authorChristopher Burger <burgerc@freeside.biz>2017-06-08 15:52:50 -0400
committerChristopher Burger <burgerc@freeside.biz>2017-06-08 15:52:50 -0400
commit8df787434943b1004b478ef594cfa106a719e6f0 (patch)
treea9a7ab951dd1d71a847694f1cc2e51f22df6f512
parent6e0f9bf522acce334318adea8ea0b003781f8272 (diff)
RT# 73993 - updated ng_selfservice/services.php and ng_selfservice/packages_change.php to only pass one cgi param pkgnum and escaped pkg_label
-rw-r--r--ng_selfservice/packages_change.php31
-rw-r--r--ng_selfservice/services.php4
2 files changed, 25 insertions, 10 deletions
diff --git a/ng_selfservice/packages_change.php b/ng_selfservice/packages_change.php
index 876f6cd19..20685e884 100644
--- a/ng_selfservice/packages_change.php
+++ b/ng_selfservice/packages_change.php
@@ -2,24 +2,39 @@
<? $current_menu = 'services.php'; include('elements/menu.php'); ?>
<?
+$get_params = array( 'pkgnum' );
+foreach ( $get_params AS $param ) {
+ $params[$param] = $_GET[$param];
+}
+
$customer_info = $freeside->customer_info_short( array(
'session_id' => $_COOKIE['session_id'],
) );
-foreach ( $cust_pkg AS $pkg ) {
- $part_pkg .= $pkg[pkgpart];
- $class_num .= $pkg[classnum];
+$list_pkgs = $freeside->list_pkgs( array(
+ 'session_id' => $_COOKIE['session_id'],
+) );
+
+if ( isset($list_pkgs['error']) && $list_pkgs['error'] ) {
+ $error = $list_pkgs['error'];
+ header('Location:index.php?error='. urlencode($error));
+ die();
}
-$get_params = array( 'pkgnum', 'pkg', 'classnum', 'pkgpart' );
-foreach ( $get_params AS $param ) {
- $params[$param] = $_GET[$param];
+extract($list_pkgs);
+
+foreach ( $cust_pkg AS $pkg ) {
+ if ( $pkg['pkgnum'] == $params['pkgnum'] ) {
+ $pkg_label = $pkg['pkg_label'];
+ $pkg_part = $pkg['pkgpart'];
+ $class_num = $pkg['classnum'];
+ }
}
$pkgselect = $freeside->mason_comp( array(
'session_id' => $_COOKIE['session_id'],
'comp' => '/elements/select-part_pkg.html',
- 'args' => [ 'classnum', $params['classnum'], 'curr_value', $params['pkgpart'], ],
+ 'args' => [ 'classnum', $class_num, 'curr_value', $pkg_part, ],
)
);
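Review bot: When `$_GET['pkgnum']` is missing or matches none of the session's packages, the loop over `$cust_pkg` leaves `$pkg_label`, `$pkg_part` and `$class_num` undefined, yet the page still calls `mason_comp` and renders the heading with them. This lookup is what ties the request to a package the session owns, so the no-match case should stop explicitly right after the loop, e.g. `if ( !isset($pkg_part) ) { header('Location:services.php'); die(); }`. The comparison can also be made strict with `(string)$pkg['pkgnum'] === (string)$params['pkgnum']`. Separately, `extract($list_pkgs)` drops every key of the backend response into the current scope, where it could overwrite `$params` or `$customer_info`; reading `$list_pkgs['cust_pkg']` directly avoids that. Whether `$params['pkgnum']` is echoed again further down the page cannot be seen from this hunk.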
@@ -41,7 +56,7 @@ function enable_change_pkg () {
}
</SCRIPT>
-<FONT SIZE=4>Purchase replacement package for "<? echo $params['pkg']; ?>"</FONT><BR><BR>
+<FONT SIZE=4>Purchase replacement package for "<? echo htmlspecialchars($pkg_label); ?>"</FONT><BR><BR>
<? include('elements/error.php'); ?>
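Review bot: The new `htmlspecialchars($pkg_label)` call relies on the interpreter's default flags and charset, which differ between PHP versions (single quotes are only escaped by default from PHP 8.1). Spelling them out keeps the escaping the same wherever this runs: `htmlspecialchars($pkg_label, ENT_QUOTES, 'UTF-8')`. The same applies to the `htmlspecialchars($pkg['pkg_label'])` call added in services.php.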
diff --git a/ng_selfservice/services.php b/ng_selfservice/services.php
index 987e5826d..b81f5583a 100644
--- a/ng_selfservice/services.php
+++ b/ng_selfservice/services.php
@@ -33,7 +33,7 @@ extract($list_pkgs);
$change_link = '';
if ( in_array("Change packages", $menu_disable) == 0) {
- $change_link = '<a href="packages_change.php?pkgnum=' . $pkg['pkgnum'] . '&pkg=' . $pkg['pkg_label'] . '&pkgpart=' . $pkg['pkgpart'] . '&classnum=' . $pkg['classnum'] . '">[change]</a>';
+ $change_link = '<a href="packages_change.php?pkgnum=' . $pkg['pkgnum'] . '">[change]</a>';
}
?>
<TR>
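Review bot: `$pkg['pkgnum']` is still concatenated into the `href` attribute without any encoding. It is presumably a numeric key from the backend, but encoding it keeps the link well-formed regardless of what `list_pkgs` returns: `'<a href="packages_change.php?pkgnum=' . urlencode($pkg['pkgnum']) . '">[change]</a>'`. The enclosing loop and the `$menu_disable` setup are outside the hunk.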
@@ -41,7 +41,7 @@ extract($list_pkgs);
</TR>
<TR>
<? echo $td ?><? echo $change_link ?>&nbsp;&nbsp;</TD>
- <? echo $td ?><? echo $pkg['pkg_label']; ?></TD>
+ <? echo $td ?><? echo htmlspecialchars($pkg['pkg_label']); ?></TD>
<? echo $td ?>
<FONT COLOR="#<? echo $pkg['statuscolor'] ?>"><B>
<? echo ucfirst($pkg['status']); ?>
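Review bot: Only `pkg_label` is escaped in this row; the context lines directly below still echo `$pkg['statuscolor']` into a `COLOR` attribute and `ucfirst($pkg['status'])` into the cell unescaped. Both are presumably fixed backend values, but giving them the same treatment closes the gap if that ever changes, e.g. `<? echo htmlspecialchars($pkg['statuscolor'], ENT_QUOTES, 'UTF-8') ?>` and `<? echo htmlspecialchars(ucfirst($pkg['status']), ENT_QUOTES, 'UTF-8'); ?>`. The rest of the row lies outside the hunk.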