From b3cc8eb7ebeda6877548ba0640f754cf36e099b4 Mon Sep 17 00:00:00 2001
From: Mitch Jackson
Date: Sat, 27 Oct 2018 12:05:19 -0400
Subject: [PATCH] RT# 79353 Fix XSS
---
 httemplate/search/cust_bill_pkg_discount.html | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/httemplate/search/cust_bill_pkg_discount.html b/httemplate/search/cust_bill_pkg_discount.html
index eb39dea8f..04cc828ad 100644
--- a/httemplate/search/cust_bill_pkg_discount.html
+++ b/httemplate/search/cust_bill_pkg_discount.html
@@ -39,8 +39,8 @@ Parameters:
 # Standard discount, not a waived setup fee
 my $discount = qsearchs('discount',{
 discountnum => $_[0]->discountnum
- });
- return $discount->description;
+ }) || return 'Bad discountnum '.$_[0]->pkgdiscountnum;
+ return encode_entities $discount->description;
 } else {
 return 'Waive setup fee';
 }
@@ -53,7 +53,7 @@ Parameters:
 my $discount = qsearchs('discount',{
 discountnum => $_[0]->discountnum
 });
- return $discount->classname;
+ return encode_entities $discount->classname;
 } else {
 return 'n/a';
 }
-- 
2.11.0
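Review bot: In the `@@ -39,8 +39,8 @@` hunk, the new fallback string is labelled "Bad discountnum" but prints `$_[0]->pkgdiscountnum`, while the lookup that failed was keyed on `$_[0]->discountnum`. Anyone triaging that message will search the discount table for the wrong number. If the intent is to report the failed key, use `}) || return 'Bad discountnum '.encode_entities($_[0]->discountnum);`. If the row id is wanted instead, relabel it as `'Bad discount for pkgdiscountnum '`. Either way, passing the value through `encode_entities` keeps every return path of this callback escaped, which is the point of the commit. The enclosing sub starts and ends outside the hunk, so the surrounding column definition is not visible here.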
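Review bot: In the `@@ -53,7 +53,7 @@` hunk, `$discount->classname` is still called without checking that `qsearchs` returned a record. The first hunk adds that guard for the same lookup, so a dangling `discountnum` can presumably still abort the report from this column with a method call on an undefined value. Mirror the guard here, for example `}) || return 'n/a';`, or use the same "Bad discountnum" message as the description column. As a style point, `encode_entities($discount->classname)` with explicit parentheses is preferable to the bare list-operator form, which depends on the sub being predeclared in the template's scope. The enclosing sub extends beyond the hunk.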