From 3b236eac5f7926f18623f6b9dc7c6f0d350ab61c Mon Sep 17 00:00:00 2001
From: Mitch Jackson <mitch@freeside.biz>
Date: Sun, 26 Aug 2018 17:07:46 -0400
Subject: [PATCH] RT# 80869 Harden process payment screen against Edge browser
 bug

---
 httemplate/elements/city.html              |  4 ++--
 httemplate/elements/select-country.html    | 10 ++++------
 httemplate/elements/select-month_year.html |  5 ++---
 httemplate/elements/select-state.html      |  7 ++-----
 httemplate/elements/select-table.html      |  8 ++++----
 httemplate/misc/payment.cgi                |  8 +++-----
 httemplate/misc/process/payment.cgi        |  4 ++--
 7 files changed, 19 insertions(+), 27 deletions(-)

diff --git a/httemplate/elements/city.html b/httemplate/elements/city.html
index 4e9a60940..05250fef5 100644
--- a/httemplate/elements/city.html
+++ b/httemplate/elements/city.html
@@ -132,14 +132,14 @@ function <% $pre %>county_changed(what, callback) {}
     >
 
 %   unless ( $opt{'disable_empty'} ) {
-      <OPTION VALUE="" <% $opt{city} eq '' ? 'SELECTED' : '' %>><% $opt{empty_label} %>
+      <OPTION VALUE="" <% $opt{city} eq '' ? 'SELECTED' : '' %>><% $opt{empty_label} %></OPTION>
 %   }
 
 %   foreach my $city ( @cities ) {
 
       <OPTION VALUE="<% $city |h %>"
               <% $city eq $opt{city} ? 'SELECTED' : '' %>
-      ><% $city eq $opt{empty_data_value} ? $opt{empty_data_label} : $city %>
+      ><% $city eq $opt{empty_data_value} ? $opt{empty_data_label} : $city %></OPTION>
 
 %   }
 
diff --git a/httemplate/elements/select-country.html b/httemplate/elements/select-country.html
index c98147907..286826752 100644
--- a/httemplate/elements/select-country.html
+++ b/httemplate/elements/select-country.html
@@ -91,15 +91,13 @@ Example:
 >
 
 % unless ( $opt{'disable_empty'} ) {
-    <OPTION VALUE=""><% $opt{'empty_label'} || '(all)' %>
+    <OPTION VALUE=""><% $opt{'empty_label'} || '(all)' %></OPTION>
 % }
 
 % foreach my $country ( @all_countries ) {
-
-  <OPTION VALUE="<% $country |h %>"
-          <% $country eq $opt{'country'} ? ' SELECTED' : '' %>
-  ><% FS::geocode_Mixin->code2country($country). " ($country)" %>
-
+  <OPTION VALUE="<% $country |h %>"<% $country eq $opt{'country'} ? ' SELECTED' : '' %>>
+    <% FS::geocode_Mixin->code2country($country). " ($country)" |h %>
+  </OPTION>
 % } 
 
 </SELECT>
diff --git a/httemplate/elements/select-month_year.html b/httemplate/elements/select-month_year.html
index ad84b915d..9091bae5d 100644
--- a/httemplate/elements/select-month_year.html
+++ b/httemplate/elements/select-month_year.html
@@ -3,16 +3,15 @@
 <% $empty ? '<OPTION VALUE="">' : '' %>
 % foreach ( 1 .. 12 ) { 
 
-   <OPTION<% $_ == $mon ? ' SELECTED' : '' %> VALUE="<% $_ %>"><% $mon[$_-1] %>
+   <OPTION<% $_ == $mon ? ' SELECTED' : '' %> VALUE="<% sprintf('%02d', $_) %>"><% $mon[$_-1] %></OPTION>
 % } 
 
-
 </SELECT>/<SELECT NAME="<% $prefix %>_year" SIZE="1" <% $disabled%>>
 
 <% $empty ? '<OPTION VALUE="">' : '' %>
 % for ( $start_year .. $end_year ) { 
 
-   <OPTION<% $_ == $year ? ' SELECTED' : '' %> VALUE="<% $_ %>"><% $_ %>
+   <OPTION<% $_ == $year ? ' SELECTED' : '' %> VALUE="<% $_ %>"><% $_ %></OPTION>
 % } 
 
 </SELECT>
diff --git a/httemplate/elements/select-state.html b/httemplate/elements/select-state.html
index 115a98d98..7606e2527 100644
--- a/httemplate/elements/select-state.html
+++ b/httemplate/elements/select-state.html
@@ -27,16 +27,13 @@ Example:
 >
 
