RT# 74666 - fixed vulnerability by escaping quotation_description var

author Christopher Burger <burgerc@freeside.biz>

Fri, 30 Jun 2017 17:24:29 +0000 (13:24 -0400)

committer Christopher Burger <burgerc@freeside.biz>

Fri, 30 Jun 2017 17:24:29 +0000 (13:24 -0400)
author Christopher Burger <burgerc@freeside.biz>
Fri, 30 Jun 2017 17:24:29 +0000 (13:24 -0400)
committer Christopher Burger <burgerc@freeside.biz>
Fri, 30 Jun 2017 17:24:29 +0000 (13:24 -0400)
diff --git a/httemplate/view/quotation.html b/httemplate/view/quotation.html

index aba1f0a..d4d79d7 100755 (executable)
--- a/httemplate/view/quotation.html
+++ b/httemplate/view/quotation.html
@@ -2,7 +2,7 @@
  <& /elements/header-cust_main.html, view=>'quotations', custnum=>$quotation->custnum &>
  <h2>Quotation #<% $quotationnum %>
  % if ($quotation->quotation_description) {
-(<% $quotation->quotation_description %>)  
+(<% $quotation->quotation_description |h %>)  
  % } 
  </h2>
  % } else { #eventually, header-prospect_main.html
author	Christopher Burger <burgerc@freeside.biz>
	Fri, 30 Jun 2017 17:24:29 +0000 (13:24 -0400)
committer	Christopher Burger <burgerc@freeside.biz>
	Fri, 30 Jun 2017 17:24:29 +0000 (13:24 -0400)