-<%
+<% $conf->config_binary("logo$templatename.png") %>
+<%init>
-##untaint invnum
-#my($query) = $cgi->keywords;
-#$query =~ /^((.+)-)?(\d+)$/;
-#my $templatename = $2;
-#my $invnum = $3;
-
-my $templatename = '';
+die "access denied"
+ unless $FS::CurrentUser::CurrentUser->access_right('View invoices');
my $conf = new FS::Conf;
-http_header('Content-Type' => 'image/png' );
+
+my($query) = $cgi->keywords;
+$query =~ /^([^\.\/]*)$/;
+my $templatename = $1;
+if ( $templatename && $conf->exists("logo_$templatename.png") ) {
+ $templatename = "_$templatename";
+} else {
+ $templatename = '';
+}
http_header('Content-Type' => 'image/png' );
-%><%= $conf->config_binary("logo$templatename.png") %>
+
+</%init>
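Review bot: `my $templatename = $1;` after the unchecked match on `$query` picks up a stale capture when the match fails (Perl leaves `$1` from the last successful match in scope, e.g. a request whose keyword contains `.` or `/`), and `$query` is undef when the request has no bare keyword, which makes the match warn. The impact is bounded because the following `$conf->exists("logo_$templatename.png")` only ever selects among configured logos, but the untaint should still take the capture from the match itself: `my ($query) = $cgi->keywords; my ($templatename) = defined($query) ? ($query =~ /\A([^\.\/]*)\z/) : (); $templatename = '' unless defined $templatename;`. Using `\A`/`\z` instead of `^`/`$` also stops a trailing newline from slipping into the config key. The added `access_right('View invoices')` check is the right gate for serving the logo, assuming this component is reached only through the invoice views.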