From da63c1a666c4a6ff2ca9ac8a53986f4497252909 Mon Sep 17 00:00:00 2001 From: Ivan Kohler Date: Sat, 11 Jul 2015 23:44:45 -0700 Subject: [PATCH] secure $cgi->param calls (and include to <& &>) --- httemplate/misc/email-customers.html | 33 ++++++++++++++------------------- 1 file changed, 14 insertions(+), 19 deletions(-) diff --git a/httemplate/misc/email-customers.html b/httemplate/misc/email-customers.html index 0c90b07e7..d2a39287e 100644 --- a/httemplate/misc/email-customers.html +++ b/httemplate/misc/email-customers.html @@ -50,13 +50,12 @@ should be used to set msgnum or from/subject/html_body cgi params Sending notice - <% include('/elements/progress-init.html', + <& /elements/progress-init.html, 'OneTrueForm', [ qw( search table from subject html_body text_body msgnum ) ], $process_url, $pdest, - ) - %> + &> % } elsif ( $cgi->param('action') eq 'preview' ) { @@ -67,29 +66,26 @@ should be used to set msgnum or from/subject/html_body cgi params % if ( $cgi->param('action') ) { - + % if ( $msg_template ) { - <% include('/elements/tr-fixed.html', + <& /elements/tr-fixed.html, 'label' => 'Template:', 'value' => $msg_template->msgname, - ) - %> + &> % } - <% include('/elements/tr-fixed.html', + <& /elements/tr-fixed.html, 'field' => 'from', 'label' => 'From:', 'value' => scalar( $from ), - ) - %> + &> - <% include('/elements/tr-fixed.html', + <& /elements/tr-fixed.html, 'field' => 'subject', 'label' => 'Subject:', 'value' => scalar( $subject ), - ) - %> + &> @@ -175,12 +171,11 @@ Template: 'size' => 20, &>> - <% include('/elements/tr-input-text.html', + <& /elements/tr-input-text.html, 'field' => 'subject', 'label' => 'Subject:', 'size' => 50, - ) - %> + &> @@ -208,7 +203,7 @@ Template: % } -<% include('/elements/footer.html') %> +<& /elements/footer.html &> <%init> 
@@ -237,7 +232,7 @@ $pdest->{'url'} = $cgi->param('url') if $url;
 my %search;
 if ( $cgi->param('search') ) {
- %search = %{ thaw(decode_base64($cgi->param('search'))) };
+ %search = %{ thaw(decode_base64( $cgi->param('search') )) };
 } else {
 %search = $cgi->Vars;
@@ -282,7 +277,7 @@ if ( $cgi->param('action') eq 'preview' ) {
 if ( $cgi->param('msgnum') ) {
 $msg_template = qsearchs('msg_template',
- { msgnum => $cgi->param('msgnum') } )
+ { msgnum => scalar($cgi->param('msgnum')) } )
 or die "template not found: ".$cgi->param('msgnum');
 $sql_query->{'extra_sql'} .= ' LIMIT 1';
 $sql_query->{'select'} = "$table.*";
-- 
2.11.0
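Review bot: The `search` request parameter is still passed straight through `decode_base64` into `Storable::thaw`, and the commit changes only whitespace on that line; Storable's own documentation warns that thaw is not safe on untrusted data, since a crafted frozen blob can crash the interpreter or, through blessed objects with thaw hooks, run code during deserialization. The list-context concern this commit targets appears not to arise here because decode_base64 takes a single scalar argument, but the deserialization itself is the larger exposure for anyone who can reach this page with a forged `search` value. I would either verify a keyed HMAC over the base64 blob before calling thaw, or keep the saved search server-side and pass only an opaque id in the request; until then a warning belongs on the line: `# NOTE(review): thaw() of request data is a deserialization sink - authenticate the blob (HMAC) before thawing`. The enclosing <%init> block and the `else` branch that copies `$cgi->Vars` continue outside the hunk.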
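Review bot: Wrapping `$cgi->param('msgnum')` in `scalar()` correctly closes the list-context injection into the qsearchs hashref, but the value is still handed to the query without being checked as an integer, and the `if ( $cgi->param('msgnum') )` guard only tests truthiness. Whether or not qsearchs binds the value as a placeholder (not visible here), an anchored numeric check keeps a non-numeric msgnum from reaching the database layer and gives a clearer error than "template not found": `my $msgnum = $cgi->param('msgnum');` / `$msgnum =~ /^(\d+)$/ or die "illegal msgnum: $msgnum";` / `$msg_template = qsearchs('msg_template', { msgnum => $1 } )`. The `or die` on the following line concatenates the parameter with `.`, which already forces scalar context, so it needs no change. The surrounding `if ( $cgi->param('action') eq 'preview' )` block begins and ends outside the hunk.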
 