From a7742614df5c5e4ccd056d25ab01134c19ff2826 Mon Sep 17 00:00:00 2001
From: Mike Koch <mkoch227@gmail.com>
Date: Mon, 20 Nov 2017 22:16:46 -0500
Subject: [PATCH] Update pages for HESK 2.7.4

---
 admin/admin_reply_ticket.php                  | 13 ++++++-
 admin/admin_settings_save.php                 |  1 +
 admin/admin_ticket.php                        |  3 +-
 admin/assign_owner.php                        |  3 +-
 admin/export.php                              |  2 +-
 admin/find_tickets.php                        | 13 ++++---
 admin/index.php                               |  4 +-
 admin/manage_email_templates.php              |  2 +
 admin/manage_knowledgebase.php                |  8 +++-
 admin/move_category.php                       |  6 +--
 admin/new_ticket.php                          |  4 +-
 admin/profile.php                             |  2 +-
 admin/reports.php                             |  2 +-
 api/BusinessLogic/Emails/BasicEmailSender.php |  4 ++
 .../Emails/EmailTemplateParser.php            | 16 ++++++++
 api/Core/database.inc.php                     |  2 +-
 api/Core/database_mysqli.inc.php              |  2 +-
 cron/core/database.inc.php                    |  2 +-
 cron/core/database_mysqli.inc.php             |  2 +-
 inc/admin_functions.inc.php                   |  6 +--
 inc/common.inc.php                            | 38 ++++++++++++++++++-
 inc/email_functions.inc.php                   | 36 +++++++++++++++---
 inc/pipe_functions.inc.php                    |  2 +-
 inc/posting_functions.inc.php                 |  5 ++-
 index.php                                     |  4 +-
 install/install_functions.inc.php             |  2 +-
 internal-api/core/database.inc.php            |  2 +-
 internal-api/core/database_mysqli.inc.php     |  2 +-
 knowledgebase.php                             |  4 +-
 .../en/emails/html/new_reply_by_customer.txt  |  2 +-
 .../en/emails/html/new_reply_by_staff.txt     |  5 ++-
 language/en/emails/html/ticket_closed.txt     |  2 +-
 language/en/emails/ticket_closed.txt          |  3 +-
 language/en/text.php                          |  3 +-
 reply_ticket.php                              |  3 +-
 submit_ticket.php                             |  2 +-
 ticket.php                                    |  4 +-
 37 files changed, 161 insertions(+), 55 deletions(-)

diff --git a/admin/admin_reply_ticket.php b/admin/admin_reply_ticket.php
index 29a0d5c8..834ceb6c 100644
--- a/admin/admin_reply_ticket.php
+++ b/admin/admin_reply_ticket.php
@@ -294,6 +294,15 @@ $sql .= $submit_as_customer ? "`lastreplier`='0', `replierid`='0' " : "`lastrepl
 if ($time_worked == '00:00:00') {
     $sql .= ", `lastchange` = NOW() ";
 } else {
+    $parts = explode(':', $ticket['time_worked']);
+    $seconds = ($parts[0] * 3600) + ($parts[1] * 60) + $parts[2];
+
+    $parts = explode(':', $time_worked);
+    $seconds += ($parts[0] * 3600) + ($parts[1] * 60) + $parts[2];
+
+    require(HESK_PATH . 'inc/reporting_functions.inc.php');
+    $ticket['time_worked'] = hesk_SecondsToHHMMSS($seconds);
+
     $sql .= ",`time_worked` = ADDTIME(`time_worked`,'" . hesk_dbEscape($time_worked) . "') ";
 }
 
@@ -363,7 +372,9 @@ $info = array(
     'dt' => hesk_date($ticket['dt'], true),
     'lastchange' => hesk_date($ticket['lastchange'], true),
     'id' => $ticket['id'],
-    'language' => $ticket['language']
+    'language' => $ticket['language'],
+    'time_worked'   => $ticket['time_worked'],
+    'last_reply_by'	=> ($submit_as_customer ? $ticket['name'] : $_SESSION['name']),
 );
 
 // 2. Add custom fields to the array
diff --git a/admin/admin_settings_save.php b/admin/admin_settings_save.php
index 7113cd6f..ee1d8181 100644
--- a/admin/admin_settings_save.php
+++ b/admin/admin_settings_save.php
@@ -62,6 +62,7 @@ $set['noreply_mail'] = hesk_validateEmail(hesk_POST('s_noreply_mail'), $hesklang
 $set['noreply_name'] = hesk_input(hesk_POST('s_noreply_name'));
 $set['noreply_name'] = str_replace(array('\\&quot;', '&lt;', '&gt;'), '', $set['noreply_name']);
 $set['noreply_name'] = trim(preg_replace('/\s{2,}/', ' ', $set['noreply_name']));
+$set['noreply_name']    = preg_replace("/\n|\r|\t|%0A|%0D|%08|%09/", '', $set['noreply_name']);
 
 /* --> Language settings */
 $set['can_sel_lang'] = empty($_POST['s_can_sel_lang']) ? 0 : 1;
diff --git a/admin/admin_ticket.php b/admin/admin_ticket.php
index 0210de9d..978f8112 100644
--- a/admin/admin_ticket.php
+++ b/admin/admin_ticket.php
@@ -423,13 +423,14 @@ if (isset($_POST['notemsg']) && hesk_token_check('POST')) {
                 'trackid' => $ticket['trackid'],
                 'status' => $ticket['status'],
                 'name' => $_SESSION['name'],
-                'lastreplier' => $ticket['lastreplier'],
                 'subject' => $ticket['subject'],
                 'message' => stripslashes($msg),
                 'dt' => hesk_date($ticket['dt'], true),
                 'lastchange' => hesk_date($ticket['lastchange'], true),
                 'attachments' => $myattachments,
                 'id' => $ticket['id'],
+                'time_worked'   => $ticket['time_worked'],
+                'last_reply_by' => $ticket['repliername'],
             );
 
