Encode prepaid_shortform input to prevent XSS

[freeside.git] / fs_selfservice / FS-SelfService / cgi / myaccount_menu.html

diff --git a/fs_selfservice/FS-SelfService/cgi/myaccount_menu.html b/fs_selfservice/FS-SelfService/cgi/myaccount_menu.html
index 9d33036..4a31b12 100644 (file)
--- a/fs_selfservice/FS-SelfService/cgi/myaccount_menu.html
+++ b/fs_selfservice/FS-SelfService/cgi/myaccount_menu.html
@@ -23,12 +23,12 @@ unless ( $access_pkgnum ) {
       url=>'customer_order_pkg', 'indent'=>2 };
 }
 
-if ( 1 ) { #XXXFIXME "enable selfservice prepay features" flag or something, eventually per-pkg or something really fancy
+if ( $balance > 0 ) { #XXXFIXME "enable selfservice prepay features" flag or something, eventually per-pkg or something really fancy
 
   #XXXFIXME still a bit sloppy for multi-gateway of differing namespace
   my $i = 0;
   while($i < scalar(@cust_paybys)) { last if $cust_paybys[$i] =~ /^CARD/; $i++ }
-  if ( $cust_paybys[$i] =~ /^CARD/ ) {
+  if ( $cust_paybys[$i] && $cust_paybys[$i] =~ /^CARD/ ) {
     push @menu, { title  => 'Recharge my account with a credit card',
                   url    => $hide_payment_fields[$i]
                               ? 'make_thirdparty_payment&payby_method=CC'
@@ -39,7 +39,7 @@ if ( 1 ) { #XXXFIXME "enable selfservice prepay features" flag or something, eve
 
   $i = 0;
   while($i < scalar(@cust_paybys)) { last if $cust_paybys[$i] =~ /^CHEK/; $i++ }
-  if ( $cust_paybys[$i] =~ /^CHEK/ ) {
+  if ( $cust_paybys[$i] && $cust_paybys[$i] =~ /^CHEK/ ) {
     push @menu, { title  => 'Recharge my account with a check',
                   url    => $hide_payment_fields[$i]
                               ? 'make_thirdparty_payment&payby_method=ECHECK'
@@ -59,6 +59,7 @@ if ( 1 ) { #XXXFIXME "enable selfservice prepay features" flag or something, eve
 push @menu,
   { title=>' ' },
   { title=>'View my usage', url=>'view_usage', size=>'+1', },
+  { title=>'Create a ticket', url=>'tktcreate', size=>'+1', },
 ;
 
 unless ( $access_pkgnum ) {
@@ -87,11 +88,13 @@ push @menu,
   { title=>'Logout',   url=>'logout', size=>'+1', },
 ;
 
+my %menu_disable = map { $_=>1 } @menu_disable;
 foreach my $item ( @menu ) {
 
-  next if $menu_skipblanks && $item->{'title'} =~ /^\s*$/;
-  next if $menu_skipheadings && ! $item->{'url'};
-
+  next if ( $menu_skipblanks && $item->{'title'} =~ /^\s*$/ )
+       || ( $menu_skipheadings && ! $item->{'url'} )
+       || $menu_disable{$item->{'title'}};
+  
   $OUT .= '<TR><TD'; 
   if ( $menu_body_image ) {
     if ( exists $item->{'url'} && $action eq $item->{'url'} ) {