fix XSS
authorIvan Kohler <ivan@freeside.biz>
Mon, 12 Nov 2012 06:18:55 +0000 (22:18 -0800)
committerIvan Kohler <ivan@freeside.biz>
Mon, 12 Nov 2012 06:18:55 +0000 (22:18 -0800)
FS/FS/UI/Web/small_custview.pm
httemplate/elements/location.html

index c3d251c..0660038 100644 (file)
@@ -89,14 +89,14 @@ sub small_custview {
 
     $html .= '<TD VALIGN="top">'. ntable("#cccccc",2).
       '<TR><TD ALIGN="right" VALIGN="top">Service<BR>Address</TD><TD BGCOLOR="#ffffff">'.
-      $cust_main->get("${pre}last"). ', '.
-      $cust_main->get("${pre}first"). '<BR>';
-    $html .= $cust_main->get("${pre}company"). '<BR>'
+      encode_entities($cust_main->get("${pre}last")). ', '.
+      encode_entities($cust_main->get("${pre}first")). '<BR>';
+    $html .= encode_entities($cust_main->get("${pre}company")). '<BR>'
       if $cust_main->get("${pre}company");
-    $html .= $cust_main->get("${pre}address1"). '<BR>';
-    $html .= $cust_main->get("${pre}address2"). '<BR>'
+    $html .= encode_entities($cust_main->get("${pre}address1")). '<BR>';
+    $html .= encode_entities($cust_main->get("${pre}address2")). '<BR>'
       if $cust_main->get("${pre}address2");
-    $html .= $cust_main->get("${pre}city"). ', '.
+    $html .= encode_entities($cust_main->get("${pre}city")). ', '.
              $cust_main->get("${pre}state"). '  '.
              $cust_main->get("${pre}zip"). '<BR>';
     $html .= $cust_main->get("${pre}country"). '<BR>'
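Review bot: The new side still concatenates `${pre}state`, `${pre}zip` and `${pre}country` raw on the three lines after the last `+` line, so the escaping is incomplete for those fields in the same table cell; wrap them the same way: `encode_entities($cust_main->get("${pre}state")). '  '.`, `encode_entities($cust_main->get("${pre}zip")). '<BR>';` and `$html .= encode_entities($cust_main->get("${pre}country")). '<BR>'`. State and country may come from a fixed lookup rather than free text, but nothing at this call site shows that, and zip is plainly user-entered, so treating all three like the fields above is the safer default. `encode_entities` needs `use HTML::Entities;` in scope; the file's imports lie outside the hunk, so confirm it is already imported rather than relying on an export from elsewhere. `small_custview` continues past the end of the hunk.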
index c606523..a0c5644 100644 (file)
@@ -214,7 +214,7 @@ Example:
     <TR>
       <<%$th%> ALIGN="right">Tax district<BR>(automatic)</<%$th%>>
       <TD>
-        <INPUT TYPE="text" NAME="district" VALUE="<%$object->get('district')%>">
+        <INPUT TYPE="text" NAME="district" VALUE="<% $object->get('district') |h %>">
       </TD>
     </TR>
 %   }
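Review bot: With the district input now escaped via `|h`, any other `VALUE="<% $object->get(...) %>"` attribute in this template needs the same flag; only this one row is inside the hunk, so confirm the other address inputs were handled in the same commit or already carry `|h`. The `<%$th%>` interpolations of the tag name in this row stay unescaped, which is fine only if `$th` is chosen by the template itself and never taken from request data; a one-line comment above the `<TR>`, `% # $th is a fixed tag name; field values interpolated into attributes must always use |h`, would record that expectation for the next editor. The `%   }` block the hunk ends inside begins outside the hunk.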