authorIvan Kohler <ivan@freeside.biz>2017-03-06 20:15:32 -0800
committerIvan Kohler <ivan@freeside.biz>2017-03-06 20:15:32 -0800
commitc8e285347d6f794e9b21ce539dcb0d89c77495fa (patch)
treefa571d5d47b189cd4e415d37a51208d2060f8264
parent5e4c25e208146477593465199b2487cc6229eebb (diff)
xss
-rw-r--r--httemplate/misc/email-customers.html4
1 files changed, 2 insertions, 2 deletions
diff --git a/httemplate/misc/email-customers.html b/httemplate/misc/email-customers.html
index b228b7202..981d0e6da 100644
--- a/httemplate/misc/email-customers.html
+++ b/httemplate/misc/email-customers.html
@@ -67,8 +67,8 @@ from/subject/body cgi params
<INPUT TYPE="hidden" NAME="msgnum" VALUE="<% $msg_template->msgnum %>">
% # kludge these through hidden inputs because they're not really part
% # of the template, but should be sticky during draft editing
- <INPUT TYPE="hidden" NAME="from_name" VALUE="<% $cgi->param('from_name') %>">
- <INPUT TYPE="hidden" NAME="from_addr" VALUE="<% $cgi->param('from_addr') %>">
+ <INPUT TYPE="hidden" NAME="from_name" VALUE="<% scalar($cgi->param('from_name')) |h %>">
+ <INPUT TYPE="hidden" NAME="from_addr" VALUE="<% scalar($cgi->param('from_addr')) |h %>">
% if ( !$msg_template->disabled ) {
<& /elements/tr-td-label.html, 'label' => 'Template:' &>