Keine direkt vom Browser stammenden Strings bei open() verwenden.

[kivitendo-erp.git] / bin / mozilla / common.pl

diff --git a/bin/mozilla/common.pl b/bin/mozilla/common.pl
index ff5cc75..f4a07f6 100644 (file)
--- a/bin/mozilla/common.pl
+++ b/bin/mozilla/common.pl
@@ -47,7 +47,7 @@ sub build_std_url {
 
   my $url = "$form->{script}?";
   my $first = 1;
-  foreach my $key ((qw(login password path), @_)) {
+  foreach my $key ((qw(login password), @_)) {
     next unless ($key);
     $url .= "&" unless ($first);
     $first = 0;
@@ -97,7 +97,7 @@ sub select_employee_internal {
 
   restore_form($form->{"old_form"});
 
-  &{ $callback_sub }($new_id, $new_name);
+  call_sub($callback_sub, $new_id, $new_name);
 
   $lxdebug->leave_sub();
 }
@@ -167,7 +167,7 @@ sub select_part_internal {
 
   restore_form($form->{"old_form"});
 
-  &{ $callback_sub }($new_item);
+  call_sub($callback_sub, $new_item);
 
   $lxdebug->leave_sub();
 }
@@ -543,4 +543,24 @@ sub show_history {
        $lxdebug->leave_sub();  
 }
 
+sub call_sub {
+  $lxdebug->enter_sub();
+
+  my $name = shift;
+
+  if (!$name) {
+    $form->error($locale->text("Trying to call a sub without a name"));
+  }
+
+  $name =~ s/[^a-zA-Z0-9_]//g;
+
+  if (!defined(&{ $name })) {
+    $form->error(sprintf($locale->text("Attempt to call an undefined sub named '%s'"), $name));
+  }
+
+  &{ $name }(@_);
+
+  $lxdebug->leave_sub();
+}
+
 1;