             // 2. Add custom fields to the array
diff --git a/admin/assign_owner.php b/admin/assign_owner.php
index e875b2a5..e103e8aa 100755
--- a/admin/assign_owner.php
+++ b/admin/assign_owner.php
@@ -129,13 +129,14 @@ $info = array(
     'trackid' => $ticket['trackid'],
     'status' => $ticket['status'],
     'name' => $ticket['name'],
-    'lastreplier' => $ticket['lastreplier'],
     'subject' => $ticket['subject'],
     'message' => $ticket['message'],
     'attachments' => $ticket['attachments'],
     'dt' => hesk_date($ticket['dt'], true),
     'lastchange' => hesk_date($ticket['lastchange'], true),
     'id' => $ticket['id'],
+    'time_worked'   => $ticket['time_worked'],
+    'last_reply_by' => hesk_getReplierName($ticket),
 );
 
 // 2. Add custom fields to the array
diff --git a/admin/export.php b/admin/export.php
index 1e4e543e..c0a366e6 100644
--- a/admin/export.php
+++ b/admin/export.php
@@ -697,7 +697,7 @@ require_once(HESK_PATH . 'inc/show_admin_nav.inc.php');
                                 (<?php echo $hesklang['m' . date('n')]; ?>)
                             </option>
                             <option value="4" <?php echo $selected['time'][4]; ?>><?php echo $hesklang['r4']; ?>
-                                (<?php echo $hesklang['m' . date('n', mktime(0, 0, 0, date('m') - 1, date('d'), date('Y')))]; ?>
+                                (<?php echo $hesklang['m' . date('n', mktime(0, 0, 0, date('m') - 1, 1, date('Y')))]; ?>
                                 )
                             </option>
                             <option value="5" <?php echo $selected['time'][5]; ?>><?php echo $hesklang['r5']; ?></option>
diff --git a/admin/find_tickets.php b/admin/find_tickets.php
index c9bcd812..350bb27b 100644
--- a/admin/find_tickets.php
+++ b/admin/find_tickets.php
@@ -145,21 +145,21 @@ LEFT(`message`, 400) AS `message`,
                                 $sql .= " ( `trackid` = '" . hesk_dbEscape($q) . "' OR `merged` LIKE '%#" . hesk_dbEscape($q) . "#%' ) ";
                                 break;
                             case 'name':
-                                $sql .= "`name` LIKE '%" . hesk_dbEscape($q) . "%' COLLATE '" . hesk_dbCollate() . "' ";
+                                $sql  .= "`name` LIKE '%".hesk_dbEscape( hesk_dbLike($q) )."%' COLLATE '" . hesk_dbCollate() . "' ";
                                 break;
                             case 'email':
                                 $sql .= "`email` LIKE '%" . hesk_dbEscape($q) . "%' ";
                                 break;
                             case 'subject':
-                                $sql .= "`subject` LIKE '%" . hesk_dbEscape($q) . "%' COLLATE '" . hesk_dbCollate() . "' ";
+                                $sql  .= "`subject` LIKE '%".hesk_dbEscape( hesk_dbLike($q) )."%' COLLATE '" . hesk_dbCollate() . "' ";
                                 break;
                             case 'message':
-                                $sql .= " ( `message` LIKE '%" . hesk_dbEscape($q) . "%' COLLATE '" . hesk_dbCollate() . "'
+                                $sql  .= " ( `message` LIKE '%".hesk_dbEscape( hesk_dbLike($q) )."%' COLLATE '" . hesk_dbCollate() . "'
             		OR
                     `id` IN (
             		SELECT DISTINCT `replyto`
                 	FROM   `" . hesk_dbEscape($hesk_settings['db_pfix']) . "replies`
-                	WHERE  `message` LIKE '%" . hesk_dbEscape($q) . "%' COLLATE '" . hesk_dbCollate() . "' )
+                	WHERE  `message` LIKE '%".hesk_dbEscape( hesk_dbLike($q) )."%' COLLATE '" . hesk_dbCollate() . "' )
                     )
                     ";
                                 break;
@@ -170,7 +170,7 @@ LEFT(`message`, 400) AS `message`,
                                 $sql .= "`id` IN (
             		SELECT DISTINCT `ticket`
                 	FROM   `" . hesk_dbEscape($hesk_settings['db_pfix']) . "notes`
-                	WHERE  `message` LIKE '%" . hesk_dbEscape($q) . "%' COLLATE '" . hesk_dbCollate() . "' )
+                	WHERE  `message` LIKE '%".hesk_dbEscape( hesk_dbLike($q) )."%' COLLATE '" . hesk_dbCollate() . "' )
                 	";
                                 break;
                             default:
@@ -220,6 +220,9 @@ LEFT(`message`, 400) AS `message`,
                     $sql_count .= $sql;
                     $sql = $sql_final . $sql;
 
+                    // Strip extra slashes
+                    $q = stripslashes($q);
+
                     /* Prepare variables used in search and forms */
                     require_once(HESK_PATH . 'inc/prepare_ticket_search.inc.php');
                     ?>
diff --git a/admin/index.php b/admin/index.php
index ba7c4b00..aec1e374 100644
--- a/admin/index.php
+++ b/admin/index.php
@@ -158,7 +158,7 @@ function do_login()
         exit();
     }
 
-    $pass_enc = hesk_Pass2Hash($_SESSION['pass'] . strtolower($user) . $_SESSION['pass']);
+    $pass_enc = hesk_Pass2Hash($_SESSION['pass'].hesk_mb_strtolower($user).$_SESSION['pass']);
 
