4 files changed, 12 insertions, 10 deletions
diff --git a/httemplate/misc/payment.cgi b/httemplate/misc/payment.cgi
index 44904fba6..9e530cf0a 100644
--- a/httemplate/misc/payment.cgi
+++ b/httemplate/misc/payment.cgi
@@ -59,9 +59,8 @@
             <TH><% mt('Exp.') |h %></TH>
             <TD>
               <SELECT NAME="month">
-% for ( ( map "0$_", 1 .. 9 ), 10 .. 12 ) { 
-
-                  <OPTION<% $_ == $month ? ' SELECTED' : '' %>><% $_ %>
+% for ( map{ sprintf('%02d',$_) } (1..12) ) {
+                  <OPTION VALUE="<% $_ %>"<% $_ == $month ? ' SELECTED' : '' %>><% $_ %></OPTION>
 % } 
 
               </SELECT>
@@ -70,8 +69,7 @@
             <TD>
               <SELECT NAME="year">
 % my @a = localtime; for ( $a[5]+1900 .. $a[5]+1915 ) { 
-
-                  <OPTION<% $_ == $year ? ' SELECTED' : '' %>><% $_ %>
+                  <OPTION VALUE="<% $_ %>"<% $_ == $year ? ' SELECTED' : '' %>><% $_ %></OPTION>
 % } 
 
               </SELECT>
diff --git a/httemplate/misc/process/change-password.html b/httemplate/misc/process/change-password.html
index a3e060168..37ad6d915 100644
--- a/httemplate/misc/process/change-password.html
+++ b/httemplate/misc/process/change-password.html
@@ -18,7 +18,7 @@
 	 <% $cgi->redirect($fsurl.'view/svc_acct.cgi?'.$cgi->query_string) %>
 %   }
 %   elsif ($contactnum) { 
-	 <% $cgi->redirect($fsurl.'edit/cust_main-contacts.html?'.$cgi->param('custnum')) %>
+	 <% $cgi->redirect($fsurl.'view/cust_main.cgi?'.$cgi->param('custnum')) %>
 %   }
 % }
 
@@ -34,6 +34,10 @@ my $curuser = $FS::CurrentUser::CurrentUser;
 $cgi->param('svcnum') =~ /^(\d+)$/ or die "illegal svcnum" if $cgi->param('svcnum');
 my $svcnum = $1;
 
+foreach my $prefix (grep /^(.*)(password)$/, $cgi->param) {
+     $cgi->param('password' => $cgi->param($prefix));
+}
+
 $cgi->param('contactnum') =~ /^(\d+)$/ or die "illegal contactnum" if $cgi->param('contactnum');
 my $contactnum = $1;
 
diff --git a/httemplate/misc/process/payment.cgi b/httemplate/misc/process/payment.cgi
index 9458217c1..5f945a71a 100644
--- a/httemplate/misc/process/payment.cgi
+++ b/httemplate/misc/process/payment.cgi
@@ -42,11 +42,11 @@ if ( $cgi->param('fee') =~ /^\s*(\d*(\.\d\d)?)\s*$/ ) {
   $amount = sprintf('%.2f', $amount + $fee);
 }
 
-$cgi->param('year') =~ /^(\d+)$/
+$cgi->param('year') =~ /^(\d{4})/
   or errorpage("illegal year ". $cgi->param('year'));
 my $year = $1;
 
-$cgi->param('month') =~ /^(\d+)$/
+$cgi->param('month') =~ /^(\d{2})/
   or errorpage("illegal month ". $cgi->param('month'));
 my $month = $1;
 
diff --git a/httemplate/misc/xmlhttp-validate_password.html b/httemplate/misc/xmlhttp-validate_password.html
index b340170f8..95f1fd33c 100644
--- a/httemplate/misc/xmlhttp-validate_password.html
+++ b/httemplate/misc/xmlhttp-validate_password.html
@@ -29,14 +29,14 @@ my $validate_password = sub {
   $result{'syserror'} = 'Invoked without password' unless $password;
   return \%result if $result{'syserror'};
 
-  if ($arg{'contactnum'}) {
+  if ($arg{'contactnum'} =~ /^\d+$/) {
     my $contactnum = $arg{'contactnum'};
     $result{'syserror'} = 'Invalid contactnum' unless $contactnum =~ /^\d*$/;
     return \%result if $result{'syserror'};
 
     my $contact = $contactnum 
       ? qsearchs('contact',{'contactnum' => $contactnum})
-      : '';
+      : (new FS::contact {});
 
     $result{'error'} = $contact->is_password_allowed($password);
   }