allow punctuation in tax name on tax report, #33255
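--- a/httemplate/search/report_tax.cgi
+++ b/httemplate/search/report_tax.cgi
@@ -151,7 +151,7 @@ TD.rowhead { font-weight: bold; text-align: left; padding: 0px 3px }
 <% emt('Out of taxable region') %>
 </TD>
 <TD STYLE="text-align: right">
- <A HREF="<% $saleslink %>;out=1;taxname=<% $params{taxname} %>">
+ <A HREF="<% $saleslink %>;out=1;taxname=<% encode_entities($params{'taxname'}) %>">
 <% $money_sprintf->( $report->{outside } ) %>
 </A>
 </TD>
@@ -188,8 +188,9 @@ if ( $cgi->param('agentnum') =~ /^(\d+)$/ ) {
 $agentname = $agent->agentname;
 }
-if ( $cgi->param('taxname') =~ /^([\w ]+)$/ ) {
- $params{taxname} = $1;
+# allow anything in here; FS::Report::Tax will treat it as unsafe
+if ( length($cgi->param('taxname')) ) {
+ $params{taxname} = $cgi->param('taxname');
 } else {
 die "taxname required";
 }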
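Review bot: The `taxname` value in the `out=1` link (hunk at line 151) is only HTML-entity-encoded, although it is placed inside a URL query string that uses `;` as the parameter separator. Because the hunk at line 188 now accepts any non-empty string, the browser will decode the entities back to raw characters, so a tax name containing `;`, `&`, `#`, `%` or `+` can split or truncate the query, and the linked report may receive a different taxname than the one displayed. URI-escape the value before entity-encoding it, for example `<% encode_entities(uri_escape($params{'taxname'})) %>`, assuming URI::Escape is available to this template. The new comment relies on FS::Report::Tax treating the value as unsafe, which is not visible on this page; any other place in the template that prints `$params{taxname}` presumably needs the same escaping now that the `/^([\w ]+)$/` allow-list is gone.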