     /* Check if default password */
     if ($_SESSION['pass'] == '499d74967b28a841c98bb4baaabaad699ff3c079') {
@@ -330,7 +330,7 @@ function print_login()
                             <select class="form-control" name="user">
                                 <?php
                                 while ($row = hesk_dbFetchAssoc($res)):
-                                    $sel = (strtolower($savedUser) == strtolower($row['user'])) ? 'selected' : '';
+                                    $sel = (hesk_mb_strtolower($savedUser) == hesk_mb_strtolower($row['user'])) ? 'selected="selected"' : '';
                                     ?>
                                     <option value="<?php echo $row['user']; ?>" <?php echo $sel; ?>>
                                         <?php echo $row['user']; ?>
diff --git a/admin/manage_email_templates.php b/admin/manage_email_templates.php
index 4e690d14..7b10a0e5 100644
--- a/admin/manage_email_templates.php
+++ b/admin/manage_email_templates.php
@@ -328,6 +328,8 @@ function getSpecialTagMap()
     $map['%%OWNER%%'] = $hesklang['ticket_owner'];
     $map['%%PRIORITY%%'] = $hesklang['ticket_priority'];
     $map['%%STATUS%%'] = $hesklang['ticket_status'];
+    $map['%%LAST_REPLY_BY%%'] = $hesklang['last_reply_by'];
+    $map['%%TIME_WORKED%%'] = $hesklang['ts'];
 
     $i = 1;
     foreach ($hesk_settings['custom_fields'] as $key => $value) {
diff --git a/admin/manage_knowledgebase.php b/admin/manage_knowledgebase.php
index 0652220f..b126a326 100644
--- a/admin/manage_knowledgebase.php
+++ b/admin/manage_knowledgebase.php
@@ -900,7 +900,7 @@ function import_article()
 		$_SESSION['new_article'] = array(
 		'html' => 0,
 		'subject' => $ticket['subject'],
-		'content' => hesk_msgToPlain($ticket['message']),
+            'content' => hesk_msgToPlain($ticket['message'], 0, 0),
 		);
     }
 
@@ -915,10 +915,14 @@ function import_article()
         }
         else
         {
-	        $_SESSION['new_article']['content'] .= "\n\n" . hesk_msgToPlain($reply['message']);
+            $_SESSION['new_article']['content'] .= "\n\n" . hesk_msgToPlain($reply['message'], 0, 0);
         }
     }
 
+    // Make sure everything is extra slashed as stripslashes will be called later
+    $_SESSION['new_article']['subject'] = addslashes($_SESSION['new_article']['subject']);
+    $_SESSION['new_article']['content'] = addslashes($_SESSION['new_article']['content']);
+
     hesk_process_messages($hesklang['import'],'NOREDIRECT','NOTICE');
 
 } // END add_article()
diff --git a/admin/move_category.php b/admin/move_category.php
index 35971e02..dcc3126a 100755
--- a/admin/move_category.php
+++ b/admin/move_category.php
@@ -59,7 +59,7 @@ if (!$row['autoassign']) {
 $category_ok = hesk_okCategory($category, 0);
 
 // Is user allowed to move tickets to this category?
-if (!$category_ok && !hesk_checkPermission('can_submit_any_cat', 0)) {
+if ( ! $category_ok && ! hesk_checkPermission('can_change_cat', 0) ) {
     hesk_process_messages($hesklang['noauth_move'],'admin_main.php');
 }
 
@@ -128,13 +128,13 @@ $info = array(
     'trackid' => $ticket['trackid'],
     'status' => $ticket['status'],
     'name' => $ticket['name'],
-    'lastreplier' => $ticket['lastreplier'],
     'subject' => $ticket['subject'],
     'message' => $ticket['message'],
     'attachments' => $ticket['attachments'],
     'dt' => hesk_date($ticket['dt'], true),
     'lastchange' => hesk_date($ticket['lastchange'], true),
-    'id' => $ticket['id'],
+    'id' => $ticket['id'],'time_worked'   => $ticket['time_worked'],
+    'last_reply_by' => hesk_getReplierName($ticket),
 );
 
 // 2. Add custom fields to the array
diff --git a/admin/new_ticket.php b/admin/new_ticket.php
index bc6f8fca..9128c017 100644
--- a/admin/new_ticket.php
+++ b/admin/new_ticket.php
@@ -244,7 +244,7 @@ $show_quick_help = $show['show'];
                             class="important">*</span></label>
 
                     <div class="col-sm-9">
-                        <input type="text" class="form-control" name="name" size="40" maxlength="30"
+                        <input type="text" class="form-control" name="name" size="40" maxlength="50"
                                value="<?php if (isset($_SESSION['as_name'])) {
                                    echo stripslashes(hesk_input($_SESSION['as_name']));
                                } else if (isset($_GET['name'])) {
@@ -700,7 +700,7 @@ $show_quick_help = $show['show'];
                         ?>
                     </label>
                     <div class="col-sm-9">
-                        <span id="HeskSub"><input class="form-control" type="text" name="subject" id="subject" size="40" maxlength="40"
+                        <span id="HeskSub"><input class="form-control" type="text" name="subject" id="subject" size="40" maxlength="70"
                           value="<?php if (isset($_SESSION['as_subject']) || isset($_GET['subject'])) {
                               echo stripslashes(hesk_input($_SESSION['as_subject']));
                           } ?>" placeholder="<?php echo htmlspecialchars($hesklang['subject']); ?>"
diff --git a/admin/profile.php b/admin/profile.php
index d276235e..d083e798 100644
--- a/admin/profile.php
+++ b/admin/profile.php
@@ -166,7 +166,7 @@ function update_profile()
     $hesk_error_buffer = '';
 
