don't redirect to a GET with sensitive data, RT#26099

[freeside.git] / httemplate / edit / process / cust_main.cgi

diff --git a/httemplate/edit/process/cust_main.cgi b/httemplate/edit/process/cust_main.cgi
index 054973f..4fb8f62 100755 (executable)
--- a/httemplate/edit/process/cust_main.cgi
+++ b/httemplate/edit/process/cust_main.cgi
@@ -1,7 +1,7 @@
 % if ( $error ) {
 %   $cgi->param('error', $error);
-%
-<% $cgi->redirect(popurl(2). "cust_main.cgi?". $cgi->query_string ) %>
+%   my $query = $m->scomp('/elements/create_uri_query', 'secure'=>1);
+<% $cgi->redirect(popurl(2). "cust_main.cgi?$query" ) %>
 %
 % } else { 
 %
@@ -83,10 +83,7 @@ for my $pre (qw(bill ship)) {
   }
   $hash{'custnum'} = $cgi->param('custnum');
   warn Dumper \%hash if $DEBUG;
-  # if we can qsearchs it, then it's unchanged, so use that
-  $locations{$pre} = qsearchs('cust_location', \%hash)
-                     || FS::cust_location->new( \%hash );
-
+  $locations{$pre} = FS::cust_location->new(\%hash);
 }
 
 if ( ($cgi->param('same') || '') eq 'Y' ) {
@@ -216,6 +213,7 @@ if ( $new->custnum eq '' or $duplicate_of ) {
       #later         'custnum' => $custnum,
       'pkgpart'     => $pkgpart,
       'locationnum' => scalar($cgi->param('locationnum')),
+      'salesnum'    => scalar($cgi->param('salesnum')),
     } );