Merge branch 'xss_fixes' of https://github.com/mcreenan/Freeside

[freeside.git] / FS / FS / UI / Web.pm

diff --git a/FS/FS/UI/Web.pm b/FS/FS/UI/Web.pm
index 91d2034..c8ad430 100644 (file)
--- a/FS/FS/UI/Web.pm
+++ b/FS/FS/UI/Web.pm
@@ -6,7 +6,7 @@ use Exporter;
 use Carp qw( confess );
 use HTML::Entities;
 use FS::Conf;
 use Carp qw( confess );
 use HTML::Entities;
 use FS::Conf;

-use FS::Misc::DateTime qw( parse_datetime );
+use FS::Misc::DateTime qw( parse_datetime day_end );

 use FS::Record qw(dbdef);
 use FS::cust_main;  # are sql_balance and sql_date_balance in the right module?
 
 use FS::Record qw(dbdef);
 use FS::cust_main;  # are sql_balance and sql_date_balance in the right module?
 


@@ -32,16 +32,16 @@ sub parse_beginning_ending {
   my $beginning = 0;
   if ( $cgi->param($prefix.'begin') =~ /^(\d+)$/ ) {
     $beginning = $1;
   my $beginning = 0;
   if ( $cgi->param($prefix.'begin') =~ /^(\d+)$/ ) {
     $beginning = $1;

-  } elsif ( $cgi->param($prefix.'beginning') =~ /^([ 0-9\-\/]{1,64})$/ ) {
+  } elsif ( $cgi->param($prefix.'beginning') =~ /^([ 0-9\-\/\:]{1,64})$/ ) {

     $beginning = parse_datetime($1) || 0;
   }
 
   my $ending = 4294967295; #2^32-1
   if ( $cgi->param($prefix.'end') =~ /^(\d+)$/ ) {
     $ending = $1 - 1;
     $beginning = parse_datetime($1) || 0;
   }
 
   my $ending = 4294967295; #2^32-1
   if ( $cgi->param($prefix.'end') =~ /^(\d+)$/ ) {
     $ending = $1 - 1;

-  } elsif ( $cgi->param($prefix.'ending') =~ /^([ 0-9\-\/]{1,64})$/ ) {
-    #probably need an option to turn off the + 86399
-    $ending = parse_datetime($1) + 86399;
+  } elsif ( $cgi->param($prefix.'ending') =~ /^([ 0-9\-\/\:]{1,64})$/ ) {
+    $ending = parse_datetime($1);
+    $ending = day_end($ending) unless $ending =~ /:/;

   }
 
   ( $beginning, $ending );
   }
 
   ( $beginning, $ending );


@@ -378,6 +378,9 @@ Otherwise, this function will assume the field is named "custnum".  If the
 argument isn't present at all, the join will just say "USING (custnum)", 
 which might work.
 
 argument isn't present at all, the join will just say "USING (custnum)", 
 which might work.
 

+As a special case, if TABLE is 'cust_main', only the joins to cust_location
+will be returned.
+

 LOCATION_TABLE is an optional table name to use for joining ship_location,
 in case your query also includes package information and you want the 
 "service address" columns to reflect package addresses.
 LOCATION_TABLE is an optional table name to use for joining ship_location,
 in case your query also includes package information and you want the 
 "service address" columns to reflect package addresses.


@@ -392,11 +395,12 @@ sub join_cust_main {
   ($location_table, $locationnum) = split(/\./, $location_table);
   $locationnum ||= 'locationnum';
 
   ($location_table, $locationnum) = split(/\./, $location_table);
   $locationnum ||= 'locationnum';
 

-  my $sql = ' LEFT JOIN cust_main ';
+  my $sql = '';

   if ( $cust_table ) {
   if ( $cust_table ) {

-    $sql .= "ON (cust_main.custnum = $cust_table.$custnum)";
+    $sql = " LEFT JOIN cust_main ON (cust_main.custnum = $cust_table.$custnum)"
+      unless $cust_table eq 'cust_main';

   } else {
   } else {

-    $sql .= "USING (custnum)";
+    $sql = " LEFT JOIN cust_main USING (custnum)";

   }
 
   if ( !@cust_fields or grep /^bill_/, @cust_fields ) {
   }
 
   if ( !@cust_fields or grep /^bill_/, @cust_fields ) {


@@ -468,23 +472,26 @@ sub cust_fields_subs {
   my $unlinked_warn = 0;
   return map { 
     my $f = $_;
   my $unlinked_warn = 0;
   return map { 
     my $f = $_;

-    if( $unlinked_warn++ ) {
+    if ( $unlinked_warn++ ) {
+

       sub {
         my $record = shift;
       sub {
         my $record = shift;

-        if( $record->custnum ) {
-          $record->$f(@_);
-        }
-        else {
+        if ( $record->custnum ) {
+          encode_entities( $record->$f(@_) );
+        } else {

           '(unlinked)'
         };
           '(unlinked)'
         };

-      }
-    } 
-    else {
+      };
+
+    } else {
+

       sub {
         my $record = shift;
       sub {
         my $record = shift;

-        $record->$f(@_) if $record->custnum;
-      }
+        $record->custnum ? encode_entities( $record->$f(@_) ) : '';
+      };
+

     }
     }

+

   } @cust_fields;
 }
 
   } @cust_fields;
 }
 


@@ -574,7 +581,7 @@ use vars qw($DEBUG);
 use Carp;
 use Storable qw(nfreeze);
 use MIME::Base64;
 use Carp;
 use Storable qw(nfreeze);
 use MIME::Base64;

-use JSON;
+use JSON::XS;

 use FS::UID qw(getotaker);
 use FS::Record qw(qsearchs);
 use FS::queue;
 use FS::UID qw(getotaker);
 use FS::Record qw(qsearchs);
 use FS::queue;


@@ -719,10 +726,7 @@ sub job_status {
     @return = ( 'error', $job ? $job->statustext : $jobnum );
   }
 
     @return = ( 'error', $job ? $job->statustext : $jobnum );
   }
 

-  #to_json(\@return);  #waiting on deb 5.0 for new JSON.pm?
-  #silence the warning though
-  my $to_json = JSON->can('to_json') || JSON->can('objToJson');
-  &$to_json(\@return);
+  encode_json \@return;

 
 }
 
 
 }