fix XSS

author Ivan Kohler <ivan@freeside.biz>

Mon, 12 Nov 2012 06:18:50 +0000 (22:18 -0800)

committer Ivan Kohler <ivan@freeside.biz>

Mon, 12 Nov 2012 06:18:50 +0000 (22:18 -0800)
author Ivan Kohler <ivan@freeside.biz>
Mon, 12 Nov 2012 06:18:50 +0000 (22:18 -0800)
committer Ivan Kohler <ivan@freeside.biz>
Mon, 12 Nov 2012 06:18:50 +0000 (22:18 -0800)
diff --git a/FS/FS/UI/Web/small_custview.pm b/FS/FS/UI/Web/small_custview.pm

index 43d7613..e4b5421 100644 (file)
--- a/FS/FS/UI/Web/small_custview.pm
+++ b/FS/FS/UI/Web/small_custview.pm
@@ -88,7 +88,7 @@ sub small_custview {
    $html .= '<TD VALIGN="top">'. ntable("#cccccc",2).
      '<TR><TD ALIGN="right" VALIGN="top">Service<BR>Address</TD><TD BGCOLOR="#ffffff">';
    $html .= join('<BR>', 
-    grep $_,
+    map encode_entities($_), grep $_,
        $cust_main->contact,
        $cust_main->company,
        $ship->address1,
diff --git a/httemplate/elements/location.html b/httemplate/elements/location.html

index de844e4..0f84453 100644 (file)
--- a/httemplate/elements/location.html
+++ b/httemplate/elements/location.html
@@ -214,7 +214,7 @@ Example:
    <TD COLSPAN=8>
      <INPUT TYPE="text" SIZE=15
             NAME="enter_censustract" 
-           VALUE="<% $object->censustract %>">
+           VALUE="<% $object->censustract |h %>">
      <% '(automatic)' %>
    </TD>
  </TR>
@@ -226,7 +226,7 @@ Example:
      <TD COLSPAN=8>
        <INPUT TYPE="text" SIZE=15
               NAME="<%$pre%>district" 
-             VALUE="<% $object->district %>">
+             VALUE="<% $object->district |h %>">
      <% '(automatic)' %>
      </TD>
    </TR>
author	Ivan Kohler <ivan@freeside.biz>
	Mon, 12 Nov 2012 06:18:50 +0000 (22:18 -0800)
committer	Ivan Kohler <ivan@freeside.biz>
	Mon, 12 Nov 2012 06:18:50 +0000 (22:18 -0800)
FS/FS/UI/Web/small_custview.pm		patch \| blob \| history
httemplate/elements/location.html		patch \| blob \| history