     $_SESSION['new']['name'] = hesk_input(hesk_POST('name')) or $hesk_error_buffer .= '<li>' . $hesklang['enter_your_name'] . '</li>';
-    $_SESSION['new']['email'] = hesk_validateEmail(hesk_POST('email'), 'ERR', 0) or $hesk_error_buffer = '<li>' . $hesklang['enter_valid_email'] . '</li>';
+    $_SESSION['new']['email'] = hesk_validateEmail( hesk_POST('email'), 'ERR', 0) or $hesk_error_buffer .= '<li>' . $hesklang['enter_valid_email'] . '</li>';
     $_SESSION['new']['signature'] = hesk_input(hesk_POST('signature'));
 
     /* Signature */
diff --git a/admin/reports.php b/admin/reports.php
index 64d3ba00..e9f341a2 100644
--- a/admin/reports.php
+++ b/admin/reports.php
@@ -249,7 +249,7 @@ require_once(HESK_PATH . 'inc/show_admin_nav.inc.php');
                                 (<?php echo $hesklang['m' . date('n')]; ?>)
                             </option>
                             <option value="4" <?php echo $selected['time'][4]; ?>><?php echo $hesklang['r4']; ?>
-                                (<?php echo $hesklang['m' . date('n', mktime(0, 0, 0, date('m') - 1, date('d'), date('Y')))]; ?>
+                                (<?php echo $hesklang['m' . date('n', mktime(0, 0, 0, date('m') - 1, 1, date('Y')))]; ?>
                                 )
                             </option>
                             <option
diff --git a/api/BusinessLogic/Emails/BasicEmailSender.php b/api/BusinessLogic/Emails/BasicEmailSender.php
index 38039792..8ab1c37d 100644
--- a/api/BusinessLogic/Emails/BasicEmailSender.php
+++ b/api/BusinessLogic/Emails/BasicEmailSender.php
@@ -10,6 +10,10 @@ use PHPMailer;
 class BasicEmailSender extends \BaseClass implements EmailSender {
 
     function sendEmail($emailBuilder, $heskSettings, $modsForHeskSettings, $sendAsHtml) {
+        if (preg_match("/\n|\r|\t|%0A|%0D|%08|%09/", $emailBuilder->to . $emailBuilder->subject)) {
+            return false;
+        }
+
         $mailer = new PHPMailer();
 
         if ($heskSettings['smtp']) {
diff --git a/api/BusinessLogic/Emails/EmailTemplateParser.php b/api/BusinessLogic/Emails/EmailTemplateParser.php
index 05796921..287a1915 100644
--- a/api/BusinessLogic/Emails/EmailTemplateParser.php
+++ b/api/BusinessLogic/Emails/EmailTemplateParser.php
@@ -247,6 +247,22 @@ class EmailTemplateParser extends \BaseClass {
         $msg = str_replace('%%CREATED%%', $ticket->dateCreated, $msg);
         $msg = str_replace('%%UPDATED%%', $ticket->lastChanged, $msg);
         $msg = str_replace('%%ID%%', $ticket->id, $msg);
+        $msg = str_replace('%%TIME_WORKED%%', $ticket->timeWorked, $msg);
+
+        $lastReplyBy = '';
+        // Get the last reply by
+        if (!empty($ticket->lastReplier)) {
+            if (!empty($ticket->lastReplier)) {
+                $lastReplyBy = $hesklang['staff'];
+            } else {
+                $lastReplyUser = $this->userGateway->getUserById($ticket->lastReplier, $heskSettings);
+                $lastReplyBy = $lastReplyUser !== null ? $lastReplyUser->name : $hesklang['unas'];
+            }
+        } else {
+            $lastReplyBy = $ticket->name;
+        }
+
+        $msg = str_replace('%%LAST_REPLY_BY%%', $lastReplyBy, $msg);
 
         /* All custom fields */
         for ($i=1; $i<=50; $i++) {
diff --git a/api/Core/database.inc.php b/api/Core/database.inc.php
index 2e41ddbe..54cb294b 100755
--- a/api/Core/database.inc.php
+++ b/api/Core/database.inc.php
@@ -97,7 +97,7 @@ function hesk_dbEscape($in)
 
 function hesk_dbLike($in)
 {
-	return str_replace( array('_', '%'), array('\\\\_', '\\\\%'), $in);
+    return str_replace( array('_', '%', '\\'), array('\\\\_', '\\\\%', '\\\\'), $in); // '
 } // END hesk_dbLike()
 
 
diff --git a/api/Core/database_mysqli.inc.php b/api/Core/database_mysqli.inc.php
index 6c13cebc..9510b003 100755
--- a/api/Core/database_mysqli.inc.php
+++ b/api/Core/database_mysqli.inc.php
@@ -97,7 +97,7 @@ function hesk_dbEscape($in)
 
 function hesk_dbLike($in)
 {
-	return str_replace( array('_', '%'), array('\\\\_', '\\\\%'), $in);
+    return str_replace( array('_', '%', '\\'), array('\\\\_', '\\\\%', '\\\\'), $in); // '
 } // END hesk_dbLike()
 
 
diff --git a/cron/core/database.inc.php b/cron/core/database.inc.php
index 258c4c65..36a4fe47 100755
--- a/cron/core/database.inc.php
+++ b/cron/core/database.inc.php
@@ -98,7 +98,7 @@ function hesk_dbEscape($in)
 
 function hesk_dbLike($in)
 {
-	return str_replace( array('_', '%'), array('\\\\_', '\\\\%'), $in);
+    return str_replace( array('_', '%', '\\'), array('\\\\_', '\\\\%', '\\\\'), $in); // '
 } // END hesk_dbLike()
 
