% # construct base links that limit to the tax rates described by this row
% my $rowlink = ';taxnum=' . $row->{taxnums};
% # and also the package class, if we're limiting package class
-% $rowlink .= ';pkgclass='.$row->{pkgclass}
-% if $params{breakdown}->{pkgclass};
+% if ( $params{breakdown}->{pkgclass} ) {
+% $rowlink .= ';classnum=' . ($row->{pkgclass} || 0);
+% }
%
% if ( $row->{total} ) {
</TBODY><TBODY CLASS="total">
<% emt('Out of taxable region') %>
</TD>
<TD STYLE="text-align: right">
- <A HREF="<% $saleslink %>;out=1;taxname=<% $params{taxname} %>">
+ <A HREF="<% $saleslink %>;out=1;taxname=<% encode_entities($params{'taxname'}) %>">
<% $money_sprintf->( $report->{outside } ) %>
</A>
</TD>
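Review bot: `encode_entities` on the new `taxname=` line protects the HTML attribute, but the value is still not escaped as a query-string component, so a tax name containing `;`, `&`, `#`, `%` or `+` changes how the linked search page parses the URL. This matters more now that the `[\w ]+` whitelist on taxname is dropped elsewhere in this diff. URI-escape the value first and HTML-encode the result, e.g. `taxname=<% encode_entities(uri_escape($params{'taxname'})) %>`. `uri_escape` comes from URI::Escape, and whether that module is already loaded in this component is not visible here.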
$agentname = $agent->agentname;
}
-if ( $cgi->param('taxname') =~ /^([\w ]+)$/ ) {
- $params{taxname} = $1;
+# allow anything in here; FS::Report::Tax will treat it as unsafe
+if ( length($cgi->param('taxname')) ) {
+ $params{taxname} = $cgi->param('taxname');
} else {
die "taxname required";
}
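Review bot: The new comment above `if ( length($cgi->param('taxname')) )` only says that FS::Report::Tax treats the value as unsafe, which leaves out the places where this template itself writes `$params{taxname}` into HTML and link URLs. With the `^([\w ]+)$` check removed, each of those outputs needs its own encoding, and only one of them is visible in this diff. I would extend the comment to record that, e.g. `# unvalidated user input: FS::Report::Tax handles it as unsafe; encode it on every output in this template`. Consider also enforcing a maximum length before the value is passed on. The enclosing block starts outside the hunk.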
};
my $dateagentlink = "begin=$beginning;end=$ending";
-$dateagentlink .= $params{agentnum} if $params{agentnum};
+if ( $params{agentnum} ) {
+ $dateagentlink .= ';agentnum=' . $params{agentnum};
+}
my $saleslink = $p. "search/cust_bill_pkg.cgi?$dateagentlink;nottax=1";
my $taxlink = $p. "search/cust_bill_pkg.cgi?$dateagentlink;istax=1";
my $exemptlink = $p. "search/cust_tax_exempt_pkg.cgi?$dateagentlink";