| author | Mark Wells <mark@freeside.biz> | 2015-01-28 14:18:29 -0800 |
|---|---|---|
| committer | Mark Wells <mark@freeside.biz> | 2015-01-28 14:18:29 -0800 |
| commit | 6d0042982eec69028b9deef42ab2cd8ae015a077 (patch) | |
| tree | 3f620b9761bae98fdded6682801fb406b8c22821 /httemplate | |
| parent | 23b594474ce15953c71ebd2d849cf7ad67d7f5a5 (diff) | |
allow punctuation in tax name on tax report, #33255
Diffstat (limited to 'httemplate')
| -rw-r--r-- | httemplate/search/report_tax.cgi | 7 |
1 files changed, 4 insertions, 3 deletions
diff --git a/httemplate/search/report_tax.cgi b/httemplate/search/report_tax.cgi
index 83f2fc5d3..491cd42c5 100644
--- a/httemplate/search/report_tax.cgi
+++ b/httemplate/search/report_tax.cgi
@@ -151,7 +151,7 @@ TD.rowhead { font-weight: bold; text-align: left; padding: 0px 3px }
 <% emt('Out of taxable region') %>
 </TD>
 <TD STYLE="text-align: right">
- <A HREF="<% $saleslink %>;out=1;taxname=<% $params{taxname} %>">
+ <A HREF="<% $saleslink %>;out=1;taxname=<% encode_entities($params{'taxname'}) %>">
 <% $money_sprintf->( $report->{outside } ) %>
 </A>
 </TD>
@@ -188,8 +188,9 @@ if ( $cgi->param('agentnum') =~ /^(\d+)$/ ) {
 $agentname = $agent->agentname;
 }
 
-if ( $cgi->param('taxname') =~ /^([\w ]+)$/ ) {
- $params{taxname} = $1;
+# allow anything in here; FS::Report::Tax will treat it as unsafe
+if ( length($cgi->param('taxname')) ) {
+ $params{taxname} = $cgi->param('taxname');
 } else {
 die "taxname required";
 } |
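Review bot: In the rewritten `<A HREF=...>` line, `encode_entities` protects the HTML attribute but does not URL-encode the value, so a tax name containing `;`, `&`, `#`, `%` or `+` is split or altered when the link is followed, and those are the characters this commit starts to allow. Percent-encode the value before entity-encoding it: `taxname=<% encode_entities(uri_escape($params{'taxname'})) %>`. That uses URI::Escape's `uri_escape`, assuming it is in scope for this template; Mason's `|u` escape flag is an alternative. How `$saleslink` is built is outside this hunk, so if it also embeds the tax name it needs the same treatment.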
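Review bot: Dropping the `/^([\w ]+)$/` whitelist means `$params{taxname}` now holds raw request data, and the new comment places the whole burden on FS::Report::Tax, which this diff does not show. Only the one link in the first hunk gains output escaping, so any other place in this template that prints `$params{taxname}` or builds a URL or query from it (none are visible here) was previously safe only because of the validation and should be checked. I would make the comment state the obligation, e.g. `# taxname is unvalidated from here on: escape it on every output and pass it to SQL only through placeholders or quoting`. It is also worth bounding the input before the assignment, for instance by rejecting control characters and overlong values.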