 
diff --git a/cron/core/database_mysqli.inc.php b/cron/core/database_mysqli.inc.php
index 4958f565..aadab0b7 100755
--- a/cron/core/database_mysqli.inc.php
+++ b/cron/core/database_mysqli.inc.php
@@ -97,7 +97,7 @@ function hesk_dbEscape($in)
 
 function hesk_dbLike($in)
 {
-	return str_replace( array('_', '%'), array('\\\\_', '\\\\%'), $in);
+    return str_replace( array('_', '%', '\\'), array('\\\\_', '\\\\%', '\\\\'), $in); // '
 } // END hesk_dbLike()
 
 
diff --git a/inc/admin_functions.inc.php b/inc/admin_functions.inc.php
index cadb5a88..1de4b3a7 100644
--- a/inc/admin_functions.inc.php
+++ b/inc/admin_functions.inc.php
@@ -334,7 +334,7 @@ function hesk_activeSessionValidate($username, $password_hash, $tag)
     list($salt, $hash) = explode('|', $tag, 2);
 
     // Make sure the hash matches existing username and password
-    if ($hash == sha1($salt . strtolower($username) . $password_hash)) {
+    if ($hash == sha1($salt . hesk_mb_strtolower($username) . $password_hash) ) {
         return true;
     }
 
@@ -345,7 +345,7 @@ function hesk_activeSessionValidate($username, $password_hash, $tag)
 function hesk_activeSessionCreateTag($username, $password_hash)
 {
     $salt = uniqid(mt_rand(), true);
-    return $salt . '|' . sha1($salt . strtolower($username) . $password_hash);
+    return $salt . '|' . sha1($salt . hesk_mb_strtolower($username) . $password_hash);
 } // END hesk_activeSessionCreateTag()
 
 
@@ -383,7 +383,7 @@ function hesk_autoLogin($noredirect = 0)
     $res = hesk_dbFetchAssoc($result);
 
     /* Check password */
-    if ($hash != hesk_Pass2Hash($res['pass'] . strtolower($user) . $res['pass'])) {
+    if ($hash != hesk_Pass2Hash($res['pass'] . hesk_mb_strtolower($user) . $res['pass']) ) {
         hesk_setcookie('hesk_username', '');
         hesk_setcookie('hesk_p', '');
         header('Location: '.$url);
diff --git a/inc/common.inc.php b/inc/common.inc.php
index 29f35fc0..92fe0aa4 100644
--- a/inc/common.inc.php
+++ b/inc/common.inc.php
@@ -357,6 +357,10 @@ function hesk_isREQUEST($in)
     return isset($_GET[$in]) || isset($_POST[$in]) ? true : false;
 } // END hesk_isREQUEST()
 
+function hesk_mb_strtolower($in) {
+    return function_exists('mb_strtolower') ? mb_strtolower($in) : strtolower($in);
+} // END hesk_mb_strtolower()
+
 
 function hesk_htmlspecialchars_decode($in)
 {
@@ -835,7 +839,39 @@ function hesk_getCategoryName($id)
     $hesk_settings['category_data'][$id]['name'] = hesk_dbResult($res, 0, 0);
 
     return $hesk_settings['category_data'][$id]['name'];
-} // END hesk_getOwnerName()
+} // END hesk_getCategoryName()
+
+function hesk_getReplierName($ticket) {
+    global $hesk_settings, $hesklang;
+
+    // Already have this info?
+    if (isset($ticket['last_reply_by'])) {
+        return $ticket['last_reply_by'];
+    }
+
+    // Last reply by staff
+    if ( ! empty($ticket['lastreplier'])) {
+        // We don't know who from staff so just send "Staff"
+        if (empty($ticket['replierid'])) {
+            return $hesklang['staff'];
+        }
+
+        // Get the name using another function
+        $replier = hesk_getOwnerName($ticket['replierid']);
+
+        // If replier comes back as "unassigned", default to "Staff"
+        if ($replier == $hesklang['unas']) {
+            return $hesklang['staff'];
+        }
+
+        return $replier;
+    }
+
+    // Last reply by customer
+    return $ticket['name'];
+
+} // END hesk_getReplierName()
+
 
 
 function hesk_getOwnerName($id)
diff --git a/inc/email_functions.inc.php b/inc/email_functions.inc.php
index 13db7b8c..5483d121 100644
--- a/inc/email_functions.inc.php
+++ b/inc/email_functions.inc.php
@@ -418,15 +418,21 @@ function hesk_mail($to, $subject, $message, $htmlMessage, $modsForHesk_settings,
         return true;
     }
 
+    // Stop if we find anything suspicious in the headers
+    if ( preg_match("/\n|\r|\t|%0A|%0D|%08|%09/", $to . $subject) ) {
+        return false;
+    }
+
+
     // Encode subject to UTF-8
-    $subject = "=?UTF-8?B?" . base64_encode(hesk_html_entity_decode($subject)) . "?=";
+    $subject = hesk_encodeIfNotAscii( hesk_html_entity_decode($subject) );
 
     // Auto-generate URLs for HTML-formatted emails
     $htmlMessage = hesk_makeURL($htmlMessage, '', false);
 
     // Setup "name <email>" for headers
     if ($hesk_settings['noreply_name']) {
-        $hesk_settings['from_header'] = "=?UTF-8?B?" . base64_encode(hesk_html_entity_decode($hesk_settings['noreply_name'])) . "?= <" . $hesk_settings['noreply_mail'] . ">";
+        $hesk_settings['from_header'] = hesk_encodeIfNotAscii( hesk_html_entity_decode($hesk_settings['noreply_name']) ) . " <" . $hesk_settings['noreply_mail'] . ">";
     } else {
         $hesk_settings['from_header'] = $hesk_settings['noreply_mail'];
     }
@@ -505,6 +511,10 @@ function hesk_mail($to, $subject, $message, $htmlMessage, $modsForHesk_settings,
     //-- Close the email
     $message .= "--" . $innerboundary . "--";
 
