cust_main_note-import.cgi 
@@ -164,7 +164,7 @@
 <OPTION VALUE="">---</OPTION>
 % my $i=0;
 % foreach (@cust_main) {
- <OPTION <% $i ? '' : 'SELECTED' %> VALUE="<% $_->custnum %>"><% $_->name %></OPTION>
+ <OPTION <% $i ? '' : 'SELECTED' %> VALUE="<% $_->custnum %>"><% $_->name |h %></OPTION>
 % $i++;
 % }
 </SELECT>
@@ -172,15 +172,15 @@
 var customer_select<% $row %> = document.getElementById("cust_select<% $row %>");
 customer_select<% $row %>.onchange = select_customer;
 </SCRIPT>
- <INPUT TYPE="hidden" NAME="name<% $row %>" ID="name<% $row %>" VALUE="<% $i ? $cust_main[0]->name : '' %>">
+ <INPUT TYPE="hidden" NAME="name<% $row %>" ID="name<% $row %>" VALUE="<% $i ? $cust_main[0]->name : '' |h %>">
 </TD>
 <TD>
- <% $first %>
- <INPUT TYPE="hidden" NAME="first<% $row %>" VALUE="<% $first %>">
+ <% $first |h %>
+ <INPUT TYPE="hidden" NAME="first<% $row %>" VALUE="<% $first |h %>">
 </TD>
 <TD>
- <% $last %>
- <INPUT TYPE="hidden" NAME="last<% $row %>" VALUE="<% $last %>">
+ <% $last |h %>
+ <INPUT TYPE="hidden" NAME="last<% $row %>" VALUE="<% $last |h %>">
 </TD>
 <TD>
 <% $note %>
diff --git a/httemplate/misc/did_order_provision.html b/httemplate/misc/did_order_provision.html
index 1df9444ab..8739c1619 100644
--- a/httemplate/misc/did_order_provision.html
+++ b/httemplate/misc/did_order_provision.html
@@ -21,7 +21,7 @@
 % my $avail = keys(%$cust_pkg_phone);
 % $anyavail = 1 if $avail;
 <TR>
- <TD><% $cust_main->name %></TD>
+ <TD><% $cust_main->name |h %></TD>
 <TD>
 % if ( !$avail ) {
 No suitable packages exist for this customer.
diff --git a/httemplate/misc/xmlhttp-cust_main-duplicates.html b/httemplate/misc/xmlhttp-cust_main-duplicates.html
index 6654b3e39..7ee00af66 100644
--- a/httemplate/misc/xmlhttp-cust_main-duplicates.html
+++ b/httemplate/misc/xmlhttp-cust_main-duplicates.html
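Review bot: The last context line of the `@@ -172,15` hunk in cust_main_note-import.cgi, `<% $note %>`, is still emitted unescaped immediately after `$first` and `$last` gained `|h`; if imported notes are plain text it should read `<% $note |h %>`, and if they are intended to carry markup a one-line comment saying so would stop the next reader from re-raising it. The same pattern remains in the xmlhttp-cust_main-duplicates.html hunk, where the new line `<% $_->city |h %>, <% $_->state %> <% $_->zip %>` escapes city but leaves state and zip, fields from the same address record, unescaped, so it should become `<% $_->city |h %>, <% $_->state |h %> <% $_->zip |h %>`. Whether `statuscolor` and `ucfirst_cust_status` on the neighbouring line can ever hold user-supplied text is not visible here and may be worth confirming. The `<TD>` opened at the end of the -172 hunk closes outside the hunk.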
@@ -8,9 +8,9 @@ Choose an existing customer
 <TR>
 <TD ALIGN="right" VALIGN="top"><B><% $custnum %>: </B></TD>
 <TD ALIGN="left">
- <% $_->name %>—<B><FONT COLOR="#<%$_->statuscolor%>"><%$_->ucfirst_cust_status%></FONT></B><BR>
-<% $_->address1 %><BR>
-<% $_->city %>, <% $_->state %> <% $_->zip %>
+ <% $_->name |h %>—<B><FONT COLOR="#<%$_->statuscolor%>"><%$_->ucfirst_cust_status%></FONT></B><BR>
+<% $_->address1 |h %><BR>
+<% $_->city |h %>, <% $_->state %> <% $_->zip %>
 </TD>
 <TD ALIGN="center">
 <INPUT TYPE="radio" NAME="dup_custnum" VALUE="<%$custnum%>">
|