scalar cgi param

[freeside.git] / httemplate / misc / process / timeworked.html

diff --git a/httemplate/misc/process/timeworked.html b/httemplate/misc/process/timeworked.html
index c589d76..aaccf05 100644 (file)
--- a/httemplate/misc/process/timeworked.html
+++ b/httemplate/misc/process/timeworked.html
@@ -1,19 +1,24 @@
 % if ($error) {
 <% $cgi->redirect(popurl(2). "timeworked.html?". $cgi->query_string) %>
 % } else {
-<% $cgi->redirect(popurl(3). "search/timeworked.html") %>
+<% $cgi->redirect(popurl(3). "search/timeworked.html?begin=$begin;end=$end;category=$category") %>
 % }
 <%init>
 
 die "access denied"
   unless $FS::CurrentUser::CurrentUser->access_right('Time queue');
 
+my($begin, $end) = FS::UI::Web::parse_beginning_ending($cgi);
+
+( my $category = $cgi->param('category') ) =~ /^\w*$/
+  or die 'illegal category';#no need for nice error messages for XSS, just avoid
+
 my @acct_rt_transaction;
 foreach my $transaction (
   map { /^transactionid(\d+)$/; $1; } grep /^transactionid\d+$/, $cgi->param
 ) {
   my $s = "multiplier${transaction}_";
-  my %multipliers = map { /^$s(\d+)$/; $1 => $cgi->param("$s$1"); }
+  my %multipliers = map { /^$s(\d+)$/; $1 => scalar($cgi->param("$s$1")); }
                       grep /^$s\d+$/, $cgi->param;
   my $msum = 0;
   foreach(values %multipliers) {$msum += $_};
@@ -45,7 +50,7 @@ foreach my $transaction (
       'custnum'        => $customer,
       'transaction_id' => $transaction,
       'seconds'        => $seconds{$customer},
-      'support'        => $seconds{$customer} * $msum,
+      'support'        => int( $seconds{$customer} * $msum ),
     };
   }