fix time queue redirection after #30921

author: Ivan Kohler <ivan@freeside.biz> 2014-11-18 20:10:44 -0800
committer: Ivan Kohler <ivan@freeside.biz> 2014-11-18 20:10:44 -0800
commit: e9b2a0d4a388aeb876560aa243d4b9d90ba8c84b (patch)
tree: a26d87679c60412428edd08232960af8d5af0806 /httemplate/misc/process/timeworked.html
parent: 5499e8e571862b071e1b072a017aba16636ea34b (diff)
1 files changed, 4 insertions, 1 deletions
diff --git a/httemplate/misc/process/timeworked.html b/httemplate/misc/process/timeworked.html
index 200a7511d..01752e1b7 100644
--- a/httemplate/misc/process/timeworked.html
+++ b/httemplate/misc/process/timeworked.html
@@ -1,7 +1,7 @@
 % if ($error) {
 <% $cgi->redirect(popurl(2). "timeworked.html?". $cgi->query_string) %>
 % } else {
-<% $cgi->redirect(popurl(3). "search/timeworked.html?begin=$begin;end=$end") %>
+<% $cgi->redirect(popurl(3). "search/timeworked.html?begin=$begin;end=$end;category=$category") %>
 % }
 <%init>
 
@@ -10,6 +10,9 @@ die "access denied"
 
 my($begin, $end) = FS::UI::Web::parse_beginning_ending($cgi);
 
+( my $category = $cgi->param('category') ) =~ /^\w*$/
+  or die 'illegal category';#no need for nice error messages for XSS, just avoid
+
 my @acct_rt_transaction;
 foreach my $transaction (
   map { /^transactionid(\d+)$/; $1; } grep /^transactionid\d+$/, $cgi->param
author	Ivan Kohler <ivan@freeside.biz>	2014-11-18 20:10:44 -0800
committer	Ivan Kohler <ivan@freeside.biz>	2014-11-18 20:10:44 -0800
commit	e9b2a0d4a388aeb876560aa243d4b9d90ba8c84b (patch)
tree	a26d87679c60412428edd08232960af8d5af0806 /httemplate/misc/process/timeworked.html
parent	5499e8e571862b071e1b072a017aba16636ea34b (diff)