authorIvan Kohler <ivan@freeside.biz>2012-11-11 22:34:20 -0800
committerIvan Kohler <ivan@freeside.biz>2012-11-11 22:34:20 -0800
commit4ee7d66497689819f80f29795b93f0ba564141e7 (patch)
tree3ae2bcf04a7a4a04f51491261441c3ddd3f03326
parentb2101823682f3738f5b367d2c1f2a7c6d47cdad1 (diff)
fix XSS
-rw-r--r--FS/FS/ClientAPI/MyAccount.pm3
-rw-r--r--fs_selfservice/FS-SelfService/cgi/change_pkg.html4
2 files changed, 5 insertions, 2 deletions
diff --git a/FS/FS/ClientAPI/MyAccount.pm b/FS/FS/ClientAPI/MyAccount.pm
index 3f7c00432..d07b3834e 100644
--- a/FS/FS/ClientAPI/MyAccount.pm
+++ b/FS/FS/ClientAPI/MyAccount.pm
@@ -2037,6 +2037,9 @@ sub _usage_details {
$p->{ending} = $end;
}
+ die "illegal beginning" if $beginning !~ /^\d*$/;
+ die "illegal ending" if $ending !~ /^\d*$/;
+
my (@usage) = &$callback($svc_x, $p->{beginning}, $p->{ending},
%callback_opt
);
diff --git a/fs_selfservice/FS-SelfService/cgi/change_pkg.html b/fs_selfservice/FS-SelfService/cgi/change_pkg.html
index a841308a5..2d7b488ab 100644
--- a/fs_selfservice/FS-SelfService/cgi/change_pkg.html
+++ b/fs_selfservice/FS-SelfService/cgi/change_pkg.html
@@ -14,8 +14,8 @@ function enable_change_pkg () {
<FORM NAME="ChangePkgForm" ACTION="<%= $selfurl %>" METHOD=POST>
<INPUT TYPE="hidden" NAME="session" VALUE="<%= $session_id %>">
<INPUT TYPE="hidden" NAME="action" VALUE="process_change_pkg">
-<INPUT TYPE="hidden" NAME="pkgnum" VALUE="<%= $pkgnum %>">
-<INPUT TYPE="hidden" NAME="pkg" VALUE="<%= $pkg %>">
+<INPUT TYPE="hidden" NAME="pkgnum" VALUE="<%= encode_entities($pkgnum) %>">
+<INPUT TYPE="hidden" NAME="pkg" VALUE="<%= encode_entities($pkg) %>">
<TABLE BGCOLOR="#cccccc" BORDER=0 CELLSPACING=0>
<TR>
<TD COLSPAN=2><SELECT NAME="pkgpart" onChange="enable_change_pkg()">
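Review bot: The escaping is applied to `pkgnum` and `pkg` only; the two adjacent interpolations in the same form are left raw, `ACTION="<%= $selfurl %>"` and `VALUE="<%= $session_id %>"`. Even if those values are normally server-generated, a value containing `"` or `>` breaks out of the attribute the same way, so for consistency they should read `ACTION="<%= encode_entities($selfurl) %>"` and `VALUE="<%= encode_entities($session_id) %>"`. It is not visible from this hunk whether `encode_entities` is already imported into the template's scope, or whether the rest of this file (the `<SELECT NAME="pkgpart">` option list that follows, for instance) still interpolates unescaped values; both are worth checking in the same pass.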