From 954ed54e8053a3333ca407deb5efcfffb4f28f8d Mon Sep 17 00:00:00 2001
From: ivan <ivan>
Date: Tue, 25 Dec 2007 23:50:19 +0000
Subject: ho ho ho, merry XSSmas

---
 httemplate/misc/batch-cust_pay.html     | 6 +-----
 httemplate/misc/cancel_cust.html        | 5 +----
 httemplate/misc/cancel_pkg.html         | 5 +----
 httemplate/misc/change_pkg.cgi          | 5 +----
 httemplate/misc/process/meta-import.cgi | 4 +++-
 httemplate/misc/recharge_svc.html       | 5 +----
 6 files changed, 8 insertions(+), 22 deletions(-)

(limited to 'httemplate/misc')

diff --git a/httemplate/misc/batch-cust_pay.html b/httemplate/misc/batch-cust_pay.html
index d85f3b6c3..341629ba6 100644
--- a/httemplate/misc/batch-cust_pay.html
+++ b/httemplate/misc/batch-cust_pay.html
@@ -5,12 +5,8 @@
             ( $cgi->param('error') ? '' : 'onload="addRow()"' ),
           )
 %>
-% if ( $cgi->param('error') ) { 
-
-  <FONT SIZE="+1" COLOR="#ff0000"><% $cgi->param('error') %></FONT><BR><BR>
-% } 
-
 
+<% include('/elements/error.html') %>
 
 <FORM ACTION="process/batch-cust_pay.cgi" NAME="OneTrueForm" METHOD="POST" onsubmit="document.OneTrueForm.submit.disabled=true;">
 
diff --git a/httemplate/misc/cancel_cust.html b/httemplate/misc/cancel_cust.html
index 022fc108f..11ade7e15 100644
--- a/httemplate/misc/cancel_cust.html
+++ b/httemplate/misc/cancel_cust.html
@@ -1,9 +1,6 @@
 <% include('/elements/header-popup.html', 'Cancel customer' ) %>
 
-% if ( $cgi->param('error') ) { 
-  <FONT SIZE="+1" COLOR="#ff0000">Error: <% $cgi->param('error') %></FONT>
-  <BR><BR>
-% } 
+<% include('/elements/error.html') %>
 
 <FORM NAME="cust_cancel_popup" ACTION="<% popurl(1) %>cust_main-cancel.cgi" METHOD=POST>
 <INPUT TYPE="hidden" NAME="custnum" VALUE="<% $custnum %>">
diff --git a/httemplate/misc/cancel_pkg.html b/httemplate/misc/cancel_pkg.html
index b085d2281..28d0dd912 100755
--- a/httemplate/misc/cancel_pkg.html
+++ b/httemplate/misc/cancel_pkg.html
@@ -9,10 +9,7 @@
 <SCRIPT TYPE="text/javascript" SRC="../elements/calendar-en.js"></SCRIPT>
 <SCRIPT TYPE="text/javascript" SRC="../elements/calendar-setup.js"></SCRIPT>
 
-% if ( $cgi->param('error') ) { 
-  <FONT SIZE="+1" COLOR="#ff0000">Error: <% $cgi->param('error') %></FONT>
-  <BR><BR>
-% } 
+<% include('/elements/error.html') %>
 
 <FORM NAME="sc_popup" ACTION="<% popurl(1) %>process/cancel_pkg.html" METHOD=POST>
 <INPUT TYPE="hidden" NAME="pkgnum" VALUE="<% $pkgnum %>">
diff --git a/httemplate/misc/change_pkg.cgi b/httemplate/misc/change_pkg.cgi
index 4bf15a1fa..7c88876d4 100755
--- a/httemplate/misc/change_pkg.cgi
+++ b/httemplate/misc/change_pkg.cgi
@@ -1,9 +1,6 @@
 <% include('/elements/header-popup.html', "Change Package") %>
 
-% if ( $cgi->param('error') ) {
-  <FONT SIZE="+1" COLOR="#ff0000">Error: <% $cgi->param('error') %></FONT>
-  <BR><BR>
-% }
+<% include('/elements/error.html') %>
 
 <FORM ACTION="<% $p %>edit/process/cust_pkg.cgi" METHOD=POST>
 <INPUT TYPE="hidden" NAME="custnum" VALUE="<% $custnum %>">
diff --git a/httemplate/misc/process/meta-import.cgi b/httemplate/misc/process/meta-import.cgi
index 5a97d1160..1cf178c08 100644
--- a/httemplate/misc/process/meta-import.cgi
+++ b/httemplate/misc/process/meta-import.cgi
@@ -182,4 +182,6 @@ function SafeOnsubmit() {
 %  }
 %
 %
-
+<%init>
+die "meta-import script not currently enabled"; #make XSS-safe if this is used for more than just admins to import data....
+</%init>
diff --git a/httemplate/misc/recharge_svc.html b/httemplate/misc/recharge_svc.html
index 634be0600..a3de13d92 100755
--- a/httemplate/misc/recharge_svc.html
+++ b/httemplate/misc/recharge_svc.html
@@ -1,9 +1,6 @@
 <% include('/elements/header-popup.html', 'Recharge Service' ) %>
 
-% if ( $cgi->param('error') ) { 
-  <FONT SIZE="+1" COLOR="#ff0000">Error: <% $cgi->param('error') %></FONT>
-  <BR><BR>
-% } 
+<% include('/elements/error.html') %>
 
 <FORM NAME="recharge_popup" ACTION="<% popurl(1) %>process/recharge_svc.html" METHOD=POST>
 <INPUT TYPE="hidden" NAME="svcnum" VALUE="<% $svcnum %>">
-- 
cgit v1.2.1