Diffstat (limited to 'httemplate')
-rw-r--r--httemplate/search/report_tax.cgi7
-rw-r--r--httemplate/view/cust_main/packages/services.html30
2 files changed, 20 insertions, 17 deletions
diff --git a/httemplate/search/report_tax.cgi b/httemplate/search/report_tax.cgi
index 83f2fc5d3..491cd42c5 100644
--- a/httemplate/search/report_tax.cgi
+++ b/httemplate/search/report_tax.cgi
@@ -151,7 +151,7 @@ TD.rowhead { font-weight: bold; text-align: left; padding: 0px 3px }
<% emt('Out of taxable region') %>
</TD>
<TD STYLE="text-align: right">
- <A HREF="<% $saleslink %>;out=1;taxname=<% $params{taxname} %>">
+ <A HREF="<% $saleslink %>;out=1;taxname=<% encode_entities($params{'taxname'}) %>">
<% $money_sprintf->( $report->{outside } ) %>
</A>
</TD>
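Review bot: The new `encode_entities(...)` on the `taxname=` value in this HREF makes it safe as an HTML attribute but not as a query-string value. The later hunk in this file now accepts any non-empty taxname, so characters such as `;`, `&`, `#`, `%` or `+` would split or alter the link's parameters (this URL uses `;` as its separator), and the drill-down could run with a different taxname than the report shown. URL-escape the value instead, for example `taxname=<% $params{'taxname'} |u %>`, whose output needs no further entity encoding. Whether `$saleslink` is built with the same care is not visible in this hunk.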
@@ -188,8 +188,9 @@ if ( $cgi->param('agentnum') =~ /^(\d+)$/ ) {
$agentname = $agent->agentname;
}
-if ( $cgi->param('taxname') =~ /^([\w ]+)$/ ) {
- $params{taxname} = $1;
+# allow anything in here; FS::Report::Tax will treat it as unsafe
+if ( length($cgi->param('taxname')) ) {
+ $params{taxname} = $cgi->param('taxname');
} else {
die "taxname required";
}
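Review bot: With the `/^([\w ]+)$/` allow-list removed, `$params{taxname}` is raw request data for every consumer, yet the new comment vouches only for FS::Report::Tax, whose code is not on this page. Every other place in this component that prints or links the value now needs its own escaping, and the SQL path should be confirmed to quote or bind it rather than interpolate it. I would widen the comment to say so, e.g. `# raw user input from here on: HTML/URL-escape at every output; FS::Report::Tax must quote it before use in SQL`. Consider still rejecting control characters and bounding the length here, since nothing else in the hunk limits what reaches error messages and logs. The enclosing init code starts and ends outside the hunk.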
diff --git a/httemplate/view/cust_main/packages/services.html b/httemplate/view/cust_main/packages/services.html
index fa193d636..d7644b7de 100644
--- a/httemplate/view/cust_main/packages/services.html
+++ b/httemplate/view/cust_main/packages/services.html
@@ -97,20 +97,7 @@ function clearhint_search_cust_svc(obj, str) {
% local $opt{'num_avail'} = $part_svc->num_avail;
<BR><% svc_provision_link($cust_pkg, $part_svc, \%opt, $curuser) %>
% }
-% if (
-% qsearch({
-% 'table' => 'did_order',
-% 'hashref' => { 'custnum' => $cust_pkg->custnum },
-% 'extra_sql' => ' LIMIT 1'
-% })
-% ||
-% qsearch({
-% 'table' => 'did_order_item',
-% 'hashref' => { 'custnum' => $cust_pkg->custnum },
-% 'addl_from' => ' INNER JOIN did_order ON did_order_item.ordernum = did_order.ordernum',
-% 'extra_sql' => ' LIMIT 1'
-% })
-% ) {
+% if (browse_received_did_inventory($cust_pkg->custnum)) {
<BR><A HREF="<%$p%>browse/did_order.html?custnum=<%$cust_pkg->custnum%>"><% mt('Browse Received DID Inventory') |h %></A>
% }
% }
@@ -183,6 +170,21 @@ sub svc_provision_link {
$link;
}
+sub browse_received_did_inventory {
+ local($FS::Record::qsearch_qualify_columns) = 1;
+ qsearch({
+ 'table' => 'did_order',
+ 'hashref' => { 'custnum' => $_[0] },
+ 'extra_sql' => ' LIMIT 1'
+ }) ||
+ qsearch({
+ 'table' => 'did_order_item',
+ 'hashref' => { 'custnum' => $_[0] },
+ 'addl_from' => ' INNER JOIN did_order ON did_order_item.ordernum = did_order.ordernum',
+ 'extra_sql' => ' LIMIT 1'
+ });
+}
+
my %hints = (
svc_acct => emt('(user or email)'),
svc_domain => emt('(domain)'),
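Review bot: `browse_received_did_inventory` reads its argument as `$_[0]` in two places and gives no reason for the `local($FS::Record::qsearch_qualify_columns) = 1;` line, which is the one behavioural difference from the inline code it replaces. Name the parameter with `my ($custnum) = @_;` and use `'custnum' => $custnum` in both hashrefs. A comment such as `# qualify hashref columns so custnum is unambiguous in the did_order join (presumed purpose; confirm in FS::Record)` would explain the `local`. An explicit `return` in front of the `qsearch(...) || qsearch(...)` expression would also show that the sub is meant as a boolean existence test.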