From: Ivan Kohler <ivan@freeside.biz>
Date: Mon, 25 Apr 2016 18:02:36 +0000 (-0700)
Subject: xss
X-Git-Url: http://git.freeside.biz/gitweb/?p=freeside.git;a=commitdiff_plain;h=c72a0848224b544426eddec7c63186a5de04280e

xss
---

diff --git a/httemplate/view/cust_main.cgi b/httemplate/view/cust_main.cgi
index 3cd7d2bb3..fac126f92 100755
--- a/httemplate/view/cust_main.cgi
+++ b/httemplate/view/cust_main.cgi
@@ -225,16 +225,19 @@ my $cust_main = qsearchs( {
 });
 die "Customer not found!" unless $cust_main;
 
-my $title = mt("Customer").' #'. $cust_main->display_custnum. ': '.
-            encode_entities($cust_main->name);
+my $title = mt("Customer").' #'. $cust_main->display_custnum. ': ';
+my $title_noescape = $title. encode_entities($cust_main->name);
+$title .= $cust_main->name;
 
 if ( $curuser->num_agents ) {
-  $title = encode_entities($cust_main->agent->agent). " $title";
+  $title_noescape =
+    encode_entities($cust_main->agent->agent). " $title_noescape";
+  $title = $cust_main->agent->agent. " $title";
 }
 
 my $status = $cust_main->status_label;
 $status .= ' (Cancelled)' if $cust_main->is_status_delay_cancel;
-my $title_noescape = $title. ' (<B><FONT COLOR="#'. $cust_main->statuscolor. '">'. $status.  '</FONT></B>)';
+$title_noescape .= ' (<B><FONT COLOR="#'. $cust_main->statuscolor. '">'. $status.  '</FONT></B>)';
 $title .= " ($status)";
 
 #false laziness w/pref/pref.html and Conf.pm (cust_main-default_view)