diff options
| author | Ivan Kohler <ivan@freeside.biz> | 2018-11-19 14:43:12 -0800 |
|---|---|---|
| committer | Ivan Kohler <ivan@freeside.biz> | 2018-11-19 14:43:12 -0800 |
| commit | b5bce398b1dd80089ec363eb14107645cc5a546f (patch) | |
| tree | 07a9068f02966cbd7b3bb7f1b8b666dfc1e3ab2a /fs_selfservice/FS-SelfService | |
| parent | 12ac7af853e51693f1bc7e49669974b9cd54e9bb (diff) | |
self-xss, RT#81757
Diffstat (limited to 'fs_selfservice/FS-SelfService')
| -rw-r--r-- | fs_selfservice/FS-SelfService/cgi/contact.html | 12 |
1 files changed, 6 insertions, 6 deletions
diff --git a/fs_selfservice/FS-SelfService/cgi/contact.html b/fs_selfservice/FS-SelfService/cgi/contact.html index 20c15df..7ae0d48 100644 --- a/fs_selfservice/FS-SelfService/cgi/contact.html +++ b/fs_selfservice/FS-SelfService/cgi/contact.html @@ -3,22 +3,22 @@ <TR> <TH ALIGN="right"><%=$r%>Contact name<BR>(last, first)</TH> <TD COLSPAN=5> - <INPUT TYPE="text" NAME="<%=$pre%>last" VALUE="<%= ${$pre.'last'} %>" onChange="<%= $onchange %>" <%=$disabled%>> , - <INPUT TYPE="text" NAME="<%=$pre%>first" VALUE="<%= ${$pre.'first'} %>" onChange="<%= $onchange %>" <%=$disabled%>> + <INPUT TYPE="text" NAME="<%=$pre%>last" VALUE="<%= encode_entities(${$pre.'last'}) %>" onChange="<%= $onchange %>" <%=$disabled%>> , + <INPUT TYPE="text" NAME="<%=$pre%>first" VALUE="<%= encode_entities(${$pre.'first'}) %>" onChange="<%= $onchange %>" <%=$disabled%>> </TD> </TR> <TR> <TD ALIGN="right">Company</TD> <TD COLSPAN=7> - <INPUT TYPE="text" NAME="<%=$pre%>company" VALUE="<%= ${$pre.'company'} %>" SIZE=70 onChange="<%= $onchange %>" <%=$disabled%>> + <INPUT TYPE="text" NAME="<%=$pre%>company" VALUE="<%= encode_entities(${$pre.'company'}) %>" SIZE=70 onChange="<%= $onchange %>" <%=$disabled%>> </TD> </TR> <TR> <TH ALIGN="right"><%=$r%>Address</TH> <TD COLSPAN=7> - <INPUT TYPE="text" NAME="<%=$pre%>address1" VALUE="<%= ${$pre.'address1'} %>" SIZE=70 onChange="<%= $onchange %>" <%=$disabled%>> + <INPUT TYPE="text" NAME="<%=$pre%>address1" VALUE="<%= encode_entities(${$pre.'address1'}) %>" SIZE=70 onChange="<%= $onchange %>" <%=$disabled%>> </TD> </TR> @@ -37,14 +37,14 @@ %> </TD> <TD COLSPAN=7> - <INPUT TYPE="text" NAME="<%=$pre%>address2" VALUE="<%= ${$pre.'address2'} %>" SIZE=70 onChange="<%= $onchange %>" <%=$disabled%>> + <INPUT TYPE="text" NAME="<%=$pre%>address2" VALUE="<%= encode_entities(${$pre.'address2'}) %>" SIZE=70 onChange="<%= $onchange %>" <%=$disabled%>> </TD> </TR> <TR> <TH ALIGN="right"><%=$r%>City</TH> <TD> - <INPUT TYPE="text" ID="<%=$pre%>city" NAME="<%=$pre%>city" VALUE="<%= ${$pre.'city'} %>" onChange="<%= $onchange %>" <%=$disabled%>> + <INPUT TYPE="text" ID="<%=$pre%>city" NAME="<%=$pre%>city" VALUE="<%= encode_entities(${$pre.'city'}) %>" onChange="<%= $onchange %>" <%=$disabled%>> </TD> <%= ($county_html, $state_html, $country_html) = |