use strict;
use vars qw($DEBUG @ISA @EXPORT_OK $me);
use Exporter;
-use Carp qw( confess );;
+use Carp qw( confess );
+use HTML::Entities;
use FS::Conf;
use FS::Misc::DateTime qw( parse_datetime );
use FS::Record qw(dbdef);
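Review bot: The added `use HTML::Entities;` imports the module's whole default export list, while the neighbouring `use Carp qw( confess );` names exactly what it needs; `use HTML::Entities qw( encode_entities );` keeps the file's import style consistent and makes the one function this module relies on visible at the top. The doubled-semicolon fix on the Carp line is fine as is.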
map {
if ( $record->custnum ) {
warn " $record -> $_" if $DEBUG > 1;
- $record->$_(@_);
+ encode_entities( $record->$_(@_) );
} else {
warn " ($record unlinked)" if $DEBUG > 1;
$seen_unlinked++ ? '' : '(unlinked)';
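Review bot: `encode_entities( $record->$_(@_) )` invokes the accessor in list context, so if any accessor in the field list returns more than one value the second element is silently taken as encode_entities' unsafe-character argument and the remainder is dropped; `encode_entities( scalar $record->$_(@_) )` pins the single-value call the code intends. The same shape is introduced for `$row->$_()` in the last hunk of this diff. The enclosing `map` and the subroutine it belongs to start before this hunk and end after it, so I cannot see whether every accessor is scalar-valued.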
my $onclick = include('/elements/popup_link_onclick.html',
action => $p.'view/part_event-targets.html?eventpart='.
$part_event->eventpart,
- actionlabel => 'Event query - '.$part_event->event,
+ actionlabel => 'Event query', #no, XSS - '.$part_event->event,
width => 650,
height => 420,
close_text => 'Close',
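Review bot: The new `actionlabel` line leaves a dead code fragment inside its trailing comment (`#no, XSS - '.$part_event->event,`), which reads as commented-out code rather than as the reason the event name was dropped. If `/elements/popup_link_onclick.html` does not HTML-escape `actionlabel` (not visible from here), the name can still be shown safely as `actionlabel => 'Event query - '. encode_entities($part_event->event),`; otherwise keep the plain label and state the reason, e.g. `# event name omitted: actionlabel is not HTML-escaped by popup_link_onclick`. The `action` URL here, and the `'link'` value in the following subcolumns hunk, still concatenate `$part_event->eventpart` raw, which is only safe as long as eventpart is the integer primary key.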
[#rows
[#subcolumns
{
- 'data' => $part_event->event,
- 'link' => $p.'edit/part_event.html?'.$part_event->eventpart,
+ 'data' => encode_entities($part_event->event),
+ 'link' => $p.'edit/part_event.html?'.$part_event->eventpart,
},
{
- 'data' => ' (query) ',
- 'size' => '-1',
- 'data_style' => 'b',
- 'onclick' => $onclick,
+ 'data' => ' (query) ',
+ 'size' => '-1',
+ 'data_style' => 'b',
+ 'onclick' => $onclick,
},
],
];
<TD>
<INPUT TYPE = "text"
NAME = "username"
- VALUE = "<% $opt{'username'} %>"
+ VALUE = "<% $opt{'username'} |h %>"
SIZE = <% $ulen2 %>
MAXLENGTH = <% $ulen %>
>
<TD>
<INPUT TYPE = "text"
NAME = "_password"
- VALUE = "<% $opt{'password'} %>"
+ VALUE = "<% $opt{'password'} |h %>"
SIZE = <% $pmax2 %>
MAXLENGTH = <% $passwordmax %>>
% unless ( $opt{'password_verify'} ) {
<TD>
<INPUT TYPE = "text"
NAME = "_password2"
- VALUE = "<% $opt{'password2'} %>"
+ VALUE = "<% $opt{'password2'} |h %>"
SIZE = <% $pmax2 %>
MAXLENGTH = <% $passwordmax %>>
</TD>
% if ( $conf->exists('security_phrase') ) {
<TR>
<TD ALIGN="right"><% mt('Security Phrase') |h %></TD>
- <TD><INPUT TYPE="text" NAME="sec_phrase" VALUE="<% $opt{'sec_phrase'} %>">
+ <TD><INPUT TYPE="text" NAME="sec_phrase" VALUE="<% $opt{'sec_phrase'} |h %>">
</TD>
</TR>
% } else {
% next unless $cust_main;
<TR>
- <TD CLASS="grid" BGCOLOR="<% $bgcolor %>"><A HREF="view/cust_main.cgi?<% $custnum %>"><% $cust_main->display_custnum %>: <% $cust_main->name %></A></TD>
+ <TD CLASS="grid" BGCOLOR="<% $bgcolor %>"><A HREF="view/cust_main.cgi?<% $custnum %>"><% $cust_main->display_custnum %>: <% $cust_main->name |h %></A></TD>
</TR>
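Review bot: `|h` was added to `$cust_main->name` on the new line, but `$cust_main->display_custnum` in the same cell and `$custnum` in the HREF remain unescaped. If display_custnum can return an agent-assigned customer identifier rather than the integer custnum, it carries user-entered text and should be filtered as well: `<% $cust_main->display_custnum |h %>: <% $cust_main->name |h %>`. `$bgcolor` is presumably one of the template's own colour constants and is not affected.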
% if ( $bgcolor eq $bgcolor1 ) {
% my $refcustlabel = "$referral_custnum: " .
% ( $cust_main->company || $cust_main->last. ', '. $cust_main->first );
referrals of
- <A HREF="<% popurl(2)."view/cust_main.cgi?$referral_custnum" %>"><% $refcustlabel %></A>
+ <A HREF="<% popurl(2)."view/cust_main.cgi?$referral_custnum" %>"><% $refcustlabel |h %></A>
<SELECT NAME="referral_depth" SIZE="1" onChange="changed(this)">';
% my $max = 8;
% $view = $p. 'view/cust_main.cgi?'. $custnum;
% }
% my $pcompany = $company
-% ? qq!<A HREF="$view"><FONT SIZE=-1>$company</FONT></A>!
+% ? qq!<A HREF="$view"><FONT SIZE=-1>!. encode_entities($company). '</FONT></A>'
% : '<FONT SIZE=-1> </FONT>';
%
% my $status = $cust_main->status;
<FONT SIZE="-1" COLOR="#<% $statuscol %>"><B><% ucfirst($status) %></B></FONT>
</TD>
<TD CLASS="grid" BGCOLOR="<% $bgcolor %>" ROWSPAN=<% $rowspan %>>
- <A HREF="<% $view %>"><FONT SIZE=-1><% "$last, $first" %></FONT></A>
+ <A HREF="<% $view %>"><FONT SIZE=-1><% "$last, $first" |h %></FONT></A>
</TD>
<TD CLASS="grid" BGCOLOR="<% $bgcolor %>" ROWSPAN=<% $rowspan %>>
<% $pcompany %>
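Review bot: The rebuilt `$pcompany` link encodes `$company` but still interpolates `$view` raw into the HREF attribute, and `$view` is assembled a few lines above from `$custnum` without any check; `$pcompany` is later printed unfiltered at `<% $pcompany %>` because it is intentionally markup, so nothing downstream will catch it. If `$custnum` always comes from the integer primary key this is safe, but since the value lands in an attribute anyway, `qq!<A HREF="!. encode_entities($view). qq!"><FONT SIZE=-1>!. encode_entities($company). '</FONT></A>'` removes the dependence on that assumption at no cost. The same `$custnum`-in-HREF pattern appears at the `view/cust_main.cgi?<% $custnum %>` line earlier in this diff. These lines appear to sit inside a per-row loop that starts before the hunk.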
% $_ =~ /^\d+$/ ) {
% # for the 'straight SQL' case: specify fields
% # by position
-% $row->[$_];
+% encode_entities($row->[$_]);
% } else {
-% $row->$_();
+% encode_entities($row->$_());
% }
% }
% @{$opt{'fields'}}
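Review bot: Wrapping every `$row->[$_]` and `$row->$_()` value in `encode_entities` unconditionally changes output for any field whose accessor deliberately returns markup (links, `<BR>`-joined lists) — such values would now render as literal tags; the field list is supplied by callers through `$opt{'fields'}` and is not visible here, so this is worth confirming against them before merging. If some fields must stay raw, a caller-supplied list of field names to leave unescaped, checked before the `encode_entities` call, is the usual shape. As in the `$record->$_(@_)` hunk earlier, `encode_entities($row->$_())` calls the accessor in list context, so `encode_entities( scalar $row->$_() )` is the safer spelling. The `map` over `@{$opt{'fields'}}` starts before this hunk and continues after it.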