 % unless ( $opt{'disable_empty'} ) {
-  <OPTION VALUE=""<% $opt{state} eq '' ? ' SELECTED' : '' %>><% $opt{empty_label} %>
+  <OPTION VALUE=""<% $opt{state} eq '' ? ' SELECTED' : '' %>><% $opt{empty_label} %></OPTION>
 % }
 
 % foreach my $state ( keys %states ) { 
-
-  <OPTION VALUE="<% $state |h %>"<% $state eq $opt{'state'} ? ' SELECTED' : '' %>><% $states{$state} || '(n/a)' |h %>
-
+  <OPTION VALUE="<% $state |h %>"<% $state eq $opt{'state'} ? ' SELECTED' : '' %>><% $states{$state} || '(n/a)' |h %></OPTION>
 % } 
 
-
 </SELECT>
 
 <%init>
diff --git a/httemplate/elements/select-table.html b/httemplate/elements/select-table.html
index 3f6c8805d..4ac0887fd 100644
--- a/httemplate/elements/select-table.html
+++ b/httemplate/elements/select-table.html
@@ -83,11 +83,11 @@ Example:
 %                   || ( $value eq $pre_opt );
     <OPTION VALUE="<% $pre_opt %>"
             <% $selected ? 'SELECTED' : '' %>
-    ><% $pre_label %>
+    ><% $pre_label %></OPTION>
 % } 
 
 % unless ( $opt{'multiple'} || $opt{'disable_empty'} ) {
-    <OPTION VALUE=""><% $opt{'empty_label'} || 'all' %>
+    <OPTION VALUE=""><% $opt{'empty_label'} || 'all' %></OPTION>
 % }
 
 % # XXX fix this eventually, when we have time to test it
@@ -117,7 +117,7 @@ Example:
           ? &{ $opt{'label_callback'} }( $record )
           : $record->$name_col()
         |h
-     %>
+     %></OPTION>
 % } 
 
 % while ( @post_options ) { 
@@ -127,7 +127,7 @@ Example:
 %                  || ( $value eq $post_opt );
     <OPTION VALUE="<% $post_opt %>"
             <% $selected ? 'SELECTED' : '' %>
-    ><% $post_label %>
+    ><% $post_label %></OPTION>
 % } 
 
 </SELECT>
diff --git a/httemplate/misc/payment.cgi b/httemplate/misc/payment.cgi
index 44904fba6..9e530cf0a 100644
--- a/httemplate/misc/payment.cgi
+++ b/httemplate/misc/payment.cgi
@@ -59,9 +59,8 @@
             <TH><% mt('Exp.') |h %></TH>
             <TD>
               <SELECT NAME="month">
-% for ( ( map "0$_", 1 .. 9 ), 10 .. 12 ) { 
-
-                  <OPTION<% $_ == $month ? ' SELECTED' : '' %>><% $_ %>
+% for ( map{ sprintf('%02d',$_) } (1..12) ) {
+                  <OPTION VALUE="<% $_ %>"<% $_ == $month ? ' SELECTED' : '' %>><% $_ %></OPTION>
 % } 
 
               </SELECT>
@@ -70,8 +69,7 @@
             <TD>
               <SELECT NAME="year">
 % my @a = localtime; for ( $a[5]+1900 .. $a[5]+1915 ) { 
-
-                  <OPTION<% $_ == $year ? ' SELECTED' : '' %>><% $_ %>
+                  <OPTION VALUE="<% $_ %>"<% $_ == $year ? ' SELECTED' : '' %>><% $_ %></OPTION>
 % } 
 
               </SELECT>
diff --git a/httemplate/misc/process/payment.cgi b/httemplate/misc/process/payment.cgi
index 9458217c1..5f945a71a 100644
--- a/httemplate/misc/process/payment.cgi
+++ b/httemplate/misc/process/payment.cgi
@@ -42,11 +42,11 @@ if ( $cgi->param('fee') =~ /^\s*(\d*(\.\d\d)?)\s*$/ ) {
   $amount = sprintf('%.2f', $amount + $fee);
 }
 
-$cgi->param('year') =~ /^(\d+)$/
+$cgi->param('year') =~ /^(\d{4})/
   or errorpage("illegal year ". $cgi->param('year'));
 my $year = $1;
 
-$cgi->param('month') =~ /^(\d+)$/
+$cgi->param('month') =~ /^(\d{2})/
   or errorpage("illegal month ". $cgi->param('month'));
 my $month = $1;
 
-- 
2.11.0