diff options
| author | Ivan Kohler <ivan@freeside.biz> | 2012-11-11 22:20:19 -0800 |
|---|---|---|
| committer | Ivan Kohler <ivan@freeside.biz> | 2012-11-11 22:20:19 -0800 |
| commit | b2101823682f3738f5b367d2c1f2a7c6d47cdad1 (patch) | |
| tree | 861ad1cfbf0db4279ccef14a3a6967376e4751a7 | |
| parent | f06a0610477b0ba8e1931722c3105b880fbc35c3 (diff) | |
fix XSS
| -rw-r--r-- | FS/FS/UI/Web.pm | 5 | ||||
| -rw-r--r-- | httemplate/browse/part_event.html | 14 | ||||
| -rw-r--r-- | httemplate/edit/cust_main/first_pkg/svc_acct.html | 8 | ||||
| -rw-r--r-- | httemplate/index.html | 2 | ||||
| -rwxr-xr-x | httemplate/search/cust_main.cgi | 6 | ||||
| -rw-r--r-- | httemplate/search/elements/search-html.html | 4 |
6 files changed, 20 insertions, 19 deletions
diff --git a/FS/FS/UI/Web.pm b/FS/FS/UI/Web.pm index 1cc539a9f..c2ea0a61c 100644 --- a/FS/FS/UI/Web.pm +++ b/FS/FS/UI/Web.pm @@ -3,7 +3,8 @@ package FS::UI::Web; use strict; use vars qw($DEBUG @ISA @EXPORT_OK $me); use Exporter; -use Carp qw( confess );; +use Carp qw( confess ); +use HTML::Entities; use FS::Conf; use FS::Misc::DateTime qw( parse_datetime ); use FS::Record qw(dbdef); @@ -383,7 +384,7 @@ sub cust_fields { map { if ( $record->custnum ) { warn " $record -> $_" if $DEBUG > 1; - $record->$_(@_); + encode_entities( $record->$_(@_) ); } else { warn " ($record unlinked)" if $DEBUG > 1; $seen_unlinked++ ? '' : '(unlinked)'; diff --git a/httemplate/browse/part_event.html b/httemplate/browse/part_event.html index c06a14fe7..62e7ff0d9 100644 --- a/httemplate/browse/part_event.html +++ b/httemplate/browse/part_event.html @@ -47,7 +47,7 @@ my $event_sub = sub { my $onclick = include('/elements/popup_link_onclick.html', action => $p.'view/part_event-targets.html?eventpart='. $part_event->eventpart, - actionlabel => 'Event query - '.$part_event->event, + actionlabel => 'Event query', #no, XSS - '.$part_event->event, width => 650, height => 420, close_text => 'Close', @@ -55,14 +55,14 @@ my $event_sub = sub { [#rows [#subcolumns { - 'data' => $part_event->event, - 'link' => $p.'edit/part_event.html?'.$part_event->eventpart, + 'data' => encode_entities($part_event->event), + 'link' => $p.'edit/part_event.html?'.$part_event->eventpart, }, { - 'data' => ' (query) ', - 'size' => '-1', - 'data_style' => 'b', - 'onclick' => $onclick, + 'data' => ' (query) ', + 'size' => '-1', + 'data_style' => 'b', + 'onclick' => $onclick, }, ], ]; diff --git a/httemplate/edit/cust_main/first_pkg/svc_acct.html b/httemplate/edit/cust_main/first_pkg/svc_acct.html index b1ccc137c..717bf5025 100644 --- a/httemplate/edit/cust_main/first_pkg/svc_acct.html +++ b/httemplate/edit/cust_main/first_pkg/svc_acct.html @@ -5,7 +5,7 @@ <TD> <INPUT TYPE = "text" NAME = "username" - VALUE = "<% $opt{'username'} %>" + VALUE = "<% $opt{'username'} |h %>" SIZE = <% $ulen2 %> MAXLENGTH = <% $ulen %> > @@ -26,7 +26,7 @@ <TD> <INPUT TYPE = "text" NAME = "_password" - VALUE = "<% $opt{'password'} %>" + VALUE = "<% $opt{'password'} |h %>" SIZE = <% $pmax2 %> MAXLENGTH = <% $passwordmax %>> % unless ( $opt{'password_verify'} ) { @@ -41,7 +41,7 @@ <TD> <INPUT TYPE = "text" NAME = "_password2" - VALUE = "<% $opt{'password2'} %>" + VALUE = "<% $opt{'password2'} |h %>" SIZE = <% $pmax2 %> MAXLENGTH = <% $passwordmax %>> </TD> @@ -51,7 +51,7 @@ % if ( $conf->exists('security_phrase') ) { <TR> <TD ALIGN="right"><% mt('Security Phrase') |h %></TD> - <TD><INPUT TYPE="text" NAME="sec_phrase" VALUE="<% $opt{'sec_phrase'} %>"> + <TD><INPUT TYPE="text" NAME="sec_phrase" VALUE="<% $opt{'sec_phrase'} |h %>"> </TD> </TR> % } else { diff --git a/httemplate/index.html b/httemplate/index.html index 71926aa4e..bc51e6a52 100644 --- a/httemplate/index.html +++ b/httemplate/index.html @@ -46,7 +46,7 @@ % next unless $cust_main; <TR> - <TD CLASS="grid" BGCOLOR="<% $bgcolor %>"><A HREF="view/cust_main.cgi?<% $custnum %>"><% $cust_main->display_custnum %>: <% $cust_main->name %></A></TD> + <TD CLASS="grid" BGCOLOR="<% $bgcolor %>"><A HREF="view/cust_main.cgi?<% $custnum %>"><% $cust_main->display_custnum %>: <% $cust_main->name |h %></A></TD> </TR> % if ( $bgcolor eq $bgcolor1 ) { diff --git a/httemplate/search/cust_main.cgi b/httemplate/search/cust_main.cgi index 7c3ad3384..8e3c8133e 100755 --- a/httemplate/search/cust_main.cgi +++ b/httemplate/search/cust_main.cgi @@ -54,7 +54,7 @@ % my $refcustlabel = "$referral_custnum: " . % ( $cust_main->company || $cust_main->last. ', '. $cust_main->first ); referrals of - <A HREF="<% popurl(2)."view/cust_main.cgi?$referral_custnum" %>"><% $refcustlabel %></A> + <A HREF="<% popurl(2)."view/cust_main.cgi?$referral_custnum" %>"><% $refcustlabel |h %></A> <SELECT NAME="referral_depth" SIZE="1" onChange="changed(this)">'; % my $max = 8; @@ -147,7 +147,7 @@ % $view = $p. 'view/cust_main.cgi?'. $custnum; % } % my $pcompany = $company -% ? qq!<A HREF="$view"><FONT SIZE=-1>$company</FONT></A>! +% ? qq!<A HREF="$view"><FONT SIZE=-1>!. encode_entities($company). '</FONT></A>' % : '<FONT SIZE=-1> </FONT>'; % % my $status = $cust_main->status; @@ -161,7 +161,7 @@ <FONT SIZE="-1" COLOR="#<% $statuscol %>"><B><% ucfirst($status) %></B></FONT> </TD> <TD CLASS="grid" BGCOLOR="<% $bgcolor %>" ROWSPAN=<% $rowspan %>> - <A HREF="<% $view %>"><FONT SIZE=-1><% "$last, $first" %></FONT></A> + <A HREF="<% $view %>"><FONT SIZE=-1><% "$last, $first" |h %></FONT></A> </TD> <TD CLASS="grid" BGCOLOR="<% $bgcolor %>" ROWSPAN=<% $rowspan %>> <% $pcompany %> diff --git a/httemplate/search/elements/search-html.html b/httemplate/search/elements/search-html.html index d7e81282b..5c8001fad 100644 --- a/httemplate/search/elements/search-html.html +++ b/httemplate/search/elements/search-html.html @@ -341,9 +341,9 @@ % $_ =~ /^\d+$/ ) { % # for the 'straight SQL' case: specify fields % # by position -% $row->[$_]; +% encode_entities($row->[$_]); % } else { -% $row->$_(); +% encode_entities($row->$_()); % } % } % @{$opt{'fields'}} |