RT# 74666 - fixed vulnerability by escaping quotation_description var
[freeside.git] / httemplate / view / quotation.html
index aba1f0a..d4d79d7 100755 (executable)
@@ -2,7 +2,7 @@
 <& /elements/header-cust_main.html, view=>'quotations', custnum=>$quotation->custnum &>
 <h2>Quotation #<% $quotationnum %>
 % if ($quotation->quotation_description) {
-(<% $quotation->quotation_description %>)  
+(<% $quotation->quotation_description |h %>)  
 % } 
 </h2>
 % } else { #eventually, header-prospect_main.html
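Review bot: The `<% $quotationnum %>` expression on the `<h2>` line just above the patched line is still emitted without an escape flag. Where `$quotationnum` is assigned is not visible in this hunk; if it is taken from the request arguments rather than from the loaded record, it needs the same treatment: `<h2>Quotation #<% $quotationnum |h %>`. Per-expression `|h` is easy to forget, so any other template that prints `quotation_description` deserves the same check, and enabling Mason's `default_escape_flags` would make HTML escaping the default rather than opt-in. The `if`/`else` block that encloses these lines starts and ends outside the hunk.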