From b70b0d8c6f571a68ffb60c5ca728a230926abee4 Mon Sep 17 00:00:00 2001
From: Mark Wells <mark@freeside.biz>
Date: Sat, 12 Jan 2013 12:03:16 -0800
Subject: supplemental packages, #20689

---
 httemplate/edit/cust_pkg.cgi | 36 ++++++++++++++++++++++++++++--------
 1 file changed, 28 insertions(+), 8 deletions(-)

(limited to 'httemplate/edit/cust_pkg.cgi')

diff --git a/httemplate/edit/cust_pkg.cgi b/httemplate/edit/cust_pkg.cgi
index dd1ed335f..88e925460 100755
--- a/httemplate/edit/cust_pkg.cgi
+++ b/httemplate/edit/cust_pkg.cgi
@@ -7,7 +7,6 @@
 <INPUT TYPE="hidden" NAME="custnum" VALUE="<% $custnum %>">
 
 %#current packages
-%my @cust_pkg = qsearch('cust_pkg', { 'custnum' => $custnum, 'cancel' => '' } );
 %if (@cust_pkg) {
 
   Current packages - select to remove (services are moved to a new package below)
@@ -18,13 +17,7 @@
     </TR>
   <BR><BR>
 %
-%
-%  foreach ( sort {     $all_pkg{ $a->getfield('pkgpart') }
-%                   cmp $all_pkg{ $b->getfield('pkgpart') }
-%                 }
-%                 @cust_pkg
-%          )
-%  {
+%  foreach ( @main_pkgs ) {
 %    my($pkgnum,$pkgpart)=( $_->getfield('pkgnum'), $_->getfield('pkgpart') );
 %    my $checked = $remove_pkg{$pkgnum} ? ' CHECKED' : '';
 %
@@ -36,6 +29,13 @@
       <TD ALIGN="right"><% $pkgnum %>:</TD>
       <TD><% $all_pkg{$pkgpart} %> - <% $all_comment{$pkgpart} %></TD>
     </TR>
+%   foreach my $supp_pkg ( @{ $supp_pkgs_of{$pkgnum} } ) {
+    <TR>
+      <TD></TD>
+      <TD></TD>
+      <TD>+ <% $all_pkg{$supp_pkg->pkgpart} %> - <% $all_comment{$supp_pkg->pkgpart} %></TD>
+    </TR>
+%   }
 % } 
 
 
@@ -147,4 +147,24 @@ if ( $cgi->param('error') ) {
 
 my $p1 = popurl(1);
 
+my @cust_pkg = qsearch('cust_pkg', { 'custnum' => $custnum, 'cancel' => '' } );
+my @main_pkgs;
+my %supp_pkgs_of; # main pkgnum => arrayref of cust_pkgs
+
+
+foreach my $cust_pkg
+  ( sort { $all_pkg{ $a->pkgpart } cmp $all_pkg{ $b->getfield('pkgpart') } }
+    @cust_pkg
+  )
+  # XXX does not properly handle recursive supplemental links
+{
+  if ( my $main_pkgnum = $cust_pkg->main_pkgnum ) {
+    $supp_pkgs_of{$main_pkgnum} ||= [];
+    push @{ $supp_pkgs_of{$main_pkgnum} }, $cust_pkg;
+  } else {
+    push @main_pkgs, $cust_pkg;
+    $supp_pkgs_of{$cust_pkg->pkgnum} ||= [];
+  }
+}
+
 </%init>
-- 
cgit v1.2.1


From 169aa0275e0fda1e3c8dc459091cc16d403f72b4 Mon Sep 17 00:00:00 2001
From: Ivan Kohler <ivan@freeside.biz>
Date: Sat, 1 Jun 2013 02:26:16 -0700
Subject: fix XSS

---
 httemplate/edit/cust_pkg.cgi | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

(limited to 'httemplate/edit/cust_pkg.cgi')

diff --git a/httemplate/edit/cust_pkg.cgi b/httemplate/edit/cust_pkg.cgi
index 88e925460..d86049940 100755
--- a/httemplate/edit/cust_pkg.cgi
+++ b/httemplate/edit/cust_pkg.cgi
@@ -27,13 +27,13 @@
     <TR>
       <TD><INPUT TYPE="checkbox" NAME="remove_pkg" VALUE="<% $pkgnum %>"<% $checked %>></TD>
       <TD ALIGN="right"><% $pkgnum %>:</TD>
-      <TD><% $all_pkg{$pkgpart} %> - <% $all_comment{$pkgpart} %></TD>
+      <TD><% $all_pkg{$pkgpart} |h %> - <% $all_comment{$pkgpart} |h %></TD>
     </TR>
 %   foreach my $supp_pkg ( @{ $supp_pkgs_of{$pkgnum} } ) {
     <TR>
       <TD></TD>
       <TD></TD>
-      <TD>+ <% $all_pkg{$supp_pkg->pkgpart} %> - <% $all_comment{$supp_pkg->pkgpart} %></TD>
+      <TD>+ <% $all_pkg{$supp_pkg->pkgpart} |h %> - <% $all_comment{$supp_pkg->pkgpart} |h %></TD>
     </TR>
 %   }
 % } 
@@ -79,7 +79,7 @@ Order new packages
       <INPUT TYPE="text" NAME="<% "pkg$pkgpart" %>" VALUE="<% $value %>" SIZE="2" MAXLENGTH="2">
     </TD>
     <TD ALIGN="right"><% $pkgpart %>:</TD>
-    <TD><% $pkg{$pkgpart} %> - <% $comment{$pkgpart}%></TD>
+    <TD><% $pkg{$pkgpart} |h %> - <% $comment{$pkgpart} |h %></TD>
   </TR>
 %
 %  $count ++ ;
-- 
cgit v1.2.1