fix XSS

[freeside.git] / httemplate / edit / cust_pkg.cgi

diff --git a/httemplate/edit/cust_pkg.cgi b/httemplate/edit/cust_pkg.cgi
index ecc2119..e6a7d4b 100755 (executable)
--- a/httemplate/edit/cust_pkg.cgi
+++ b/httemplate/edit/cust_pkg.cgi
@@ -3,15 +3,12 @@
 <% include('/elements/error.html') %>
 
 <FORM ACTION="<% $p1 %>process/cust_pkg.cgi" METHOD=POST>
-
+<INPUT TYPE="hidden" NAME="action" VALUE="bulk">
 <INPUT TYPE="hidden" NAME="custnum" VALUE="<% $custnum %>">
-%
+
 %#current packages
 %my @cust_pkg = qsearch('cust_pkg', { 'custnum' => $custnum, 'cancel' => '' } );
-%
 %if (@cust_pkg) {
-%
-
 
   Current packages - select to remove (services are moved to a new package below)
   <TABLE>
@@ -37,7 +34,7 @@
     <TR>
       <TD><INPUT TYPE="checkbox" NAME="remove_pkg" VALUE="<% $pkgnum %>"<% $checked %>></TD>
       <TD ALIGN="right"><% $pkgnum %>:</TD>
-      <TD><% $all_pkg{$pkgpart} %> - <% $all_comment{$pkgpart} %></TD>
+      <TD><% $all_pkg{$pkgpart} |h %> - <% $all_comment{$pkgpart} |h %></TD>
     </TR>
 % } 
 
@@ -82,7 +79,7 @@ Order new packages
       <INPUT TYPE="text" NAME="<% "pkg$pkgpart" %>" VALUE="<% $value %>" SIZE="2" MAXLENGTH="2">
     </TD>
     <TD ALIGN="right"><% $pkgpart %>:</TD>
-    <TD><% $pkg{$pkgpart} %> - <% $comment{$pkgpart}%></TD>
+    <TD><% $pkg{$pkgpart} |h %> - <% $comment{$pkgpart} |h %></TD>
   </TR>
 %
 %  $count ++ ;
@@ -131,10 +128,10 @@ my %all_comment = ();
 #}
 foreach (qsearch('part_pkg', {} )) {
   $all_pkg{ $_ -> getfield('pkgpart') } = $_->getfield('pkg');
-  $all_comment{ $_ -> getfield('pkgpart') } = $_->getfield('comment');
+  $all_comment{ $_ -> getfield('pkgpart') } = $_->custom_comment;
   next if $_->disabled;
   $pkg{ $_ -> getfield('pkgpart') } = $_->getfield('pkg');
-  $comment{ $_ -> getfield('pkgpart') } = $_->getfield('comment');
+  $comment{ $_ -> getfield('pkgpart') } = $_->custom_comment;
 }
 
 my($custnum, %remove_pkg);
@@ -151,4 +148,3 @@ if ( $cgi->param('error') ) {
 my $p1 = popurl(1);
 
 </%init>
-