freeside.git / commitdiff (from parent 1: 12ac7af)
self-xss, RT#81757
author: Ivan Kohler <ivan@freeside.biz>, Mon, 19 Nov 2018 22:43:12 +0000 (14:43 -0800)
committer: Ivan Kohler <ivan@freeside.biz>, Mon, 19 Nov 2018 22:43:12 +0000 (14:43 -0800)
fs_selfservice/FS-SelfService/cgi/contact.html
diff --git a/fs_selfservice/FS-SelfService/cgi/contact.html b/fs_selfservice/FS-SelfService/cgi/contact.html
index 20c15df..7ae0d48 100644
--- a/fs_selfservice/FS-SelfService/cgi/contact.html
+++ b/fs_selfservice/FS-SelfService/cgi/contact.html
@@
-3,22
+3,22
@@
<TR>
<TH ALIGN="right"><%=$r%>Contact name<BR>(last, first)</TH>
<TD COLSPAN=5>
<TR>
<TH ALIGN="right"><%=$r%>Contact name<BR>(last, first)</TH>
<TD COLSPAN=5>
- <INPUT TYPE="text" NAME="<%=$pre%>last" VALUE="<%=
${$pre.'last'}
%>" onChange="<%= $onchange %>" <%=$disabled%>> ,
- <INPUT TYPE="text" NAME="<%=$pre%>first" VALUE="<%=
${$pre.'first'}
%>" onChange="<%= $onchange %>" <%=$disabled%>>
+ <INPUT TYPE="text" NAME="<%=$pre%>last" VALUE="<%=
encode_entities(${$pre.'last'})
%>" onChange="<%= $onchange %>" <%=$disabled%>> ,
+ <INPUT TYPE="text" NAME="<%=$pre%>first" VALUE="<%=
encode_entities(${$pre.'first'})
%>" onChange="<%= $onchange %>" <%=$disabled%>>
</TD>
</TR>
<TR>
<TD ALIGN="right">Company</TD>
<TD COLSPAN=7>
</TD>
</TR>
<TR>
<TD ALIGN="right">Company</TD>
<TD COLSPAN=7>
- <INPUT TYPE="text" NAME="<%=$pre%>company" VALUE="<%=
${$pre.'company'}
%>" SIZE=70 onChange="<%= $onchange %>" <%=$disabled%>>
+ <INPUT TYPE="text" NAME="<%=$pre%>company" VALUE="<%=
encode_entities(${$pre.'company'})
%>" SIZE=70 onChange="<%= $onchange %>" <%=$disabled%>>
</TD>
</TR>
<TR>
<TH ALIGN="right"><%=$r%>Address</TH>
<TD COLSPAN=7>
</TD>
</TR>
<TR>
<TH ALIGN="right"><%=$r%>Address</TH>
<TD COLSPAN=7>
- <INPUT TYPE="text" NAME="<%=$pre%>address1" VALUE="<%=
${$pre.'address1'}
%>" SIZE=70 onChange="<%= $onchange %>" <%=$disabled%>>
+ <INPUT TYPE="text" NAME="<%=$pre%>address1" VALUE="<%=
encode_entities(${$pre.'address1'})
%>" SIZE=70 onChange="<%= $onchange %>" <%=$disabled%>>
</TD>
</TR>
</TD>
</TR>
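Review bot: the four VALUE attributes in this hunk (last, first, company, address1) now go through encode_entities, which is the right call for a double-quoted attribute context, but the diff shows no `use HTML::Entities` or equivalent import for the template, so confirm encode_entities is actually in scope where contact.html is evaluated; a missing import would only show up as a runtime error on page render. The other interpolations on the same lines, `onChange="<%= $onchange %>"` and `<%=$disabled%>`, stay unescaped, which is fine as long as both are set by the template code and never derived from request or stored customer data. Because the fix is applied field by field, a default-escaping output filter in the template layer would stop the same class of bug reappearing in fields added later.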
@@
-37,14
+37,14
@@
%>
</TD>
<TD COLSPAN=7>
%>
</TD>
<TD COLSPAN=7>
- <INPUT TYPE="text" NAME="<%=$pre%>address2" VALUE="<%=
${$pre.'address2'}
%>" SIZE=70 onChange="<%= $onchange %>" <%=$disabled%>>
+ <INPUT TYPE="text" NAME="<%=$pre%>address2" VALUE="<%=
encode_entities(${$pre.'address2'})
%>" SIZE=70 onChange="<%= $onchange %>" <%=$disabled%>>
</TD>
</TR>
<TR>
<TH ALIGN="right"><%=$r%>City</TH>
<TD>
</TD>
</TR>
<TR>
<TH ALIGN="right"><%=$r%>City</TH>
<TD>
- <INPUT TYPE="text" ID="<%=$pre%>city" NAME="<%=$pre%>city" VALUE="<%=
${$pre.'city'}
%>" onChange="<%= $onchange %>" <%=$disabled%>>
+ <INPUT TYPE="text" ID="<%=$pre%>city" NAME="<%=$pre%>city" VALUE="<%=
encode_entities(${$pre.'city'})
%>" onChange="<%= $onchange %>" <%=$disabled%>>
</TD>
<%=
($county_html, $state_html, $country_html) =
</TD>
<%=
($county_html, $state_html, $country_html) =
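Review bot: address2 and city get the same encode_entities wrapping as the first hunk, which keeps the fix consistent, but the hunk ends at `($county_html, $state_html, $country_html) =` and the helper that builds those select lists is not visible here, so check that the option values and selected state it emits are escaped the same way; otherwise the county/state/country controls are left as the one place in this form where a stored value still reaches the markup unencoded. The unescaped `ID="<%=$pre%>city"` and NAME attributes only matter if `$pre` can ever be influenced by user input rather than fixed by the template.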