allow punctuation in tax name on tax report, #33255

diff --git a/FS/FS/Report/Tax.pm b/FS/FS/Report/Tax.pm
index f3f441d..23c1645 100644 (file)
--- a/FS/FS/Report/Tax.pm
+++ b/FS/FS/Report/Tax.pm
@@ -41,13 +41,9 @@ sub report_internal {
 
   my ($taxname, $country, %breakdown);
 
-  # purify taxname properly here, as we're going to include it in lots of 
-  # SQL statements using single quotes only
-  if ( $opt{taxname} =~ /^([\w\s]+)$/ ) {
-    $taxname = $1;
-  } else {
-    die "taxname required"; # UI prevents this
-  }
+  # taxname can contain arbitrary punctuation; escape it properly and 
+  # include $taxname unquoted elsewhere
+  $taxname = dbh->quote($opt{'taxname'});
 
   if ( $opt{country} =~ /^(\w\w)$/ ) {
     $country = $1;
@@ -103,7 +99,7 @@ sub report_internal {
      GROUP BY billpkgnum, taxnum";
 
   my $where = "WHERE cust_bill._date >= $beginning AND cust_bill._date <= $ending ".
-              "AND COALESCE(cust_main_county.taxname,'Tax') = '$taxname' ".
+              "AND COALESCE(cust_main_county.taxname,'Tax') = $taxname ".
               "AND cust_main_county.country = '$country'";
   # SELECT/GROUP clauses for first-level queries
   my $select = "SELECT ";
@@ -370,14 +366,14 @@ sub report_internal {
       SELECT 1 FROM cust_tax_exempt_pkg
         JOIN cust_main_county USING (taxnum)
         WHERE cust_tax_exempt_pkg.billpkgnum = cust_bill_pkg.billpkgnum
-          AND COALESCE(cust_main_county.taxname,'Tax') = '$taxname'
+          AND COALESCE(cust_main_county.taxname,'Tax') = $taxname
           AND cust_tax_exempt_pkg.creditbillpkgnum IS NULL
     )
     AND NOT EXISTS(
       SELECT 1 FROM cust_bill_pkg_tax_location
         JOIN cust_main_county USING (taxnum)
         WHERE cust_bill_pkg_tax_location.taxable_billpkgnum = cust_bill_pkg.billpkgnum
-          AND COALESCE(cust_main_county.taxname,'Tax') = '$taxname'
+          AND COALESCE(cust_main_county.taxname,'Tax') = $taxname
     )
   ";
   warn "\nOUTSIDE:\n$sql_outside\n" if $DEBUG;

diff --git a/httemplate/search/report_tax.cgi b/httemplate/search/report_tax.cgi
index 83f2fc5..491cd42 100644 (file)
--- a/httemplate/search/report_tax.cgi
+++ b/httemplate/search/report_tax.cgi
@@ -151,7 +151,7 @@ TD.rowhead { font-weight: bold; text-align: left; padding: 0px 3px }
         <% emt('Out of taxable region') %>
       </TD>
       <TD STYLE="text-align: right">
-        <A HREF="<% $saleslink %>;out=1;taxname=<% $params{taxname} %>">
+        <A HREF="<% $saleslink %>;out=1;taxname=<% encode_entities($params{'taxname'}) %>">
           <% $money_sprintf->( $report->{outside } ) %>
         </A>
       </TD>
@@ -188,8 +188,9 @@ if ( $cgi->param('agentnum') =~ /^(\d+)$/ ) {
   $agentname = $agent->agentname;
 }
 
-if ( $cgi->param('taxname') =~ /^([\w ]+)$/ ) {
-  $params{taxname} = $1;
+# allow anything in here; FS::Report::Tax will treat it as unsafe
+if ( length($cgi->param('taxname')) ) {
+  $params{taxname} = $cgi->param('taxname');
 } else {
   die "taxname required";
 }