diff options
Diffstat (limited to 'httemplate/misc')
| -rw-r--r-- | httemplate/misc/process/timeworked.html | 5 | ||||
| -rwxr-xr-x | httemplate/misc/timeworked.html | 5 |
2 files changed, 7 insertions, 3 deletions
diff --git a/httemplate/misc/process/timeworked.html b/httemplate/misc/process/timeworked.html index 200a7511d..01752e1b7 100644 --- a/httemplate/misc/process/timeworked.html +++ b/httemplate/misc/process/timeworked.html @@ -1,7 +1,7 @@ % if ($error) { <% $cgi->redirect(popurl(2). "timeworked.html?". $cgi->query_string) %> % } else { -<% $cgi->redirect(popurl(3). "search/timeworked.html?begin=$begin;end=$end") %> +<% $cgi->redirect(popurl(3). "search/timeworked.html?begin=$begin;end=$end;category=$category") %> % } <%init> @@ -10,6 +10,9 @@ die "access denied" my($begin, $end) = FS::UI::Web::parse_beginning_ending($cgi); +( my $category = $cgi->param('category') ) =~ /^\w*$/ + or die 'illegal category';#no need for nice error messages for XSS, just avoid + my @acct_rt_transaction; foreach my $transaction ( map { /^transactionid(\d+)$/; $1; } grep /^transactionid\d+$/, $cgi->param diff --git a/httemplate/misc/timeworked.html b/httemplate/misc/timeworked.html index e4392825c..a0cf74371 100755 --- a/httemplate/misc/timeworked.html +++ b/httemplate/misc/timeworked.html @@ -82,8 +82,9 @@ <BR> -<INPUT TYPE="hidden" NAME="begin" VALUE="<% $cgi->param('begin') |h %>"> -<INPUT TYPE="hidden" NAME="end" VALUE="<% $cgi->param('end') |h %>"> +<INPUT TYPE="hidden" NAME="begin" VALUE="<% $cgi->param('begin') |h %>"> +<INPUT TYPE="hidden" NAME="end" VALUE="<% $cgi->param('end') |h %>"> +<INPUT TYPE="hidden" NAME="category" VALUE="<% $cgi->param('category') |h %>"> <INPUT TYPE="submit" NAME="submit" VALUE="<% $title %>"> </FORM> |