From: Ivan Kohler Date: Sun, 12 Jul 2015 06:46:49 +0000 (-0700) Subject: secure $cgi->param calls (and include to <& &>) X-Git-Url: http://git.freeside.biz/gitweb/?a=commitdiff_plain;h=ae2a98aa6d846caf5a2d597b0ff7c916ace24a6e;p=freeside.git secure $cgi->param calls (and include to <& &>)
---
diff --git a/httemplate/misc/email-customers.html b/httemplate/misc/email-customers.html
index 57f451fdc..09ff93cca 100644
--- a/httemplate/misc/email-customers.html
+++ b/httemplate/misc/email-customers.html
@@ -51,13 +51,12 @@ should be used to set msgnum or from/subject/html_body cgi params
 Sending notice
- <% include('/elements/progress-init.html',
+ <& /elements/progress-init.html,
 'OneTrueForm', [ qw( search table from subject html_body text_body msgnum ) ], $process_url, $pdest,
- )
- %>
+ &>
 % } elsif ( $cgi->param('action') eq 'preview' ) {
@@ -68,7 +67,7 @@ should be used to set msgnum or from/subject/html_body cgi params
 % if ( $cgi->param('action') ) {
-
+
 % if ( $msg_template ) {
 <% include('/elements/tr-fixed.html',
@@ -160,12 +159,11 @@ Template:
 'size' => 20, &>>
- <% include('/elements/tr-input-text.html',
+ <& /elements/tr-input-text.html,
 'field' => 'subject', 'label' => 'Subject:', 'size' => 50,
- )
- %>
+ &>
@@ -193,7 +191,7 @@ Template:
 % }
-<% include('/elements/footer.html') %>
+<& /elements/footer.html &>
 <%init>
@@ -222,7 +220,7 @@ $pdest->{'url'} = $cgi->param('url') if $url;
 my %search;
 if ( $cgi->param('search') ) {
- %search = %{ thaw(decode_base64($cgi->param('search'))) };
+ %search = %{ thaw(decode_base64( $cgi->param('search') )) };
 } else {
 %search = $cgi->Vars;
@@ -267,7 +265,7 @@ if ( $cgi->param('action') eq 'preview' ) {
 if ( $cgi->param('msgnum') ) {
 $msg_template = qsearchs('msg_template',
- { msgnum => $cgi->param('msgnum') } )
+ { msgnum => scalar($cgi->param('msgnum')) } )
 or die "template not found: ".$cgi->param('msgnum');
 $sql_query->{'extra_sql'} .= ' LIMIT 1';
 $sql_query->{'select'} = "$table.*";
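Review bot: The `search` parameter is still handed straight to `Storable::thaw` after this commit — the `@@ -222,7 +220,7 @@` hunk only re-spaces `%search = %{ thaw(decode_base64( $cgi->param('search') )) };`. Storable's own documentation says `thaw` is not safe on data you did not produce, and here the client supplies the entire serialized structure, so the value has to be treated as untrusted even though this page is normally the one that froze it. A cheap defence is to authenticate the blob: append an HMAC computed with a server-side secret when the search is frozen and verify it with a constant-time compare before `decode_base64`/`thaw`, or keep the search spec server-side and round-trip only an opaque id. The enclosing `if`/`else` (the `%search = $cgi->Vars;` branch) continues outside the hunk.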
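Review bot: The `scalar()` added around `$cgi->param('msgnum')` in the `@@ -267,7 +265,7 @@` hunk is the right fix but carries no explanation, and a maintainer is likely to strip it as redundant; a one-line comment above the `qsearchs` call would pin the reason, e.g. `# scalar(): CGI's param() returns a list in list context, so a repeated msgnum= would add extra key/value pairs to this hash`. The other two uses in the hunk, `if ( $cgi->param('msgnum') )` and the concatenation in the `die`, are already evaluated in scalar context and need no change. Any remaining `$cgi->param` call inside a hash or list constructor elsewhere in this file would need the same treatment; only this hunk is visible here.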