xss
authorIvan Kohler <ivan@freeside.biz>
Tue, 7 Mar 2017 04:15:28 +0000 (20:15 -0800)
committerIvan Kohler <ivan@freeside.biz>
Tue, 7 Mar 2017 04:15:28 +0000 (20:15 -0800)
httemplate/misc/email-customers.html

index b228b72..981d0e6 100644 (file)
@@ -67,8 +67,8 @@ from/subject/body cgi params
     <INPUT TYPE="hidden" NAME="msgnum" VALUE="<% $msg_template->msgnum %>">
 %   # kludge these through hidden inputs because they're not really part
 %   # of the template, but should be sticky during draft editing
-    <INPUT TYPE="hidden" NAME="from_name" VALUE="<% $cgi->param('from_name') %>">
-    <INPUT TYPE="hidden" NAME="from_addr" VALUE="<% $cgi->param('from_addr') %>">
+    <INPUT TYPE="hidden" NAME="from_name" VALUE="<% scalar($cgi->param('from_name')) |h %>">
+    <INPUT TYPE="hidden" NAME="from_addr" VALUE="<% scalar($cgi->param('from_addr')) |h %>">
 
 %   if ( !$msg_template->disabled ) {
       <& /elements/tr-td-label.html, 'label' => 'Template:' &>
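Review bot: The two rewritten hidden inputs are now escaped, but the `msgnum` hidden input on the context line just above them still interpolates `$msg_template->msgnum` raw; it presumably comes from a stored record rather than a request parameter, so it is likely a numeric id, yet applying the filter uniformly (`VALUE="<% $msg_template->msgnum |h %>"`) removes the need to audit each value's origin whenever this form changes. The existing "kludge" comment could also state the security reason for the filter, e.g. `# request-supplied; |h so a quote can't break out of the VALUE attribute`. Note that `|h` only makes these values safe as attribute text in this page — if from_addr and from_name are later placed in a mail header by the sending code, they still need their own validation there, which this hunk does not show. The enclosing template conditional starts before the hunk.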