From 975dd6a835518c108373765ce1d717dcf24ab096 Mon Sep 17 00:00:00 2001
From: Ricardo Wurmus
Date: Thu, 23 Jun 2022 11:05:26 +0200
Subject: [PATCH] weborder: Read prices from catalogue, not from the HTTP request.

* cgi-bin/weborder.pl: Parse order/catalogue.xml to look up prices for item id.
* order/order.xsl: Do not generate hidden form input for price.
---
 cgi-bin/weborder.pl | 18 +++++++++++-------
 order/order.xsl     | 15 ---------------
 2 files changed, 11 insertions(+), 22 deletions(-)

diff --git a/cgi-bin/weborder.pl b/cgi-bin/weborder.pl
index 7e85ced1b7..ea720f508b 100755
--- a/cgi-bin/weborder.pl
+++ b/cgi-bin/weborder.pl
@@ -23,6 +23,7 @@ use Encode qw(decode encode);
 use POSIX qw(strftime);
 use Digest::SHA qw(sha1_hex);
 use MIME::Lite;
+use XML::LibXML;
 use utf8;
 
 # -----------------------------------------------------------------------------
@@ -56,7 +57,7 @@ if ($country_code eq 'DE') {
     $shipping = 8;
 }
 
-# Remove all parameters except for items and prices.
+# Remove all parameters except for items.
 $query->delete("url", "name", "address", "zip", "city", "country", "email", "phone", "language");
 my $lang = substr $language, 0, 2;
@@ -83,13 +84,16 @@ if (!$email) {
     exit;
 }
 
+my $catalogue_file = $ENV{"DOCUMENT_ROOT"} . "/order/catalogue.xml";
+my $catalogue = XML::LibXML->load_xml(location => $catalogue_file);
+
 my $count = 0;
 my $amount = 0;
 foreach $item ($query->param) {
     $value = $query->param($item);
-    if (not $item =~ /^_/ and $value) {
-        my $price = $query->param("_$item");
+    if ($value) {
+        my $price = $catalogue->findvalue("/catalogue/item[\@id=\"$item\"]/\@price");
         $count += 1;
         $amount += $value * $price;
     }
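Review bot: The request parameter name `$item` is interpolated unescaped into the XPath expression of the new `findvalue` call in the `@@ -83,13 +84,16 @@` hunk, so a parameter name containing a quote or bracket changes the query instead of simply failing to match; the same lookup reappears in the `@@ -131,8 +135,8 @@` and `@@ -165,8 +169,8 @@` hunks. An id that is not in the catalogue also yields an empty string, which `$value * $price` treats as a zero price while the item still lands in the order mail and the ODT fill list, and the dropped `^_` filter no longer keeps stray parameters out of the loops. Building a `%price_of` hash from the catalogue once, right after it is loaded, and skipping parameters that are not keys of it keeps request data out of XPath and rejects unknown items consistently; the two later hunks would then use `next unless $value and exists $price_of{$item};` and `my $price = $price_of{$item};` in place of their `if ($value)` guard and `findvalue` call. Whether an unknown id should abort the order rather than be skipped is a policy choice the commit message does not settle; the enclosing `foreach` closes outside the hunk.
```perl
my $catalogue = XML::LibXML->load_xml(location => $catalogue_file);
# Price lookup keyed by catalogue item id, built once so none of the
# per-item loops has to interpolate request data into an XPath expression.
my %price_of;
foreach my $node ($catalogue->findnodes('/catalogue/item')) {
    $price_of{ $node->getAttribute('id') } = $node->getAttribute('price');
}
# … unchanged: $count / $amount initialisation …
foreach $item ($query->param) {
    $value = $query->param($item);
    # Unknown ids are skipped instead of being priced as an empty string.
    next unless $value and exists $price_of{$item};
    my $price = $price_of{$item};
    # … unchanged: $count / $amount accumulation …
```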
@@ -131,8 +135,8 @@ my $body = "$name\n$address\n$zip $city\n$country_name\nPhone: $phone\n\n";
 
 foreach $item ($query->param) {
     $value = $query->param($item);
-    if (not $item =~ /^_/ and $value) {
-        my $price = $query->param("_$item");
+    if ($value) {
+        my $price = $catalogue->findvalue("/catalogue/item[\@id=\"$item\"]/\@price");
         $body .= sprintf "%-30s %3u x %5.2f = %6.2f\n", $item, $value, $price, $value * $price;
     }
 }
@@ -165,8 +169,8 @@ push @odtfill, "ZipCity=" . $zip . " " . $city;
 push @odtfill, "Country=" . $country_name;
 foreach $item ($query->param) {
     $value = $query->param($item);
-    if (not $item =~ /^_/ and $value) {
-        my $price = $query->param("_$item");
+    if ($value) {
+        my $price = $catalogue->findvalue("/catalogue/item[\@id=\"$item\"]/\@price");
         push @odtfill, "Count=" . $value;
         push @odtfill, "Item=" . $item;
         push @odtfill, "Amount=" . sprintf "%.2f", $value * $price;
diff --git a/order/order.xsl b/order/order.xsl
index 437a200b74..9301f0f70c 100644
--- a/order/order.xsl
+++ b/order/order.xsl
@@ -127,21 +127,6 @@
- - - - hidden - - _ - - _ - - - - - - -