RT#6226: security fix for customer notes
author
mark
<mark>
Thu, 25 Mar 2010 01:37:19 +0000
(
01:37
+0000)
committer
mark
<mark>
Thu, 25 Mar 2010 01:37:19 +0000
(
01:37
+0000)
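--- a/FS/FS/Mason.pm
+++ b/FS/FS/Mason.pm
@@ -70,6 +70,7 @@ if ( -e $addl_handler_use_file ) {
 use HTML::Entities;
 use HTML::TreeBuilder;
 use HTML::FormatText;
+ use HTML::Defang;
 use JSON;
 use MIME::Base64;
 use IO::Handle;
@@ -408,6 +409,8 @@ I<outbuf> should be set to a scalar reference in standalone mode.
 =cut
+my %defang_opts = ( attribs_to_callback => ['src'], attribs_callback => sub { 1 });
+
 sub mason_interps {
 my $mode = shift || 'apache';
 my %opt = @_;
@@ -451,6 +454,8 @@ sub mason_interps {
 $interp{out_method} = $opt{outbuf} if $mode eq 'standalone' && $opt{outbuf};
+ my $html_defang = new HTML::Defang (%defang_opts);
+
 my $fs_interp = new HTML::Mason::Interp (
 %interp,
 escape_flags => { 'js_string' => sub {
@@ -458,7 +463,10 @@ sub mason_interps {
 ${$_[0]} =~ s/(['\\])/\\$1/g;
 ${$_[0]} =~ s/\n/\\n/g;
 ${$_[0]} = "'". ${$_[0]}. "'";
- }
+ },
+ 'defang' => sub {
+ ${$_[0]} = $html_defang->defang(${$_[0]});
+ },
 },
 compiler => HTML::Mason::Compiler::ToObject->new(
 allow_globals => [qw(%session)],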
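Review bot: `attribs_callback => sub { 1 }` in the new `%defang_opts` returns a bare magic number, so a reader cannot tell whether every `src` attribute is meant to be stripped or handed to HTML::Defang's default URL handling; HTML::Defang exports named return values (`DEFANG_ALWAYS` and friends, via the `:all` tag), so `attribs_callback => sub { DEFANG_ALWAYS }` together with a comment such as `# strip every src attribute from note HTML before display` would pin the intent — please confirm that stripping, rather than the default check, is what was wanted. `my $html_defang = new HTML::Defang (%defang_opts);` in the -451 hunk is indirect-object syntax; `my $html_defang = HTML::Defang->new(%defang_opts);` is the unambiguous form. Because `defang` is registered only as an escape flag, sanitising stays opt-in per `<% ... | defang %>` expression, so any other component that prints note comments remains unfiltered until it is updated too. The body of mason_interps continues outside the hunk.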
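--- a/httemplate/view/cust_main/notes.html
+++ b/httemplate/view/cust_main/notes.html
@@ -53,7 +53,7 @@
 <% $note->otaker%>
 </TD>
 <TD CLASS="grid" BGCOLOR="<% $bgcolor %>">
- <% $note->comments %>
+ <% $note->comments | defang %>
 </TD>
 % if($edit) {
 <TD CLASS="grid" BGCOLOR="<% $bgcolor %>"><% $edit %></TD>
@@ -67,6 +67,8 @@
 % }
 <%init>
+use HTML::Defang;
+
 my $conf = new FS::Conf;
 my $curuser = $FS::CurrentUser::CurrentUser;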
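Review bot: `use HTML::Defang;` added to the `<%init>` block looks unused — the `defang` filter in `<% $note->comments | defang %>` is resolved by the interpreter's escape_flags, and nothing else in the visible hunks calls into HTML::Defang directly — so it should be dropped, or a comment should say why this component needs it. On the -53 hunk, `| defang` sanitises but still emits the note as HTML; if comments are not meant to carry markup, Mason's built-in `| h` escape is the stricter and safer choice, and if they are, a regression test that renders a note containing a script element and an event-handler attribute through this view would keep the fix from silently regressing. The enclosing block of the -53 hunk starts and ends outside it.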