From ae2a98aa6d846caf5a2d597b0ff7c916ace24a6e Mon Sep 17 00:00:00 2001
From: Ivan Kohler
Date: Sat, 11 Jul 2015 23:46:49 -0700
Subject: [PATCH] secure $cgi->param calls (and include to <& &>)

---
 httemplate/misc/email-customers.html | 18 ++++++++----------
 1 file changed, 8 insertions(+), 10 deletions(-)

diff --git a/httemplate/misc/email-customers.html b/httemplate/misc/email-customers.html
index 57f451fdc..09ff93cca 100644
--- a/httemplate/misc/email-customers.html
+++ b/httemplate/misc/email-customers.html
@@ -51,13 +51,12 @@ should be used to set msgnum or from/subject/html_body cgi params
 Sending notice
- <% include('/elements/progress-init.html',
+ <& /elements/progress-init.html,
 'OneTrueForm',
 [ qw( search table from subject html_body text_body msgnum ) ],
 $process_url,
 $pdest,
- )
- %>
+ &>
 % } elsif ( $cgi->param('action') eq 'preview' ) {
@@ -68,7 +67,7 @@ should be used to set msgnum or from/subject/html_body cgi params
 % if ( $cgi->param('action') ) {
-
+
 % if ( $msg_template ) {
 <% include('/elements/tr-fixed.html',
@@ -160,12 +159,11 @@ Template:
 'size' => 20,
 &>>
- <% include('/elements/tr-input-text.html',
+ <& /elements/tr-input-text.html,
 'field' => 'subject',
 'label' => 'Subject:',
 'size' => 50,
- )
- %>
+ &>
@@ -193,7 +191,7 @@ Template:
 % }
-<% include('/elements/footer.html') %>
+<& /elements/footer.html &>
 <%init>
@@ -222,7 +220,7 @@ $pdest->{'url'} = $cgi->param('url') if $url;
 my %search;
 if ( $cgi->param('search') ) {
- %search = %{ thaw(decode_base64($cgi->param('search'))) };
+ %search = %{ thaw(decode_base64( $cgi->param('search') )) };
 } else {
 %search = $cgi->Vars;
@@ -267,7 +265,7 @@ if ( $cgi->param('action') eq 'preview' ) {
 if ( $cgi->param('msgnum') ) {
 $msg_template = qsearchs('msg_template',
- { msgnum => $cgi->param('msgnum') } )
+ { msgnum => scalar($cgi->param('msgnum')) } )
 or die "template not found: ".$cgi->param('msgnum');
 $sql_query->{'extra_sql'} .= ' LIMIT 1';
 $sql_query->{'select'} = "$table.*";
--
2.11.0
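Review bot: The changed line in the `-222,7 +220,7` hunk still hands a client-supplied blob straight to `Storable::thaw` after only base64-decoding it; the added spacing changes nothing there, and `thaw` on untrusted input can instantiate arbitrary blessed classes whose deserialization hooks then run. Even if the `search` parameter is only ever produced by this application's own freeze step, it round-trips through the browser without any integrity check, so it should be authenticated before it is trusted — an HMAC under a server-side key verified before `thaw`, or the frozen search kept server-side and referenced by an opaque id. At minimum document the assumption on the line: `# 'search' is a frozen hash our own search page generated; it is NOT integrity-checked before thaw`. The `else` branch this `if` opens continues past the end of the hunk.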
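Review bot: Forcing scalar context on `msgnum` in the `-267,7 +265,7` hunk closes the multi-value injection into the `qsearchs` hash, but the value is still used unvalidated in the lookup and then echoed into the `die` message; a template number can only be digits, so constrain it once before both uses, e.g. `my ($msgnum) = $cgi->param('msgnum') =~ /\A(\d+)\z/ or die "invalid msgnum";` and refer to `$msgnum` in the query and the message. Whether `qsearchs` quotes its hash values safely cannot be seen from this hunk, so the whitelist is defence in depth rather than a known hole. The enclosing `if ( $cgi->param('msgnum') )` block ends outside the hunk.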