diff options
| author | Ivan Kohler <ivan@freeside.biz> | 2012-12-08 11:07:04 -0800 |
|---|---|---|
| committer | Ivan Kohler <ivan@freeside.biz> | 2012-12-08 11:07:04 -0800 |
| commit | 786beb09ecbf02c572ca01c61353e163f0637dbd (patch) | |
| tree | 1255f336e54bc4be5abd9e9d6e0bece5e279e311 | |
| parent | fd4322f01b8c53b3f1f9e54ca15184930b0443de (diff) | |
fix part_pkg.comment xss
| -rwxr-xr-x | httemplate/browse/agent_type.cgi | 4 | ||||
| -rwxr-xr-x | httemplate/edit/agent_type.cgi | 2 |
2 files changed, 3 insertions, 3 deletions
diff --git a/httemplate/browse/agent_type.cgi b/httemplate/browse/agent_type.cgi index 1959302d2..7711dccf7 100755 --- a/httemplate/browse/agent_type.cgi +++ b/httemplate/browse/agent_type.cgi @@ -44,9 +44,9 @@ my $agent_type = shift; [ { #'data' => $part_pkg->pkg. ' - '. $part_pkg->comment, - 'data' => $type_pkgs->pkg. ' - '. + 'data' => encode_entities($type_pkgs->pkg). ' - '. ( $type_pkgs->custom ? '(CUSTOM) ' : '' ). - $type_pkgs->comment, + encode_entities($type_pkgs->comment), 'align' => 'left', 'link' => $p. 'edit/part_pkg.cgi?'. $type_pkgs->pkgpart, }, diff --git a/httemplate/edit/agent_type.cgi b/httemplate/edit/agent_type.cgi index 8a6fbc255..b75757fb1 100755 --- a/httemplate/edit/agent_type.cgi +++ b/httemplate/edit/agent_type.cgi @@ -20,7 +20,7 @@ Select which packages agents of this type may sell to customers<BR> 'source_obj' => $agent_type, 'link_table' => 'type_pkgs', 'target_table' => 'part_pkg', - 'name_callback' => sub { $_[0]->pkg_comment(nopkgpart => 1); }, + 'name_callback' => sub { encode_entities( $_[0]->pkg_comment(nopkgpart => 1) ); }, 'target_link' => $p.'edit/part_pkg.cgi?', 'disable-able' => 1, |