diff options
| author | Ivan Kohler <ivan@freeside.biz> | 2012-11-11 22:20:19 -0800 |
|---|---|---|
| committer | Ivan Kohler <ivan@freeside.biz> | 2012-11-11 22:20:19 -0800 |
| commit | b2101823682f3738f5b367d2c1f2a7c6d47cdad1 (patch) | |
| tree | 861ad1cfbf0db4279ccef14a3a6967376e4751a7 /httemplate/search | |
| parent | f06a0610477b0ba8e1931722c3105b880fbc35c3 (diff) | |
fix XSS
Diffstat (limited to 'httemplate/search')
| -rwxr-xr-x | httemplate/search/cust_main.cgi | 6 | ||||
| -rw-r--r-- | httemplate/search/elements/search-html.html | 4 |
2 files changed, 5 insertions, 5 deletions
diff --git a/httemplate/search/cust_main.cgi b/httemplate/search/cust_main.cgi index 7c3ad3384..8e3c8133e 100755 --- a/httemplate/search/cust_main.cgi +++ b/httemplate/search/cust_main.cgi @@ -54,7 +54,7 @@ % my $refcustlabel = "$referral_custnum: " . % ( $cust_main->company || $cust_main->last. ', '. $cust_main->first ); referrals of - <A HREF="<% popurl(2)."view/cust_main.cgi?$referral_custnum" %>"><% $refcustlabel %></A> + <A HREF="<% popurl(2)."view/cust_main.cgi?$referral_custnum" %>"><% $refcustlabel |h %></A> <SELECT NAME="referral_depth" SIZE="1" onChange="changed(this)">'; % my $max = 8; @@ -147,7 +147,7 @@ % $view = $p. 'view/cust_main.cgi?'. $custnum; % } % my $pcompany = $company -% ? qq!<A HREF="$view"><FONT SIZE=-1>$company</FONT></A>! +% ? qq!<A HREF="$view"><FONT SIZE=-1>!. encode_entities($company). '</FONT></A>' % : '<FONT SIZE=-1> </FONT>'; % % my $status = $cust_main->status; @@ -161,7 +161,7 @@ <FONT SIZE="-1" COLOR="#<% $statuscol %>"><B><% ucfirst($status) %></B></FONT> </TD> <TD CLASS="grid" BGCOLOR="<% $bgcolor %>" ROWSPAN=<% $rowspan %>> - <A HREF="<% $view %>"><FONT SIZE=-1><% "$last, $first" %></FONT></A> + <A HREF="<% $view %>"><FONT SIZE=-1><% "$last, $first" |h %></FONT></A> </TD> <TD CLASS="grid" BGCOLOR="<% $bgcolor %>" ROWSPAN=<% $rowspan %>> <% $pcompany %> diff --git a/httemplate/search/elements/search-html.html b/httemplate/search/elements/search-html.html index d7e81282b..5c8001fad 100644 --- a/httemplate/search/elements/search-html.html +++ b/httemplate/search/elements/search-html.html @@ -341,9 +341,9 @@ % $_ =~ /^\d+$/ ) { % # for the 'straight SQL' case: specify fields % # by position -% $row->[$_]; +% encode_entities($row->[$_]); % } else { -% $row->$_(); +% encode_entities($row->$_()); % } % } % @{$opt{'fields'}} |