projects / freeside.git / blobdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | inline | side by side
Encode prepaid_shortform input to prevent XSS
[freeside.git] / fs_selfservice / FS-SelfService / cgi / signup.html
diff --git a/fs_selfservice/FS-SelfService/cgi/signup.html b/fs_selfservice/FS-SelfService/cgi/signup.html
index 8204f55..4ac6777 100755 (executable)
--- a/fs_selfservice/FS-SelfService/cgi/signup.html
+++ b/fs_selfservice/FS-SelfService/cgi/signup.html
@@ -5,7 +5,12 @@
   <%= $head %>
 </HEAD>
 <BODY BGCOLOR="<%= $body_bgcolor || '#e8e8e8' %>" onUnload="myclose()">
-
+<%= if ( $terms_of_service =~ /\S/ ) { # enable overlib
+  $OUT .= qq!<SCRIPT type="text/javascript" src="$_.js"></SCRIPT>\n!
+    foreach (qw(overlibmws overlibmws_iframe overlibmws_draggable 
+                overlibmws_crossframe iframecontentmws ));
+}
+%>
 <script type="text/javascript">
   var mywindow = -1;
   function myopen(filename,windowname,properties) {
@@ -25,10 +30,10 @@
          ' Signup form</FONT><BR><BR>';
 %>
 
-<FONT SIZE="+1" COLOR="#ff0000"><%= $error %></FONT>
+<FONT SIZE="+1" COLOR="#ff0000"><%= encode_entities($error) %></FONT>
 
 <FORM NAME="OneTrueForm" ACTION="<%= $self_url %>" METHOD=POST onSubmit="document.OneTrueForm.signup.disabled=true">
-<INPUT TYPE="hidden" NAME="prepaid_shortform" VALUE="<%= $prepaid_shortform %>">
+<INPUT TYPE="hidden" NAME="prepaid_shortform" VALUE="<%= encode_entities($prepaid_shortform) %>">
 <INPUT TYPE="hidden" NAME="session" VALUE="<%= $session_id %>">
 <INPUT TYPE="hidden" NAME="action" VALUE="process_signup">
 <INPUT TYPE="hidden" NAME="agentnum" VALUE="<%= $agentnum %>">
@@ -144,6 +149,7 @@ $OUT .= qq!
 else {
     @payby = ('PREPAY');
 }
+'';
 %>
 
 <BR>Billing information<TABLE BGCOLOR="<%= $box_bgcolor || '#c0c0c0' %>" BORDER=0 CELLSPACING=0 WIDTH="100%">
@@ -387,9 +393,32 @@ if ( @optional_packages ) {
 $OUT = ''
 }
 %>
-
-<BR><INPUT TYPE="submit" NAME="signup" VALUE="Signup">
-<script language="JavaScript">
+<%=
+  if ( $terms_of_service =~ /\S/ ) {
+    my $title = 'Terms of Service'; #config?
+    my $onclick = qq[overlib( terms_content, CAPTION, "$title", STICKY, AUTOSTATUSCAP, MIDX, 0, MIDY, 0, DRAGGABLE, CLOSECLICK, CLOSETEXT, "Close" );];
+    # Container for $terms_of_service to avoid nasty escaping.
+    $OUT .= qq[
+<BR>
+<DIV id="div_terms" style="display:none">$terms_of_service</DIV>
+<SCRIPT type="text/javascript">
+function agree_to_terms (val) {
+  document.getElementById("signup").disabled = !val;
+}
+function show_terms () {
+  overlib( document.getElementById('div_terms').innerHTML,
+    CAPTION, '$title', STICKY, AUTOSTATUSCAP, MIDX, 0, MIDY, 0, DRAGGABLE,
+    CLOSECLICK, CLOSETEXT, 'Close' );
+}
+</SCRIPT>
+<INPUT TYPE="checkbox" onchange="agree_to_terms(this.checked)">&nbsp;
+I agree to the <a href="javascript:void(0);" onclick="show_terms();">Terms of Service</a>.
+];
+  }
+%>
+<BR><INPUT TYPE="submit" ID="signup" NAME="signup" VALUE="Signup">
+<script language="javascript">
+<%= length($terms_of_service) ? 'agree_to_terms(false)' : '' %>
 
 function fixup_form() {
     
Freeside billing, trouble ticketing, network monitoring and provisioning