From f06a0610477b0ba8e1931722c3105b880fbc35c3 Mon Sep 17 00:00:00 2001
From: Ivan Kohler <ivan@freeside.biz>
Date: Sun, 11 Nov 2012 22:18:50 -0800
Subject: [PATCH] fix XSS

---
 FS/FS/UI/Web/small_custview.pm    | 2 +-
 httemplate/elements/location.html | 4 ++--
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/FS/FS/UI/Web/small_custview.pm b/FS/FS/UI/Web/small_custview.pm
index 43d76130f..e4b5421a2 100644
--- a/FS/FS/UI/Web/small_custview.pm
+++ b/FS/FS/UI/Web/small_custview.pm
@@ -88,7 +88,7 @@ sub small_custview {
   $html .= '<TD VALIGN="top">'. ntable("#cccccc",2).
     '<TR><TD ALIGN="right" VALIGN="top">Service<BR>Address</TD><TD BGCOLOR="#ffffff">';
   $html .= join('<BR>', 
-    grep $_,
+    map encode_entities($_), grep $_,
       $cust_main->contact,
       $cust_main->company,
       $ship->address1,
diff --git a/httemplate/elements/location.html b/httemplate/elements/location.html
index de844e465..0f844531d 100644
--- a/httemplate/elements/location.html
+++ b/httemplate/elements/location.html
@@ -214,7 +214,7 @@ Example:
   <TD COLSPAN=8>
     <INPUT TYPE="text" SIZE=15
            NAME="enter_censustract" 
-           VALUE="<% $object->censustract %>">
+           VALUE="<% $object->censustract |h %>">
     <% '(automatic)' %>
   </TD>
 </TR>
@@ -226,7 +226,7 @@ Example:
     <TD COLSPAN=8>
       <INPUT TYPE="text" SIZE=15
              NAME="<%$pre%>district" 
-             VALUE="<% $object->district %>">
+             VALUE="<% $object->district |h %>">
     <% '(automatic)' %>
     </TD>
   </TR>
-- 
2.11.0