author | Ivan Kohler <ivan@freeside.biz> | 2015-07-11 23:44:45 -0700 |
---|---|---|
committer | Ivan Kohler <ivan@freeside.biz> | 2015-07-11 23:44:45 -0700 |
commit | da63c1a666c4a6ff2ca9ac8a53986f4497252909 (patch) | |
tree | aadccd2d7dbbd7bd55bd97074e210701c9ec2a62 /httemplate/misc | |
parent | 990439e2c8c545ea75ba5ded346fd51c4560b805 (diff) |
secure $cgi->param calls (and include to <& &>)
Diffstat (limited to 'httemplate/misc')
-rw-r--r-- | httemplate/misc/email-customers.html | 33 |
1 files changed, 14 insertions, 19 deletions
diff --git a/httemplate/misc/email-customers.html b/httemplate/misc/email-customers.html
index 0c90b07e7..d2a39287e 100644
--- a/httemplate/misc/email-customers.html
+++ b/httemplate/misc/email-customers.html
@@ -50,13 +50,12 @@ should be used to set msgnum or from/subject/html_body cgi params
 <FONT SIZE="+2">Sending notice</FONT>
- <% include('/elements/progress-init.html',
+ <& /elements/progress-init.html,
 'OneTrueForm',
 [ qw( search table from subject html_body text_body msgnum ) ],
 $process_url,
 $pdest,
- )
- %>
+ &>
 % } elsif ( $cgi->param('action') eq 'preview' ) {
@@ -67,29 +66,26 @@ should be used to set msgnum or from/subject/html_body cgi params
 % if ( $cgi->param('action') ) {
 <TABLE CLASS="fsinnerbox">
- <INPUT TYPE="hidden" NAME="msgnum" VALUE="<% $cgi->param('msgnum') %>">
+ <INPUT TYPE="hidden" NAME="msgnum" VALUE="<% scalar($cgi->param('msgnum')) %>">
 % if ( $msg_template ) {
- <% include('/elements/tr-fixed.html',
+ <& /elements/tr-fixed.html,
 'label' => 'Template:',
 'value' => $msg_template->msgname,
- )
- %>
+ &>
 % }
- <% include('/elements/tr-fixed.html',
+ <& /elements/tr-fixed.html,
 'field' => 'from',
 'label' => 'From:',
 'value' => scalar( $from ),
- )
- %>
+ &>
- <% include('/elements/tr-fixed.html',
+ <& /elements/tr-fixed.html,
 'field' => 'subject',
 'label' => 'Subject:',
 'value' => scalar( $subject ),
- )
- %>
+ &>
 <INPUT TYPE="hidden" NAME="html_body" VALUE="<% $html_body |h %>">
 <TR><TD COLSPAN=2> </TD></TR>
@@ -175,12 +171,11 @@ Template:
 'size' => 20,
 &>></TD>
- <% include('/elements/tr-input-text.html',
+ <& /elements/tr-input-text.html,
 'field' => 'subject',
 'label' => 'Subject:',
 'size' => 50,
- )
- %>
+ &>
 <TR>
 <TD ALIGN="right" VALIGN="top" STYLE="padding-top:3px">Message: </TD>
@@ -208,7 +203,7 @@ Template:
 </SCRIPT>
 % }
-<% include('/elements/footer.html') %>
+<& /elements/footer.html &>
 <%init>
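Review bot: In the second hunk, the new `VALUE="<% scalar($cgi->param('msgnum')) %>"` still reflects the request parameter into an HTML attribute unescaped; forcing scalar context closes the list-injection hole but not the attribute-injection one. The `html_body` hidden input a few lines below already uses the escaping filter, so this line should match it: `<INPUT TYPE="hidden" NAME="msgnum" VALUE="<% scalar($cgi->param('msgnum')) |h %>">`. Since msgnum is later used as a numeric lookup key, validating it as an integer in the `<%init>` block would be an additional layer, but the `|h` filter is the consistent fix for the template. The enclosing `% if ( $cgi->param('action') ) {` block is closed outside the hunk.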
@@ -237,7 +232,7 @@ $pdest->{'url'} = $cgi->param('url') if $url;
 my %search;
 if ( $cgi->param('search') ) {
- %search = %{ thaw(decode_base64($cgi->param('search'))) };
+ %search = %{ thaw(decode_base64( $cgi->param('search') )) };
 } else {
 %search = $cgi->Vars;
@@ -282,7 +277,7 @@ if ( $cgi->param('action') eq 'preview' ) {
 if ( $cgi->param('msgnum') ) {
 $msg_template = qsearchs('msg_template',
- { msgnum => $cgi->param('msgnum') } )
+ { msgnum => scalar($cgi->param('msgnum')) } )
 or die "template not found: ".$cgi->param('msgnum');
 $sql_query->{'extra_sql'} .= ' LIMIT 1';
 $sql_query->{'select'} = "$table.*"; |
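Review bot: `thaw(decode_base64( $cgi->param('search') ))` in the first hunk deserializes a Storable blob that arrives straight from the client, and the whitespace-only change here leaves that unchanged. Storable::thaw reconstructs blessed references from the stream, so the caller has no control over which classes get instantiated from attacker-chosen bytes; the round-tripped `search` value should be integrity-protected (for example an HMAC attached when the hidden field is emitted and verified here before `thaw`), or the search criteria kept server-side and referenced by an opaque id. A comment such as `# search is a client-supplied Storable blob; verify its origin before thawing` at minimum marks the trust boundary. The `if/else` that assigns `%search` continues past the end of the hunk.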