From: Mitch Jackson <mitch@freeside.biz>
Date: Sat, 27 Oct 2018 17:01:54 +0000 (-0400)
Subject: RT# 31964 Fix XSS
X-Git-Url: http://git.freeside.biz/gitweb/?p=freeside.git;a=commitdiff_plain;h=0d13c4c4823794e26725303bc730d7f7d59ef4fb

RT# 31964 Fix XSS
---

diff --git a/httemplate/view/prospect_main.html b/httemplate/view/prospect_main.html
index 504a5a8ec..d6bcbe7ad 100644
--- a/httemplate/view/prospect_main.html
+++ b/httemplate/view/prospect_main.html
@@ -24,18 +24,18 @@
 % foreach my $prospect_contact ( $prospect_main->prospect_contact ) {
 %   my $contact = $prospect_contact->contact;
     <TR>
-      <TH ALIGN="right" VALIGN="top"><% $prospect_contact->contact_classname %> Contact</TH>
+      <TH ALIGN="right" VALIGN="top"><% $prospect_contact->contact_classname |h %> Contact</TH>
       <TD BGCOLOR="#FFFFFF">
-          <% $contact->line %><br>
+          <% $contact->line |h %><br>
           <table>
 %         for my $row ( $contact->contact_email ) {
-            <tr><th>E-Mail:</th><td><% $row->emailaddress %></td></tr>
+            <tr><th>E-Mail:</th><td><% $row->emailaddress |h %></td></tr>
 %         }
 %         for my $row ( $contact->contact_phone ) {
-            <tr><th><% $row->phone_type->typename %>:</th><td><% $row->phonenum_pretty %></td></tr>
+            <tr><th><% $row->phone_type->typename |h %>:</th><td><% $row->phonenum_pretty |h %></td></tr>
 %         }
 %         if ( $prospect_contact->comment ) {
-            <tr><th>Comment:</th><td><% $prospect_contact->comment %></td></tr>
+            <tr><th>Comment:</th><td><% $prospect_contact->comment |h %></td></tr>
 %         }
           </table>
       </TD>

E-Mail:	<% $row->emailaddress %>
E-Mail:	<% $row->emailaddress \|h %>
<% $row->phone_type->typename %>:	<% $row->phonenum_pretty %>
<% $row->phone_type->typename \|h %>:	<% $row->phonenum_pretty \|h %>
Comment:	<% $prospect_contact->comment %>
Comment:	<% $prospect_contact->comment \|h %>