authorIvan Kohler <ivan@freeside.biz>2015-07-11 23:46:49 -0700
committerIvan Kohler <ivan@freeside.biz>2015-07-11 23:46:49 -0700
commitae2a98aa6d846caf5a2d597b0ff7c916ace24a6e (patch)
tree02291cac2493e7252e0119690a61104f915f0994 /httemplate/misc/email-customers.html
parenta0974543bc19678e78971c0182fe4cf4bcce0e9f (diff)
secure $cgi->param calls (and include to <& &>)
Diffstat (limited to 'httemplate/misc/email-customers.html')
-rw-r--r--httemplate/misc/email-customers.html18
1 files changed, 8 insertions, 10 deletions
diff --git a/httemplate/misc/email-customers.html b/httemplate/misc/email-customers.html
index 57f451fdc..09ff93cca 100644
--- a/httemplate/misc/email-customers.html
+++ b/httemplate/misc/email-customers.html
@@ -51,13 +51,12 @@ should be used to set msgnum or from/subject/html_body cgi params
<FONT SIZE="+2">Sending notice</FONT>
- <% include('/elements/progress-init.html',
+ <& /elements/progress-init.html,
'OneTrueForm',
[ qw( search table from subject html_body text_body msgnum ) ],
$process_url,
$pdest,
- )
- %>
+ &>
% } elsif ( $cgi->param('action') eq 'preview' ) {
@@ -68,7 +67,7 @@ should be used to set msgnum or from/subject/html_body cgi params
% if ( $cgi->param('action') ) {
<TABLE BGCOLOR="#cccccc" CELLSPACING=0>
- <INPUT TYPE="hidden" NAME="msgnum" VALUE="<% $cgi->param('msgnum') %>">
+ <INPUT TYPE="hidden" NAME="msgnum" VALUE="<% scalar($cgi->param('msgnum')) %>">
% if ( $msg_template ) {
<% include('/elements/tr-fixed.html',
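Review bot: Wrapping the value in `scalar()` on the `<INPUT TYPE="hidden" NAME="msgnum" ...>` line stops a multi-valued parameter from spilling extra list elements into the markup, but the one value that remains is still written into an HTML attribute unescaped, since the surrounding `<% include(...) %>` calls show the component's default output filter does not escape. Unless every path through `<%init>` rejects a msgnum that is not a known template before this line is reached (the `qsearchs ... or die` check in the last hunk appears to sit under the `preview` action only), a crafted value can close the attribute and inject markup. Apply the Mason escape flag here: `<INPUT TYPE="hidden" NAME="msgnum" VALUE="<% scalar($cgi->param('msgnum')) |h %>">`. The `% if ( $cgi->param('action') ) {` block opened in this hunk closes outside it.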
@@ -160,12 +159,11 @@ Template:
'size' => 20,
&>&gt;</TD>
- <% include('/elements/tr-input-text.html',
+ <& /elements/tr-input-text.html,
'field' => 'subject',
'label' => 'Subject:',
'size' => 50,
- )
- %>
+ &>
<TR>
<TD ALIGN="right" VALIGN="top" STYLE="padding-top:3px">Message: </TD>
@@ -193,7 +191,7 @@ Template:
</SCRIPT>
% }
-<% include('/elements/footer.html') %>
+<& /elements/footer.html &>
<%init>
@@ -222,7 +220,7 @@ $pdest->{'url'} = $cgi->param('url') if $url;
my %search;
if ( $cgi->param('search') ) {
- %search = %{ thaw(decode_base64($cgi->param('search'))) };
+ %search = %{ thaw(decode_base64( $cgi->param('search') )) };
}
else {
%search = $cgi->Vars;
@@ -267,7 +265,7 @@ if ( $cgi->param('action') eq 'preview' ) {
if ( $cgi->param('msgnum') ) {
$msg_template = qsearchs('msg_template',
- { msgnum => $cgi->param('msgnum') } )
+ { msgnum => scalar($cgi->param('msgnum')) } )
or die "template not found: ".$cgi->param('msgnum');
$sql_query->{'extra_sql'} .= ' LIMIT 1';
$sql_query->{'select'} = "$table.*";