+    // Remove duplicate recipients
+    $to_arr = array_unique(explode(',', $to));
+    $to = implode(',', $to_arr);
+
     // Use PHP's mail function
     if (!$hesk_settings['smtp']) {
         // Set additional headers
@@ -552,8 +562,6 @@ function hesk_mail($to, $subject, $message, $htmlMessage, $modsForHesk_settings,
     ob_start();
 
     // Send the e-mail using SMTP
-    $to_arr = explode(',', $to);
-
     $headersArray = array(
         "From: $hesk_settings[from_header]",
         "To: $to",
@@ -728,6 +736,16 @@ function hesk_getEmailMessage($eml_file, $ticket, $modsForHesk_settings, $is_adm
 
 } // END hesk_getEmailMessage
 
+function hesk_encodeIfNotAscii($str) {
+    // Match anything outside of ASCII range
+    if (preg_match('/[^\x00-\x7F]/', $str)) {
+        return "=?UTF-8?B?" . base64_encode($str) . "?=";
+    }
+
+    return $str;
+} // END hesk_encodeIfNotAscii()
+
+
 function hesk_doesTemplateHaveTag($eml_file, $tag, $modsForHesk_settings)
 {
     global $hesk_settings;
@@ -795,7 +813,7 @@ function hesk_processMessage($msg, $ticket, $is_admin, $is_ticket, $just_message
     $trackingURL .= '?track=' . $ticket['trackid'] . ($is_admin ? '' : $hesk_settings['e_param']) . '&Refresh=' . rand(10000, 99999);
 
     /* Set category title */
-    $ticket['category'] = hesk_msgToPlain(hesk_getCategoryName($ticket['category']), 1);
+    $ticket['category'] = hesk_msgToPlain(hesk_getCategoryName($ticket['category']), 1, 0);
 
     /* Set priority title */
     switch ($ticket['priority']) {
@@ -821,6 +839,12 @@ function hesk_processMessage($msg, $ticket, $is_admin, $is_ticket, $just_message
     $row = hesk_dbFetchAssoc($statusRs);
     $ticket['status'] = $row['text'];
 
+    // Get name of the person who posted the last message
+    if ( ! isset($ticket['last_reply_by'])) {
+        $ticket['last_reply_by'] = hesk_getReplierName($ticket);
+    }
+
+
     /* Replace all special tags */
     $msg = str_replace('%%NAME%%', $ticket['name'], $msg);
     $msg = str_replace('%%SUBJECT%%', $ticket['subject'], $msg);
@@ -836,6 +860,8 @@ function hesk_processMessage($msg, $ticket, $is_admin, $is_ticket, $just_message
     $msg = str_replace('%%CREATED%%', $ticket['dt'], $msg);
     $msg = str_replace('%%UPDATED%%', $ticket['lastchange'], $msg);
     $msg = str_replace('%%ID%%', $ticket['id'], $msg);
+    $msg = str_replace('%%TIME_WORKED%%',  $ticket['time_worked']   ,$msg);
+    $msg = str_replace('%%LAST_REPLY_BY%%',$ticket['last_reply_by'] ,$msg);
 
     /* All custom fields */
     for ($i=1; $i<=50; $i++) {
diff --git a/inc/pipe_functions.inc.php b/inc/pipe_functions.inc.php
index 7a98f02d..1a56eca6 100755
--- a/inc/pipe_functions.inc.php
+++ b/inc/pipe_functions.inc.php
@@ -347,7 +347,7 @@ function hesk_encodeUTF8($in, $encoding)
             return utf8_encode($in);
             break;
         default:
-            return iconv($encoding, 'UTF-8', $in);
+            return function_exists('iconv') ? iconv($encoding, 'UTF-8', $in) : utf8_encode($in);
             break;
     }
 } // END hesk_encodeUTF8()
diff --git a/inc/posting_functions.inc.php b/inc/posting_functions.inc.php
index 7e81bfbf..9ab98909 100644
--- a/inc/posting_functions.inc.php
+++ b/inc/posting_functions.inc.php
@@ -129,7 +129,7 @@ function hesk_newTicket($ticket, $isVerified = true)
         'trackid' => $ticket['trackid'],
         'status' => $ticket['status'],
         'name' => $ticket['name'],
-        'lastreplier' => $ticket['name'],
+        'last_reply_by' => $ticket['name'],
         'subject' => $ticket['subject'],
         'message' => $ticket['message'],
         'attachments' => $ticket['attachments'],
@@ -138,7 +138,8 @@ function hesk_newTicket($ticket, $isVerified = true)
         'id' => hesk_dbInsertID(),
         'language' => $language,
         'html' => $ticket['html'],
-        'due_date' => $ticket['due_date']
+        'due_date' => $ticket['due_date'],
+        'time_worked' => '00:00:00',
     );
 
     // Add custom fields to the array
diff --git a/index.php b/index.php
index 72c28dea..e9082980 100644
--- a/index.php
+++ b/index.php
@@ -340,7 +340,7 @@ function print_add_ticket()
                             class="important">*</span></label>
 
                     <div class="col-sm-9">
-                        <input type="text" class="form-control" id="name" name="name" size="40" maxlength="30"
+                        <input type="text" class="form-control" id="name" name="name" size="40" maxlength="50"
                                value="<?php if (isset($_SESSION['c_name'])) {
                                    echo stripslashes(hesk_input($_SESSION['c_name']));
                                } ?>" <?php if (in_array('name', $_SESSION['iserror'])) {
@@ -711,7 +711,7 @@ function print_add_ticket()
 
