fix XSS
author
Ivan Kohler
<ivan@freeside.biz>
Mon, 12 Nov 2012 06:20:28 +0000
(22:20 -0800)
committer
Ivan Kohler
<ivan@freeside.biz>
Mon, 12 Nov 2012 06:20:28 +0000
(22:20 -0800)
FS/FS/UI/Web.pm
httemplate/browse/part_event.html
httemplate/edit/cust_main/first_pkg/svc_acct.html
httemplate/index.html
httemplate/search/cust_main.cgi
httemplate/search/elements/search-html.html
diff --git
a/FS/FS/UI/Web.pm
b/FS/FS/UI/Web.pm
index
1cc539a
..
c2ea0a6
100644
(file)
--- a/
FS/FS/UI/Web.pm
+++ b/
FS/FS/UI/Web.pm
@@
-3,7
+3,8
@@
package FS::UI::Web;
use strict;
use vars qw($DEBUG @ISA @EXPORT_OK $me);
use Exporter;
use strict;
use vars qw($DEBUG @ISA @EXPORT_OK $me);
use Exporter;
-use Carp qw( confess );;
+use Carp qw( confess );
+use HTML::Entities;
use FS::Conf;
use FS::Misc::DateTime qw( parse_datetime );
use FS::Record qw(dbdef);
use FS::Conf;
use FS::Misc::DateTime qw( parse_datetime );
use FS::Record qw(dbdef);
@@
-383,7
+384,7
@@
sub cust_fields {
map {
if ( $record->custnum ) {
warn " $record -> $_" if $DEBUG > 1;
map {
if ( $record->custnum ) {
warn " $record -> $_" if $DEBUG > 1;
-
$record->$_(@_
);
+
encode_entities( $record->$_(@_)
);
} else {
warn " ($record unlinked)" if $DEBUG > 1;
$seen_unlinked++ ? '' : '(unlinked)';
} else {
warn " ($record unlinked)" if $DEBUG > 1;
$seen_unlinked++ ? '' : '(unlinked)';
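Review bot: The new `encode_entities( $record->$_(@_) )` makes `cust_fields` return HTML-encoded text unconditionally, so any caller that feeds the result into a non-HTML output (a CSV or spreadsheet export, a plain-text report) or that already applies its own `|h` filter will now see `&amp;`-style entities or double encoding; with only this hunk visible that is an inference about the callers, but it should be confirmed before release. `encode_entities` with no second argument also converts non-ASCII characters to entities, which is what would make the non-HTML case visible to users. The decision deserves to be recorded in the sub's header, e.g. `# NOTE: returns HTML-escaped values; callers must not escape again, and non-HTML outputs need a separate path`. `cust_fields` begins and ends outside the hunk.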
diff --git
a/httemplate/browse/part_event.html
b/httemplate/browse/part_event.html
index
c06a14f
..
62e7ff0
100644
(file)
--- a/
httemplate/browse/part_event.html
+++ b/
httemplate/browse/part_event.html
@@
-47,7
+47,7
@@
my $event_sub = sub {
my $onclick = include('/elements/popup_link_onclick.html',
action => $p.'view/part_event-targets.html?eventpart='.
$part_event->eventpart,
my $onclick = include('/elements/popup_link_onclick.html',
action => $p.'view/part_event-targets.html?eventpart='.
$part_event->eventpart,
- actionlabel => 'Event query - '.$part_event->event,
+ actionlabel => 'Event query
', #no, XSS
- '.$part_event->event,
width => 650,
height => 420,
close_text => 'Close',
width => 650,
height => 420,
close_text => 'Close',
@@
-55,14
+55,14
@@
my $event_sub = sub {
[#rows
[#subcolumns
{
[#rows
[#subcolumns
{
- 'data'
=> $part_event->event
,
- 'link' => $p.'edit/part_event.html?'.$part_event->eventpart,
+ 'data'
=> encode_entities($part_event->event)
,
+ 'link'
=> $p.'edit/part_event.html?'.$part_event->eventpart,
},
{
},
{
- 'data'
=> '
(query) ',
- 'size' => '-1',
- 'data_style'
=> 'b',
- 'onclick' => $onclick,
+ 'data'
=> '
(query) ',
+ 'size'
=> '-1',
+ 'data_style' => 'b',
+ 'onclick'
=> $onclick,
},
],
];
},
],
];
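Review bot: The new `actionlabel => 'Event query', #no, XSS - '.$part_event->event,` keeps the removed expression as dead code behind a terse comment, and a later reader may be tempted to restore it with `encode_entities()` the way the second hunk does for the table cell. That would not be equivalent: the label is passed to `/elements/popup_link_onclick.html` and presumably ends up inside the generated onclick JavaScript string, where HTML entity encoding does not neutralise quotes or backslashes, so dropping the dynamic part is the safe choice here. A comment that says why would prevent that regression, e.g. `actionlabel => 'Event query', # event name deliberately omitted: this string is embedded in onclick JavaScript, where encode_entities() is not sufficient`. The `$event_sub` closure begins before the first hunk and its closing brace is not in view.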
diff --git
a/httemplate/edit/cust_main/first_pkg/svc_acct.html
b/httemplate/edit/cust_main/first_pkg/svc_acct.html
index
b1ccc13
..
717bf50
100644
(file)
--- a/
httemplate/edit/cust_main/first_pkg/svc_acct.html
+++ b/
httemplate/edit/cust_main/first_pkg/svc_acct.html
@@
-5,7
+5,7
@@
<TD>
<INPUT TYPE = "text"
NAME = "username"
<TD>
<INPUT TYPE = "text"
NAME = "username"
- VALUE = "<% $opt{'username'} %>"
+ VALUE = "<% $opt{'username'}
|h
%>"
SIZE = <% $ulen2 %>
MAXLENGTH = <% $ulen %>
>
SIZE = <% $ulen2 %>
MAXLENGTH = <% $ulen %>
>
@@
-26,7
+26,7
@@
<TD>
<INPUT TYPE = "text"
NAME = "_password"
<TD>
<INPUT TYPE = "text"
NAME = "_password"
- VALUE = "<% $opt{'password'} %>"
+ VALUE = "<% $opt{'password'}
|h
%>"
SIZE = <% $pmax2 %>
MAXLENGTH = <% $passwordmax %>>
% unless ( $opt{'password_verify'} ) {
SIZE = <% $pmax2 %>
MAXLENGTH = <% $passwordmax %>>
% unless ( $opt{'password_verify'} ) {
@@
-41,7
+41,7
@@
<TD>
<INPUT TYPE = "text"
NAME = "_password2"
<TD>
<INPUT TYPE = "text"
NAME = "_password2"
- VALUE = "<% $opt{'password2'} %>"
+ VALUE = "<% $opt{'password2'}
|h
%>"
SIZE = <% $pmax2 %>
MAXLENGTH = <% $passwordmax %>>
</TD>
SIZE = <% $pmax2 %>
MAXLENGTH = <% $passwordmax %>>
</TD>
@@
-51,7
+51,7
@@
% if ( $conf->exists('security_phrase') ) {
<TR>
<TD ALIGN="right"><% mt('Security Phrase') |h %></TD>
% if ( $conf->exists('security_phrase') ) {
<TR>
<TD ALIGN="right"><% mt('Security Phrase') |h %></TD>
- <TD><INPUT TYPE="text" NAME="sec_phrase" VALUE="<% $opt{'sec_phrase'} %>">
+ <TD><INPUT TYPE="text" NAME="sec_phrase" VALUE="<% $opt{'sec_phrase'}
|h
%>">
</TD>
</TR>
% } else {
</TD>
</TR>
% } else {
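Review bot: The added `|h` filters cover these double-quoted `VALUE="..."` attributes, but as far as I can tell Mason's default `h` flag encodes `<`, `>`, `&` and `"` and not the apostrophe, so the same filter would be insufficient for a single-quoted or unquoted attribute, and the unquoted `SIZE = <% $ulen2 %>` / `MAXLENGTH = <% $ulen %>` on the following lines remain unfiltered. Those look like numeric lengths from configuration rather than request data, but quoting and filtering them, `SIZE = "<% $ulen2 |h %>"`, removes the dependence on that assumption. Separately, echoing `$opt{'password'}` back into a `TYPE="text"` input is pre-existing behaviour that this commit only escapes; whether the cleartext value belongs in the rendered page at all is a question for the form's owners.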
diff --git
a/httemplate/index.html
b/httemplate/index.html
index
ae15096
..
299efdd
100644
(file)
--- a/
httemplate/index.html
+++ b/
httemplate/index.html
@@
-36,7
+36,7
@@
% next unless $cust_main;
<TR>
% next unless $cust_main;
<TR>
- <TD CLASS="grid" BGCOLOR="<% $bgcolor %>"><A HREF="view/cust_main.cgi?<% $custnum %>"><% $cust_main->display_custnum %>: <% $cust_main->name %></A></TD>
+ <TD CLASS="grid" BGCOLOR="<% $bgcolor %>"><A HREF="view/cust_main.cgi?<% $custnum %>"><% $cust_main->display_custnum %>: <% $cust_main->name
|h
%></A></TD>
</TR>
% if ( $bgcolor eq $bgcolor1 ) {
</TR>
% if ( $bgcolor eq $bgcolor1 ) {
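Review bot: The `|h` added to `$cust_main->name` leaves `<% $custnum %>` in the `HREF` and `<% $cust_main->display_custnum %>` on the same line unfiltered. Both look like numeric customer identifiers, but with only this hunk visible the provenance of `display_custnum` cannot be confirmed, and filtering both costs nothing: `<A HREF="view/cust_main.cgi?<% $custnum |h %>"><% $cust_main->display_custnum |h %>: <% $cust_main->name |h %></A>`. The loop that sets `$cust_main` begins before the hunk.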
diff --git
a/httemplate/search/cust_main.cgi
b/httemplate/search/cust_main.cgi
index
9d37d21
..
4504121
100755
(executable)
--- a/
httemplate/search/cust_main.cgi
+++ b/
httemplate/search/cust_main.cgi
@@
-54,7
+54,7
@@
% my $refcustlabel = "$referral_custnum: " .
% ( $cust_main->company || $cust_main->last. ', '. $cust_main->first );
referrals of
% my $refcustlabel = "$referral_custnum: " .
% ( $cust_main->company || $cust_main->last. ', '. $cust_main->first );
referrals of
- <A HREF="<% popurl(2)."view/cust_main.cgi?$referral_custnum" %>"><% $refcustlabel %></A>
+ <A HREF="<% popurl(2)."view/cust_main.cgi?$referral_custnum" %>"><% $refcustlabel
|h
%></A>
<SELECT NAME="referral_depth" SIZE="1" onChange="changed(this)">';
% my $max = 8;
<SELECT NAME="referral_depth" SIZE="1" onChange="changed(this)">';
% my $max = 8;
@@
-152,7
+152,7
@@
% $view = $p. 'view/cust_main.cgi?'. $custnum;
% }
% my $pcompany = $company
% $view = $p. 'view/cust_main.cgi?'. $custnum;
% }
% my $pcompany = $company
-% ? qq!<A HREF="$view"><FONT SIZE=-1>
$company</FONT></A>!
+% ? qq!<A HREF="$view"><FONT SIZE=-1>
!. encode_entities($company). '</FONT></A>'
% : '<FONT SIZE=-1> </FONT>';
%
% my $status = $cust_main->status;
% : '<FONT SIZE=-1> </FONT>';
%
% my $status = $cust_main->status;
@@
-166,7
+166,7
@@
<FONT SIZE="-1" COLOR="#<% $statuscol %>"><B><% ucfirst($status) %></B></FONT>
</TD>
<TD CLASS="grid" BGCOLOR="<% $bgcolor %>" ROWSPAN=<% $rowspan %>>
<FONT SIZE="-1" COLOR="#<% $statuscol %>"><B><% ucfirst($status) %></B></FONT>
</TD>
<TD CLASS="grid" BGCOLOR="<% $bgcolor %>" ROWSPAN=<% $rowspan %>>
- <A HREF="<% $view %>"><FONT SIZE=-1><% "$last, $first" %></FONT></A>
+ <A HREF="<% $view %>"><FONT SIZE=-1><% "$last, $first"
|h
%></FONT></A>
</TD>
<TD CLASS="grid" BGCOLOR="<% $bgcolor %>" ROWSPAN=<% $rowspan %>>
<% $pcompany %>
</TD>
<TD CLASS="grid" BGCOLOR="<% $bgcolor %>" ROWSPAN=<% $rowspan %>>
<% $pcompany %>
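Review bot: In the second hunk `$pcompany` now holds ready-made HTML whose `$company` part is already entity-encoded, while the neighbouring values (`$refcustlabel`, `"$last, $first"`) are raw strings escaped at output with `|h`; the unfiltered `<% $pcompany %>` in the third hunk is therefore correct but indistinguishable from an oversight. A comment at the assignment would pin the contract, e.g. `% # $pcompany is pre-rendered HTML (company name already entity-encoded); emit it without |h`. In the first hunk `$referral_custnum` is also interpolated into the `HREF` without a filter; if it originates from the request, validating it as an integer before use (or filtering it like the label) would close that gap. The blocks around all three hunks start and end outside the lines shown.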
diff --git
a/httemplate/search/elements/search-html.html
b/httemplate/search/elements/search-html.html
index
b66ee9d
..
2e36919
100644
(file)
--- a/
httemplate/search/elements/search-html.html
+++ b/
httemplate/search/elements/search-html.html
@@
-338,7
+338,7
@@
% if ( ref($_) eq 'CODE' ) {
% &{$_}($row);
% } else {
% if ( ref($_) eq 'CODE' ) {
% &{$_}($row);
% } else {
-%
$row->$_(
);
+%
encode_entities($row->$_()
);
% }
% }
% @{$opt{'fields'}}
% }
% }
% @{$opt{'fields'}}
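Review bot: The `else` branch now returns `encode_entities($row->$_())`, but the `CODE` branch two lines above still emits whatever the callback returns, so every field callback passed in `$opt{'fields'}` remains responsible for escaping the data it embeds in its own markup. That split is defensible (callbacks presumably build markup such as links) but is invisible to whoever writes them; a comment would record the contract, e.g. `% # CODE fields return finished HTML and must escape their own data; plain field names are escaped here`. Callers that both route a value through `FS::UI::Web::cust_fields`, which this commit also makes encode its output, and return it from a callback should be checked for double encoding, though that depends on code outside this hunk. The enclosing `map` over `@{$opt{'fields'}}` begins before the hunk.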