| author | Ivan Kohler <ivan@freeside.biz> | 2014-11-18 20:10:45 -0800 | 
|---|---|---|
| committer | Ivan Kohler <ivan@freeside.biz> | 2014-11-18 20:10:45 -0800 | 
| commit | 7df65c63a5c9ad6b79c60841d0e1eb2a7df520e2 (patch) | |
| tree | 1066975e258a61014432e620d047b4e5a984c737 | |
| parent | 8c2c7b4dc761ce015972444fb9fb8df7e7a9a5a4 (diff) | |
fix time queue redirection after #30921
| -rw-r--r-- | httemplate/misc/process/timeworked.html | 5 | ||||
| -rwxr-xr-x | httemplate/misc/timeworked.html | 5 | ||||
| -rw-r--r-- | httemplate/search/timeworked.html | 6 | 
3 files changed, 11 insertions, 5 deletions
|
diff --git a/httemplate/misc/process/timeworked.html b/httemplate/misc/process/timeworked.html
index 200a7511d..01752e1b7 100644
--- a/httemplate/misc/process/timeworked.html
+++ b/httemplate/misc/process/timeworked.html
@@ -1,7 +1,7 @@
 % if ($error) {
 <% $cgi->redirect(popurl(2). "timeworked.html?". $cgi->query_string) %>
 % } else {
-<% $cgi->redirect(popurl(3). "search/timeworked.html?begin=$begin;end=$end") %>
+<% $cgi->redirect(popurl(3). "search/timeworked.html?begin=$begin;end=$end;category=$category") %>
 % }
 <%init>
@@ -10,6 +10,9 @@ die "access denied"
 my($begin, $end) = FS::UI::Web::parse_beginning_ending($cgi);
+( my $category = $cgi->param('category') ) =~ /^\w*$/
+  or die 'illegal category';#no need for nice error messages for XSS, just avoid
+
 my @acct_rt_transaction;
 foreach my $transaction (
   map { /^transactionid(\d+)$/; $1; } grep /^transactionid\d+$/, $cgi->param
diff --git a/httemplate/misc/timeworked.html b/httemplate/misc/timeworked.html
index e4392825c..a0cf74371 100755
--- a/httemplate/misc/timeworked.html
+++ b/httemplate/misc/timeworked.html
@@ -82,8 +82,9 @@
 <BR>
-<INPUT TYPE="hidden" NAME="begin" VALUE="<% $cgi->param('begin') |h %>">
-<INPUT TYPE="hidden" NAME="end"   VALUE="<% $cgi->param('end')   |h %>">
+<INPUT TYPE="hidden" NAME="begin"    VALUE="<% $cgi->param('begin')    |h %>">
+<INPUT TYPE="hidden" NAME="end"      VALUE="<% $cgi->param('end')      |h %>">
+<INPUT TYPE="hidden" NAME="category" VALUE="<% $cgi->param('category') |h %>">
 <INPUT TYPE="submit" NAME="submit" VALUE="<% $title %>">
 </FORM>
diff --git a/httemplate/search/timeworked.html b/httemplate/search/timeworked.html
index 3e3ddcbba..12c7da043 100644
--- a/httemplate/search/timeworked.html
+++ b/httemplate/search/timeworked.html
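Review bot: The category check added in the second hunk of httemplate/misc/process/timeworked.html, `( my $category = $cgi->param('category') ) =~ /^\w*$/`, is looser than its comment suggests: `$` also matches before a trailing newline, and `\w` can match non-ASCII word characters depending on how the parameter was decoded, so such a value passes and is then interpolated unencoded into the redirect URL built in the first hunk. Anchoring with `\A`…`\z`, restricting to ASCII and taking the value from the capture closes that gap: `my $category = $cgi->param('category') // '';`, `$category =~ /\A([A-Za-z0-9_]*)\z/ or die 'illegal category';`, `$category = $1;`. The same `^…$` anchoring is applied to the category parameter in httemplate/search/timeworked.html, where the capture goes into a SQL fragment and a hidden input, and should be tightened the same way. The enclosing `<%init>` block starts before and continues after this hunk.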
@@ -1,7 +1,7 @@
 <& elements/search.html,
                  'title'       => 'Time Worked',
                  'name'        => 'time',
-		 'html_form'   => qq!<FORM NAME="timeForm" ACTION="${p}misc/timeworked.html" METHOD="POST">!,
+		 'html_form'   => $html_form,
                  'query'       => $query,
                  'count_query' => $count_query,
                  'header' => [ '#',
@@ -91,10 +91,12 @@ my($begin, $end) = FS::UI::Web::parse_beginning_ending($cgi);
 $where .= " AND $str2time_sql Transactions.Created $closing >= $begin ".
           " AND $str2time_sql Transactions.Created $closing <= $end ";
+my $html_form =
+  qq( <FORM NAME="timeForm" ACTION="${p}misc/timeworked.html" METHOD="POST"> );
 if ($cgi->param('category') =~ /^(\w+)$/) {
   $where .= " AND ocfv_TimeType.Content = '$1'";
+  $html_form .= qq( <INPUT TYPE="hidden" NAME="category" VALUE="$1"> );
 }
-warn $where."\n";;
 my $from = "
     FROM Transactions
|
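Review bot: `$html_form .= qq( <INPUT TYPE="hidden" NAME="category" VALUE="$1"> )` in the second hunk of httemplate/search/timeworked.html reads `$1` two statements after the match that set it, and the value lands unescaped both in that HTML attribute and, on the line above, inside a single-quoted SQL literal, so both uses are safe only as long as the `\w+` restriction is never loosened. Copying the capture into a lexical once makes that dependency explicit and keeps the two uses in step: `if ( my ($category) = ( $cgi->param('category') // '' ) =~ /\A(\w+)\z/ ) {`, `$where .= " AND ocfv_TimeType.Content = '$category'";`, `$html_form .= qq( <INPUT TYPE="hidden" NAME="category" VALUE="$category"> );`. A bind parameter for the SQL fragment would be better still, but how `$where` is consumed is outside the hunk. The `<%init>` block this sits in starts before and continues after the hunk, and `$html_form` is referenced from the component body in the first hunk, which presumably works because `<%init>` runs before the body is rendered.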