                             <div class="col-sm-9">
                                 <input type="text" id="subject" class="form-control" name="subject" size="40"
-                                       maxlength="40"
+                                       maxlength="70"
                                        value="<?php if (isset($_SESSION['c_subject'])) {
                                            echo stripslashes(hesk_input($_SESSION['c_subject']));
                                        } ?>" <?php if (in_array('subject', $_SESSION['iserror'])) {
diff --git a/install/install_functions.inc.php b/install/install_functions.inc.php
index 08926049..e94f1e85 100644
--- a/install/install_functions.inc.php
+++ b/install/install_functions.inc.php
@@ -15,7 +15,7 @@
 if (!defined('IN_SCRIPT')) {die('Invalid attempt');}
 
 // We will be installing this HESK version:
-define('HESK_NEW_VERSION','2.7.3');
+define('HESK_NEW_VERSION','2.7.4');
 define('MODS_FOR_HESK_NEW_VERSION','3.2.2');
 define('REQUIRE_PHP_VERSION','5.3.0');
 define('REQUIRE_MYSQL_VERSION','5.0.7');
diff --git a/internal-api/core/database.inc.php b/internal-api/core/database.inc.php
index 47c0eb59..224de93d 100755
--- a/internal-api/core/database.inc.php
+++ b/internal-api/core/database.inc.php
@@ -97,7 +97,7 @@ function hesk_dbEscape($in)
 
 function hesk_dbLike($in)
 {
-	return str_replace( array('_', '%'), array('\\\\_', '\\\\%'), $in);
+    return str_replace( array('_', '%', '\\'), array('\\\\_', '\\\\%', '\\\\'), $in); // '
 } // END hesk_dbLike()
 
 
diff --git a/internal-api/core/database_mysqli.inc.php b/internal-api/core/database_mysqli.inc.php
index befdded2..120a4c0e 100755
--- a/internal-api/core/database_mysqli.inc.php
+++ b/internal-api/core/database_mysqli.inc.php
@@ -97,7 +97,7 @@ function hesk_dbEscape($in)
 
 function hesk_dbLike($in)
 {
-	return str_replace( array('_', '%'), array('\\\\_', '\\\\%'), $in);
+    return str_replace( array('_', '%', '\\'), array('\\\\_', '\\\\%', '\\\\'), $in); // '
 } // END hesk_dbLike()
 
 
diff --git a/knowledgebase.php b/knowledgebase.php
index 20bacd3f..fdb2a3a4 100644
--- a/knowledgebase.php
+++ b/knowledgebase.php
@@ -286,8 +286,8 @@ if (!$show['show']) {
             if ($hesk_settings['kb_rating'] && strpos(hesk_COOKIE('hesk_kb_rate'), 'a' . $artid . '%') === false) {
                 echo '
 	    <div id="rating" class="rate" align="right">&nbsp;<br />' . $hesklang['rart'] . '
-			<a href="Javascript:void(0)" onclick="Javascript:window.location=\'knowledgebase.php?rating=5&amp;id=' . $article['id'] . '\'" rel="nofollow">' . strtolower($hesklang['yes']) . '</a> /
-	        <a href="Javascript:void(0)" onclick="Javascript:window.location=\'knowledgebase.php?rating=1&amp;id=' . $article['id'] . '\'" rel="nofollow">' . strtolower($hesklang['no']) . '</a>
+			<a href="Javascript:void(0)" onclick="Javascript:window.location=\'knowledgebase.php?rating=5&amp;id=' . $article['id'] . '\'" rel="nofollow">' . hesk_mb_strtolower($hesklang['yes']) . '</a> /
+	        <a href="Javascript:void(0)" onclick="Javascript:window.location=\'knowledgebase.php?rating=1&amp;id=' . $article['id'] . '\'" rel="nofollow">' . hesk_mb_strtolower($hesklang['no']) . '</a>
 	    </div>
         ';
             }
diff --git a/language/en/emails/html/new_reply_by_customer.txt b/language/en/emails/html/new_reply_by_customer.txt
index f0eb563d..79cc0a86 100644
--- a/language/en/emails/html/new_reply_by_customer.txt
+++ b/language/en/emails/html/new_reply_by_customer.txt
@@ -1,6 +1,6 @@
 <p>Hello,</p>
 <p>A customer has just replied to ticket "%%SUBJECT%%".</p>
-<p>You can manage this ticket here:
+<p>You can read the reply message and manage this ticket here:
 %%TRACK_URL%%</p>
 <p>Regards,</p>
 %%SITE_TITLE%% <br>
diff --git a/language/en/emails/html/new_reply_by_staff.txt b/language/en/emails/html/new_reply_by_staff.txt
index 1287b2b8..fcf1093a 100644
--- a/language/en/emails/html/new_reply_by_staff.txt
+++ b/language/en/emails/html/new_reply_by_staff.txt
@@ -1,8 +1,9 @@
 <p>Dear %%NAME%%,</p>
-<p>Our staff has just replied to your ticket "%%SUBJECT%%".</p>
-<p>You can view the ticket here:</p>
+<p>We have just replied to your ticket "%%SUBJECT%%".</p>
+<p>To read the message, submit a reply and view details, please visit:</p>
 %%TRACK_URL%%
 <br><br>
+<p>If the above link is not clickable, try copying and pasting it into the address bar of your web browser.</p>
 <p>Sincerely,</p>
 %%SITE_TITLE%%
 <br>
diff --git a/language/en/emails/html/ticket_closed.txt b/language/en/emails/html/ticket_closed.txt
index f547ba76..10220a1a 100644
--- a/language/en/emails/html/ticket_closed.txt
+++ b/language/en/emails/html/ticket_closed.txt
@@ -1,8 +1,8 @@
 <p>Dear %%NAME%%,</p>
 <p>Your support ticket "%%SUBJECT%%" has been updated to a closed/resolved status.</p>
-<p>Ticket tracking ID: %%TRACK_ID%%</p>
 <p>You can view the status of your ticket here:
 %%TRACK_URL%%</p>
+<p>If the above link is not clickable, try copying and pasting it into the address bar of your web browser.</p>
 <p>Sincerely,</p>
 %%SITE_TITLE%% <br>
 %%SITE_URL%%
\ No newline at end of file
diff --git a/language/en/emails/ticket_closed.txt b/language/en/emails/ticket_closed.txt
index 51cfb97c..33a94afd 100644
--- a/language/en/emails/ticket_closed.txt
+++ b/language/en/emails/ticket_closed.txt
@@ -2,11 +2,10 @@ Dear %%NAME%%,
 
