author | Christopher Burger <burgerc@freeside.biz> | 2019-02-26 11:06:33 -0500 |
committer | Christopher Burger <burgerc@freeside.biz> | 2019-02-26 11:06:33 -0500 |
commit | db257f5b5f5c9e56dbaba19914d3ff9f5be9a4e0 (patch) | |
tree | b733062f34b4e16c2d694bc1a8a1453bc491d94f | |
parent | d0a105a296bae50a191424abed78a1ba4f251248 (diff) |
RT# 82092 - updated HTML escaping to use encode_entities
-rwxr-xr-x | FS/FS/part_virtual_field.pm | 10 | ||||
-rw-r--r-- | httemplate/browse/router.cgi | 6 | ||||
-rw-r--r-- | httemplate/edit/elements/part_svc_column.html | 2 |
3 files changed, 8 insertions, 10 deletions
diff --git a/FS/FS/part_virtual_field.pm b/FS/FS/part_virtual_field.pm
index 63712b763..eae519f6d 100755
--- a/FS/FS/part_virtual_field.pm
+++ b/FS/FS/part_virtual_field.pm
@@ -2,7 +2,7 @@ package FS::part_virtual_field;
 use base qw(FS::Record);
 use strict;
-use CGI qw(escapeHTML);
+use HTML::Entities;
 use FS::Schema qw( dbdef );
 =head1 NAME
@@ -89,14 +89,14 @@ sub widget {
 if ($ui_type eq 'HTML') {
 if ($mode eq 'view') {
- $text = q!<TR><!.$header_col_type.q! ALIGN="right">! . $label .
- q!</!.$header_col_type.q!><TD BGCOLOR="#ffffff">! . $value .
+ $text = q!<TR><!.$header_col_type.q! ALIGN="right">! . encode_entities($label) .
+ q!</!.$header_col_type.q!><TD BGCOLOR="#ffffff">! . encode_entities($value) .
 q!</TD></TR>! . "\n";
 } elsif ($mode eq 'edit') {
- $text = q!<TR><!.$header_col_type.q! ALIGN="right">! . $label .
+ $text = q!<TR><!.$header_col_type.q! ALIGN="right">! . encode_entities($label) .
 q!</!.$header_col_type.q!><TD>!;
 $text .= q!<INPUT TYPE=text NAME="! . $self->name .
- q!" VALUE="! . escapeHTML($value) . q!"!;
+ q!" VALUE="! . encode_entities($value) . q!"!;
 if ($self->length) {
 $text .= q! SIZE="! . $self->length . q!"!;
 }
diff --git a/httemplate/browse/router.cgi b/httemplate/browse/router.cgi
index c7713f313..354111875 100644
--- a/httemplate/browse/router.cgi
+++ b/httemplate/browse/router.cgi
@@ -17,8 +17,6 @@
 %>
 <%init>
-use CGI qw(escapeHTML);
-
 die "access denied" unless $FS::CurrentUser::CurrentUser->access_right('Broadband configuration') || $FS::CurrentUser::CurrentUser->access_right('Broadband global configuration');
@@ -50,8 +48,8 @@ my @links = (
 [ "${p2}edit/router.cgi?", 'routernum' ],
 );
 foreach (FS::router->virtual_fields_hash) {
- push @header_fields, escapeHTML($_->{'label'});
- push @fields, escapeHTML($_->{'name'});
+ push @header_fields, encode_entities($_->{'label'});
+ push @fields, encode_entities($_->{'name'});
 push @links, '';
 }
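Review bot: The bare `use HTML::Entities;` in the first hunk pulls in the module's whole default export list, where the line it replaces named the single function it needed. Keeping that explicitness with `use HTML::Entities qw(encode_entities);` makes the new calls in the widget hunk traceable to their import and avoids importing names this file does not use. Nothing in the visible hunks uses any other HTML::Entities export.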
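Review bot: In the widget hunk, `$self->name` on the `NAME="` line and `$self->length` on the `SIZE="` line are still concatenated raw into attribute values while `$label` and `$value` now go through encode_entities, even though all four come from the same part_virtual_field record; the consistent form is `$text .= q!<INPUT TYPE=text NAME="! . encode_entities($self->name) .` and `$text .= q! SIZE="! . encode_entities($self->length) . q!"!;`. `$header_col_type` is likewise interpolated as a tag name, though it is presumably selected by code rather than stored data. Note that encode_entities with no second argument also encodes non-ASCII characters as numeric entities, which is fine for a browser but a visible difference from escapeHTML for any test or tool that compares the rendered string. sub widget begins before this hunk and continues past it.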
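Review bot: Removing `use CGI qw(escapeHTML);` from the `<%init>` block of router.cgi leaves nothing in this component importing encode_entities, yet the `@@ -50,8 +48,8 @@` hunk below now calls it twice; unless the Mason handler preloads HTML::Entities into every component's package, the page will fail with an undefined subroutine at request time. Either add `use HTML::Entities qw(encode_entities);` where the removed line was or confirm the shared preamble provides it. The `|h` filter in part_svc_column.html suggests an escaping helper is available environment-wide, so the preload is plausible, but it is not visible in this diff.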
diff --git a/httemplate/edit/elements/part_svc_column.html b/httemplate/edit/elements/part_svc_column.html
index 075f15e2c..bdbce7c79 100644
--- a/httemplate/edit/elements/part_svc_column.html
+++ b/httemplate/edit/elements/part_svc_column.html
@@ -97,7 +97,7 @@ my %communigate_fields = (
 <TD ROWSPAN=2 CLASS="grid">
 <INPUT NAME="<% $svcdb %>__<% $field %>_label" STYLE="text-align: right"
- VALUE="<% $part_svc_column->columnlabel || escapeHTML($def->{'label'}) |h %>">
+ VALUE="<% $part_svc_column->columnlabel || $def->{'label'} |h %>">
 </TD>
 <TD ROWSPAN=1 CLASS="grid"> |