clean attachment filenames, #13843

[freeside.git] / httemplate / view / cust_main / attachments.html

diff --git a/httemplate/view/cust_main/attachments.html b/httemplate/view/cust_main/attachments.html
index dbb29a7..718cf76 100755 (executable)
--- a/httemplate/view/cust_main/attachments.html
+++ b/httemplate/view/cust_main/attachments.html
@@ -82,15 +82,15 @@
     <TR>
       <% note_datestr($attach,$conf,$bgcolor) %>
       <TD CLASS="grid" BGCOLOR="<% $bgcolor %>">
-        &nbsp;<% $attach->otaker%>
+        &nbsp;<% $attach->usernum ? $attach->access_user->name : $attach->otaker %>
       </TD>
       <TD CLASS="grid" BGCOLOR="<% $bgcolor %>">
-       &nbsp;<% $attach->filename %>
+       &nbsp;<% $attach->filename |h %>
       </TD>
       <TD CLASS="grid" BGCOLOR="<% $bgcolor %>">
-       &nbsp;<% $attach->title %>
+       &nbsp;<% $attach->title |h %>
       <TD CLASS="grid" BGCOLOR="<% $bgcolor %>">
-       &nbsp;<% $attach->mime_type %>
+       &nbsp;<% $attach->mime_type |h %>
       </TD>
       <TD CLASS="grid" BGCOLOR="<% $bgcolor %>">
        &nbsp;<% size_units( $attach->size ) %>
@@ -109,7 +109,7 @@
 
 my $conf = new FS::Conf;
 my $curuser = $FS::CurrentUser::CurrentUser;
-
+die "access denied" if !$curuser->access_right('View attachments');
 my(%opt) = @_;
 
 my $custnum = $opt{'custnum'};