From: Christopher Burger
Date: Tue, 26 Feb 2019 16:06:33 +0000 (-0500)
Subject: RT# 82092 - updated escaping html to use encode-entities
X-Git-Url: http://git.freeside.biz/gitweb/?p=freeside.git;a=commitdiff_plain;h=83cad295d38b0c764b59b62bc4840dcf666b7de9

RT# 82092 - updated escaping html to use encode-entities

Conflicts:
	FS/FS/part_virtual_field.pm
---
diff --git a/FS/FS/part_virtual_field.pm b/FS/FS/part_virtual_field.pm
index 1df4984e1..e54dc9389 100755
--- a/FS/FS/part_virtual_field.pm
+++ b/FS/FS/part_virtual_field.pm
@@ -4,7 +4,7 @@ use strict;
 use vars qw( @ISA );
 use FS::Record;
 use FS::Schema qw( dbdef );
-use CGI qw(escapeHTML);
+use HTML::Entities;
 @ISA = qw( FS::Record );
@@ -92,14 +92,14 @@ sub widget {
 if ($ui_type eq 'HTML') {
 if ($mode eq 'view') {
- $text = q!! . $label .
- q!! . $value .
+ $text = q!! . encode_entities($label) .
+ q!! . encode_entities($value) .
 q!! . "\n";
 } elsif ($mode eq 'edit') {
- $text = q!! . $label .
+ $text = q!! . encode_entities($label) .
 q!!;
 $text .= q!length) {
 $text .= q! SIZE="! . $self->length . q!"!;
 }
diff --git a/httemplate/browse/router.cgi b/httemplate/browse/router.cgi
index c7713f313..354111875 100644
--- a/httemplate/browse/router.cgi
+++ b/httemplate/browse/router.cgi
@@ -17,8 +17,6 @@
 %>
 <%init>
-use CGI qw(escapeHTML);
-
 die "access denied" unless $FS::CurrentUser::CurrentUser->access_right('Broadband configuration') || $FS::CurrentUser::CurrentUser->access_right('Broadband global configuration');
@@ -50,8 +48,8 @@ my @links = (
 [ "${p2}edit/router.cgi?", 'routernum' ],
 );
 foreach (FS::router->virtual_fields_hash) {
- push @header_fields, escapeHTML($_->{'label'});
- push @fields, escapeHTML($_->{'name'});
+ push @header_fields, encode_entities($_->{'label'});
+ push @fields, encode_entities($_->{'name'});
 push @links, '';
 }
diff --git a/httemplate/edit/elements/part_svc_column.html b/httemplate/edit/elements/part_svc_column.html
index 80d325e59..1e1ff79ee 100644
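Review bot: The replacement `use HTML::Entities;` pulls in the module's whole default export list, whereas the line it replaces imported exactly the one name the file uses; `use HTML::Entities qw(encode_entities);` keeps that explicit style. Since this package is an FS::Record subclass and imported subs are reachable as methods in Perl, the narrower import also keeps `decode_entities` and the other exports from becoming callable on part_virtual_field objects.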
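Review bot: In the `'edit'` branch only `$label` is visibly wrapped in `encode_entities`; the `$text .= q!...` line between `q!!;` and `if ($self->length)`, which presumably places `$value` and the field name inside the INPUT's attribute values, is garbled in this rendering, so the page does not show whether `$value` is entity-encoded there, and an attribute value is exactly the context where an unescaped `"` in stored data ends the attribute. The unchanged context line `$text .= q! SIZE="! . $self->length . q!"!;` also interpolates a record field unencoded; if `length` is constrained to digits by the column definition this is harmless, otherwise `encode_entities($self->length)` costs nothing. The tag text inside the `q!!` literals was stripped from this page, so the exact markup cannot be checked here. `sub widget` starts before the hunk and continues past it.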
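Review bot: Removing `use CGI qw(escapeHTML);` leaves this component with no visible import of any escaping function, yet the hunk at line 48 of the new file calls `encode_entities` twice; unless the Mason handler preloads HTML::Entities into every component namespace (possible, but not visible here), the first request that enters that loop dies with an undefined-subroutine error rather than rendering unescaped. If the handler does not provide it, put `use HTML::Entities qw(encode_entities);` in `<%init>` where the removed line stood. The `<%init>` block continues past the hunk.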
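Review bot: `push @fields, encode_entities($_->{'name'});` appears to encode a lookup key rather than output: by analogy with `'routernum'` in `@links` and the parallel `@header_fields`/`@links` arrays, `@fields` presumably holds accessor names that the browse element calls on each record — this is inferred, not visible in the hunk. If that is right, encoding is a no-op for ordinary identifiers but would turn a name containing `&`, `<` or `"` into an accessor that does not exist, while doing nothing for wherever the name is later rendered; pushing `$_->{'name'}` unchanged and escaping at the output site, as is done for the label via `@header_fields`, keeps the two concerns apart. The `foreach` body closes inside the hunk; the enclosing `<%init>` does not.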
--- a/httemplate/edit/elements/part_svc_column.html
+++ b/httemplate/edit/elements/part_svc_column.html
@@ -98,7 +98,7 @@ that field.
+ VALUE="<% $part_svc_column->columnlabel || $def->{'label'} |h %>">