From: <dai...@us...> - 2012-01-27 10:12:37
Revision: 4841 http://web-erp.svn.sourceforge.net/web-erp/?rev=4841&view=rev
Author: daintree
Date: 2012-01-27 10:12:31 +0000 (Fri, 27 Jan 2012)
Log Message:
-----------
fixed html display from StatusComments POST using htmlentities
Modified Paths:
--------------
trunk/GLJournal.php
trunk/PO_AuthoriseMyOrders.php
trunk/doc/Change.log
Modified: trunk/GLJournal.php
===================================================================
--- trunk/GLJournal.php 2012-01-25 23:23:13 UTC (rev 4840)
+++ trunk/GLJournal.php 2012-01-27 10:12:31 UTC (rev 4841)
@@ -318,9 +318,7 @@
 if (!isset($_POST['GLManualCode'])) {
 $_POST['GLManualCode']='';
 }
-echo '<td><input class="number" type="text" Name="GLManualCode" Maxlength="12" size="12" onChange="inArray(this.value, GLCode.options,'.
- "'".'The account code '."'".'+ this.value+ '."'".' doesnt exist'."'".')"' .
- ' value="'. $_POST['GLManualCode'] .'" /></td>';
+echo '<td><input class="number" type="text" name="GLManualCode" maxlength="12" size="12" onChange="inArray(this.value, GLCode.options,'. "'".'The account code '."'".'+ this.value+ '."'".' doesnt exist'."'".')" value="'. $_POST['GLManualCode'] .'" /></td>';
 $sql="SELECT accountcode, accountname
Modified: trunk/PO_AuthoriseMyOrders.php
===================================================================
--- trunk/PO_AuthoriseMyOrders.php 2012-01-25 23:23:13 UTC (rev 4840)
+++ trunk/PO_AuthoriseMyOrders.php 2012-01-27 10:12:31 UTC (rev 4841)
@@ -20,8 +20,7 @@
 if (mb_substr($key,0,6)=='status') {
 $OrderNo=mb_substr($key,6);
 $Status=$_POST['status'.$OrderNo];
- $Comment=date($_SESSION['DefaultDateFormat']).' - '._('Authorised by').' <a href="mailto:' . $EmailRow['email'].'">'.$_SESSION['UserID'].'</a>
- <br />' . $_POST['comment'];
+ $Comment=date($_SESSION['DefaultDateFormat']).' - '._('Authorised by').' <a href="mailto:' . $EmailRow['email'].'">'.$_SESSION['UserID'].'</a><br />' . $_POST['comment'];
 $sql="UPDATE purchorders SET status='".$Status."', stat_comment='".$Comment."', 
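Review bot: The new `echo` in GLJournal.php still writes `$_POST['GLManualCode']` into the `value` attribute unescaped, so quotes or markup submitted in that field land in the page as-is; this is the same class of problem the commit fixes in PO_AuthoriseMyOrders.php, but this line is left untreated. Escape it at the point of output the same way: `' value="'. htmlentities($_POST['GLManualCode'], ENT_QUOTES, 'UTF-8') .'" /></td>';`. The form-rendering code around this line continues outside the hunk.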
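Review bot: On the added `$Comment=` line in PO_AuthoriseMyOrders.php, `$_POST['comment']` is appended verbatim and, on the following context line, concatenated into `stat_comment='".$Comment."'` of the UPDATE statement; `$Status`, read two lines above from `$_POST['status'.$OrderNo]`, goes into `status='".$Status."'` the same way. Neither value is escaped for SQL or validated, so the `htmlentities()` added elsewhere in this commit only changes how the stored comment is later displayed, not how request input reaches the database. Pass both through the database layer's string escaping (webERP's `DB_escape_string()`) or a parameterised query, and reject the update when `$Status` is not one of the four values the order-list select offers (Pending, Authorised, Rejected, Cancelled). The loop that supplies `$key` starts and ends outside the hunk.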
@@ -88,14 +87,14 @@
 <td>'.ConvertSQLDate($myrow['orddate']).'</td>
 <td><a href="mailto:'.$myrow['email'].'">'.$myrow['realname'].'</td>
 <td>'.ConvertSQLDate($myrow['deliverydate']).'</td>
- <td><select name=status'.$myrow['orderno'].'>
+ <td><select name="status'.$myrow['orderno'].'">
 <option selected="selected" value="Pending">'._('Pending').'</option>
 <option value="Authorised">'._('Authorised').'</option>
 <option value="Rejected">'._('Rejected').'</option>
 <option value="Cancelled">'._('Cancelled').'</option>
 </select></td>
 </tr>';
- echo '<input type="hidden" name="comment" value="' . $myrow['stat_comment'] . '" />';
+ echo '<input type="hidden" name="comment" value="' . htmlentities($myrow['stat_comment'], ENT_QUOTES,'UTF-8') . '" />';
 $LineSQL="SELECT purchorderdetails.*, stockmaster.description, stockmaster.decimalplaces
@@ -131,10 +130,16 @@
 <td class="number">'.locale_number_format($LineRow['unitprice']*$LineRow['quantityord'],$myrow['currdecimalplaces']).'</td>
 </tr>';
 } // end while order line detail
- echo '</table></td></tr>';
+ echo '</table>
+ </td>
+ </tr>';
 }
 } //end while header loop
 echo '</table>';
-echo '<br /><div class="centre"><input type="submit" name="UpdateAll" value="' . _('Update'). '" /></form>';
+echo '<br />
+ <div class="centre">
+ <input type="submit" name="UpdateAll" value="' . _('Update'). '" />
+ </div>
+ </form>';
 include('includes/footer.inc');
 ?>
\ No newline at end of file
Modified: trunk/doc/Change.log
===================================================================
--- trunk/doc/Change.log 2012-01-25 23:23:13 UTC (rev 4840)
+++ trunk/doc/Change.log 2012-01-27 10:12:31 UTC (rev 4841) 
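Review bot: Only `$myrow['stat_comment']` receives `htmlentities()` in this hunk; `$myrow['email']` and `$myrow['realname']` on the second context line are still echoed raw into the `href` and the link text, so the same `htmlentities($myrow['email'], ENT_QUOTES, 'UTF-8')` treatment belongs on them for consistency. That `<a href="mailto:...">` is also never closed — `</a>` is missing before the `</td>`. Because the hidden `comment` input is emitted inside the per-order loop with a fixed name, it appears only the last row's value is submitted and is then appended to every order updated in one request; worth confirming against the POST handler at the top of the file. The Change.log entry describes the fix as `htmlentities($_POST['StatusComments'])`, but the value escaped here is `$myrow['stat_comment']` and the form field is named `comment`; the log line should name what was actually changed.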
@@ -1,5 +1,6 @@
 webERP Change Log
+27/1/12 Phil: PO_AuthoriseMyOrders.php fixed html in hidden $_POST['StatusComments'] by using htmlentities($_POST['StatusComments'])
 25/1/12 Vitaly: Added quotes and missing closing tags in multiple files
 24/1/12 Vitaly: Added quotes to attributes in multiple files and changed option selected to selected="selected".
 23/1/12 Vitaly: Added quotes to attributes in multiple files.
This was sent by the SourceForge.net collaborative development platform, the world's largest Open Source development site. |