SQL-Injection vermeiden. Fix für Revisionen 2936, 2937.
[kivitendo-erp.git] / SL / Form.pm
index a926b3cdd9c63433bc768afb1eeba4322e8210fb..f43578bb623e43a5c15fb7e5deef0c0a8529215d 100644 (file)
@@ -39,7 +39,6 @@ package Form;
 use Data::Dumper;
 
 use Cwd;
-use HTML::Template;
 use Template;
 use SL::Template;
 use CGI::Ajax;
@@ -556,42 +555,12 @@ sub parse_html_template {
 
   $file = $self->_prepare_html_template($file, $additional_params);
 
-  my $template = HTML::Template->new("filename" => $file,
-                                     "die_on_bad_params" => 0,
-                                     "strict" => 0,
-                                     "case_sensitive" => 1,
-                                     "loop_context_vars" => 1,
-                                     "global_vars" => 1);
-
-  foreach my $key ($template->param()) {
-    my $param = $additional_params->{$key} || $self->{$key};
-    $param = [] if (($template->query("name" => $key) eq "LOOP") && (ref($param) ne "ARRAY"));
-    $template->param($key => $param);
-  }
-
-  my $output = $template->output();
-
-  $output = $main::locale->{iconv}->convert($output) if ($main::locale);
-
-  $main::lxdebug->leave_sub();
-
-  return $output;
-}
-
-sub parse_html_template2 {
-  $main::lxdebug->enter_sub();
-
-  my ($self, $file, $additional_params) = @_;
-
-  $additional_params ||= { };
-
-  $file = $self->_prepare_html_template($file, $additional_params);
-
-  my $template = Template->new({ 'INTERPOLATE' => 0,
-                                 'EVAL_PERL'   => 0,
-                                 'ABSOLUTE'    => 1,
-                                 'CACHE_SIZE'  => 0,
-                                 'PLUGIN_BASE' => 'SL::Template::Plugin',
+  my $template = Template->new({ 'INTERPOLATE'  => 0,
+                                 'EVAL_PERL'    => 0,
+                                 'ABSOLUTE'     => 1,
+                                 'CACHE_SIZE'   => 0,
+                                 'PLUGIN_BASE'  => 'SL::Template::Plugin',
+                                 'INCLUDE_PATH' => '.:templates/webpages',
                                }) || die;
 
   map { $additional_params->{$_} ||= $self->{$_} } keys %{ $self };
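Review bot: The new `'INCLUDE_PATH' => '.:templates/webpages'` entry puts the process's working directory on the template search path, and `'ABSOLUTE' => 1` is still set, so the path list does not confine which files can be loaded as templates. If the `.` entry is not needed, `'INCLUDE_PATH' => 'templates/webpages',` would be the narrower setting; it is also worth confirming that the `$file` returned by `_prepare_html_template` (defined outside this hunk) never carries request-derived path components. Separately, the bare `}) || die;` discards the reason for a failed constructor; `}) || die Template->error();` would report it. The body of `parse_html_template` starts before and continues after this hunk.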
@@ -611,9 +580,10 @@ sub parse_html_template2 {
 sub show_generic_error {
   my ($self, $error, $title, $action) = @_;
 
-  my $add_params = {};
-  $add_params->{"title"} = $title if ($title);
-  $self->{"label_error"} = $error;
+  my $add_params = {
+    'title_error' => $title,
+    'label_error' => $error,
+  };
 
   my @vars;
   if ($action) {
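Review bot: `'label_error' => $error` and `'title_error' => $title` are now handed straight to the template, and nothing in this hunk encodes them; Template Toolkit does not HTML-escape values on its own. Error text often echoes request input or database messages, so the `generic/error` template (not visible here) should emit these through the `html` filter, e.g. `[% label_error | html %]`; the same holds for `label_information` and `title_information` in the next hunk. `title_error` is now also set when `$title` is undefined, unlike the removed `if ($title)` guard, which deserves a short comment such as `# title_error may be undef; the template must cope`. `show_generic_error` continues past the end of this hunk.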
@@ -626,21 +596,26 @@ sub show_generic_error {
   }
   $add_params->{"VARIABLES"} = \@vars;
 
+  $self->{title} = $title if ($title);
+
   $self->header();
-  print($self->parse_html_template("generic/error", $add_params));
+  print $self->parse_html_template("generic/error", $add_params);
 
   die("Error: $error\n");
 }
 
 sub show_generic_information {
-  my ($self, $error, $title) = @_;
+  my ($self, $text, $title) = @_;
+
+  my $add_params = {
+    'title_information' => $title,
+    'label_information' => $text,
+  };
 
-  my $add_params = {};
-  $add_params->{"title"} = $title if ($title);
-  $self->{"label_information"} = $error;
+  $self->{title} = $title if ($title);
 
   $self->header();
-  print($self->parse_html_template("generic/information", $add_params));
+  print $self->parse_html_template("generic/information", $add_params);
 
   die("Information: $error\n");
 }
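Review bot: `show_generic_information` renames its second parameter to `$text`, but the unchanged last statement still reads `die("Information: $error\n");`, so `$error` is no longer declared in this sub. Under `use strict` that fails at compile time, and without it the message is emitted with an empty body. The line should become `die("Information: $text\n");`.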