From f6ad19602096411e6248750d840f0a6e2e0ee036 Mon Sep 17 00:00:00 2001
From: mark
Date: Thu, 25 Mar 2010 01:37:19 +0000
Subject: [PATCH] RT#6226: security fix for customer notes
---
 FS/FS/Mason.pm | 10 +++++++++-
 httemplate/view/cust_main/notes.html | 4 +++-
 2 files changed, 12 insertions(+), 2 deletions(-)
diff --git a/FS/FS/Mason.pm b/FS/FS/Mason.pm
index be16bbb27..4c8c808cd 100644
--- a/FS/FS/Mason.pm
+++ b/FS/FS/Mason.pm
@@ -70,6 +70,7 @@ if ( -e $addl_handler_use_file ) {
 use HTML::Entities;
 use HTML::TreeBuilder;
 use HTML::FormatText;
+ use HTML::Defang;
 use JSON;
 use MIME::Base64;
 use IO::Handle;
@@ -408,6 +409,8 @@ I should be set to a scalar reference in standalone mode.
 =cut
+my %defang_opts = ( attribs_to_callback => ['src'], attribs_callback => sub { 1 });
+
 sub mason_interps {
 my $mode = shift || 'apache';
 my %opt = @_;
@@ -451,6 +454,8 @@ sub mason_interps {
 $interp{out_method} = $opt{outbuf} if $mode eq 'standalone' && $opt{outbuf};
+ my $html_defang = new HTML::Defang (%defang_opts);
+
 my $fs_interp = new HTML::Mason::Interp (
 %interp,
 escape_flags => { 'js_string' => sub {
@@ -458,7 +463,10 @@ sub mason_interps {
 ${$_[0]} =~ s/(['\\])/\\$1/g;
 ${$_[0]} =~ s/\n/\\n/g;
 ${$_[0]} = "'". ${$_[0]}. "'";
- }
+ },
+ 'defang' => sub {
+ ${$_[0]} = $html_defang->defang(${$_[0]});
+ },
 },
 compiler => HTML::Mason::Compiler::ToObject->new(
 allow_globals => [qw(%session)],
diff --git a/httemplate/view/cust_main/notes.html b/httemplate/view/cust_main/notes.html
index a6378f46a..a39610ac5 100755
--- a/httemplate/view/cust_main/notes.html
+++ b/httemplate/view/cust_main/notes.html
@@ -53,7 +53,7 @@
  <% $note->otaker%>
-  <%$note->comments%>
+  <% $note->comments | defang %>
 % if($edit) {
 <% $edit %>
@@ -67,6 +67,8 @@
 % }
 <%init>
+use HTML::Defang;
+
 my $conf = new FS::Conf;
 my $curuser = $FS::CurrentUser::CurrentUser;
-- 
2.11.0
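Review bot: `attribs_callback => sub { 1 }` in the new `%defang_opts` line states the policy for `src` attributes as a bare number, so a reader cannot tell what the sanitizer will do with them. If I read HTML::Defang's callback contract correctly, a return of 1 is `DEFANG_ALWAYS` (0 is `DEFANG_NONE`, 2 is `DEFANG_DEFAULT`), meaning every `src` attribute in a note is defanged, presumably so a stored note cannot make the browser fetch remote content. Make that intent visible at the definition by importing the constants HTML::Defang exports and writing `attribs_callback => sub { DEFANG_ALWAYS }`, with a comment above the hash such as `# Sanitizer policy for customer notes: always defang src attributes so a note cannot load remote resources.` Please confirm the constant names and numeric values against the HTML::Defang version actually installed before relying on them.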
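Review bot: The new `my $html_defang = new HTML::Defang (%defang_opts);` line uses indirect object syntax, which is the one form a Perl reviewer flags on sight; write it as `my $html_defang = HTML::Defang->new(%defang_opts);`. One object is built per `mason_interps` call and then captured by the `defang` escape closure in the next hunk, so it is shared by every request that interp serves for the life of the process; HTML::Defang presents its object as reusable, but that is worth confirming for the version in use, and constructing it inside the closure would be the conservative fallback if it is not. The remainder of `mason_interps` lies outside this hunk.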
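Review bot: The new `'defang'` escape flag carries no comment, and its name does not tell a template author that it differs in kind from `h` or `js_string`: as I understand HTML::Defang it sanitizes markup (tags are kept, unsafe constructs are neutralised according to `%defang_opts`) rather than escaping it, so it is only appropriate for fields that are meant to hold HTML and must not be used as a substitute for `h` on plain text. Add a line above `'defang' => sub {` such as `# 'defang' sanitizes stored HTML (e.g. customer notes) instead of escaping it; policy is in %defang_opts at file scope. Use 'h' for plain text.` The enclosing `new HTML::Mason::Interp (` call begins before this hunk.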
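Review bot: The `use HTML::Defang;` added to the `<%init>` block is not used by anything in this template: the `| defang` filter in the earlier hunk is applied through the escape flag registered in FS/FS/Mason.pm, and the HTML::Defang object that does the work is constructed there, so the component never calls the module directly. As written it reads as a stray dependency; drop the two added lines, or if the intent is to guarantee the module is loaded before the escape flag runs, say so with a comment such as `# loaded here only so the 'defang' escape flag provided by FS::Mason has the module available`. If it is kept, `<%once>` is the conventional place for a `use` in a Mason component. The `<%init>` block continues past the end of this hunk.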