RT# 74666 - fixed vulnerability by escaping quotation_description var

author Christopher Burger <burgerc@freeside.biz>

Fri, 30 Jun 2017 17:24:29 +0000 (13:24 -0400)

committer Christopher Burger <burgerc@freeside.biz>

Fri, 30 Jun 2017 21:54:12 +0000 (17:54 -0400)
author Christopher Burger <burgerc@freeside.biz>
Fri, 30 Jun 2017 17:24:29 +0000 (13:24 -0400)
committer Christopher Burger <burgerc@freeside.biz>
Fri, 30 Jun 2017 21:54:12 +0000 (17:54 -0400)
diff --git a/httemplate/view/quotation.html b/httemplate/view/quotation.html

index 4769934..0e3e8b3 100755 (executable)
--- a/httemplate/view/quotation.html
+++ b/httemplate/view/quotation.html
@@ -11,7 +11,7 @@ function areyousure(href, message) {
  % if ( $quotation->custnum ) {
    <h2>Quotation #<% $quotationnum %>
  %   if ($quotation->quotation_description) {
-      (<% $quotation->quotation_description %>)  
+      (<% $quotation->quotation_description |h %>)  
  %   } 
    </h2>
  % }
author	Christopher Burger <burgerc@freeside.biz>
	Fri, 30 Jun 2017 17:24:29 +0000 (13:24 -0400)
committer	Christopher Burger <burgerc@freeside.biz>
	Fri, 30 Jun 2017 21:54:12 +0000 (17:54 -0400)