 Your support ticket "%%SUBJECT%%" has been updated to a closed/resolved status.
 
-Ticket tracking ID: %%TRACK_ID%%
-
 You can view the status of your ticket here:
 %%TRACK_URL%%
 
+If the above link is not clickable, try copying and pasting it into the address bar of your web browser.
 
 Sincerely,
 
diff --git a/language/en/text.php b/language/en/text.php
index d543ccd3..042a2130 100644
--- a/language/en/text.php
+++ b/language/en/text.php
@@ -1239,7 +1239,7 @@ $hesklang['cat_pri_ch']='Category priority has been set to:';
 $hesklang['err_dbversion']='Too old MySQL version:'; // %s will be replaced with MySQL version
 $hesklang['signature_max']='Signature (max 1000 chars)';
 $hesklang['signature_long']='User signature is too long! Please limit the signature to 1000 chars';
-$hesklang['ip_whois']='IP whois';
+$hesklang['ip_whois']='IP WHOIS';
 $hesklang['ednote']='Edit note message';
 $hesklang['ednote2']='Note message saved';
 $hesklang['perm_deny']='Permission denied';
@@ -1284,7 +1284,6 @@ $hesklang['click_unban']='Click here to unban.';
 $hesklang['banip_intro']='Visitors from banned IP addresses will not be able to view or submit tickets and login into the help desk.';
 $hesklang['ipperm']='Permanent IP bans:';
 $hesklang['iptemp']='Login failure bans:';
-$hesklang['savebanip']='Ban this IP';
 $hesklang['no_banips']='<i>No IPs are being banned.</i>';
 $hesklang['bananip']='IP address to ban';
 $hesklang['banex']='Examples:';
diff --git a/reply_ticket.php b/reply_ticket.php
index 499f3d1f..0760ac06 100644
--- a/reply_ticket.php
+++ b/reply_ticket.php
@@ -206,13 +206,14 @@ $info = array(
     'trackid' => $ticket['trackid'],
     'status' => $ticket['status'],
     'name' => $ticket['name'],
-    'lastreplier' => $ticket['name'],
     'subject' => $ticket['subject'],
     'message' => stripslashes($message),
     'attachments' => $myattachments,
     'dt' => hesk_date($ticket['dt'], true),
     'lastchange' => hesk_date($ticket['lastchange'], true),
     'id' => $ticket['id'],
+    'time_worked'   => $ticket['time_worked'],
+    'last_reply_by' => $ticket['name'],
 );
 
 // 2. Add custom fields to the array
diff --git a/submit_ticket.php b/submit_ticket.php
index 06090ef6..d11f5225 100644
--- a/submit_ticket.php
+++ b/submit_ticket.php
@@ -73,7 +73,7 @@ if ($hesk_settings['question_use']) {
 
     if (strlen($question) == 0) {
         $hesk_error_buffer['question'] = $hesklang['q_miss'];
-    } elseif (strtolower($question) != strtolower($hesk_settings['question_ans'])) {
+    } elseif (hesk_mb_strtolower($question) != hesk_mb_strtolower($hesk_settings['question_ans'])) {
         $hesk_error_buffer['question'] = $hesklang['q_wrng'];
     } else {
         $_SESSION['c_question'] = $question;
diff --git a/ticket.php b/ticket.php
index 2d7197b4..cb7ef11b 100644
--- a/ticket.php
+++ b/ticket.php
@@ -722,8 +722,8 @@ function hesk_printCustomerTicketReplies()
                             echo '
 					            <div id="rating' . $reply['id'] . '" class="rate">
 					            ' . $hesklang['r'] . '
-					            <a href="Javascript:void(0)" onclick="Javascript:hesk_rate(\'rate.php?rating=5&amp;id=' . $reply['id'] . '&amp;track=' . $trackingID . '\',\'rating' . $reply['id'] . '\')">' . strtolower($hesklang['yes']) . '</a> /
-					            <a href="Javascript:void(0)" onclick="Javascript:hesk_rate(\'rate.php?rating=1&amp;id=' . $reply['id'] . '&amp;track=' . $trackingID . '\',\'rating' . $reply['id'] . '\')">' . strtolower($hesklang['no']) . '</a>
+					            <a href="Javascript:void(0)" onclick="Javascript:hesk_rate(\'rate.php?rating=5&amp;id=' . $reply['id'] . '&amp;track=' . $trackingID . '\',\'rating' . $reply['id'] . '\')">' . hesk_mb_strtolower($hesklang['yes']) . '</a> /
+					            <a href="Javascript:void(0)" onclick="Javascript:hesk_rate(\'rate.php?rating=1&amp;id=' . $reply['id'] . '&amp;track=' . $trackingID . '\',\'rating' . $reply['id'] . '\')">' . hesk_mb_strtolower($hesklang['no']) . '</a>
 					            </div>
 					            ';
                         }