#202 Use htmLawed to help prevent against XSS attacks

9 years ago · b7c7cd8639
parent 497a7550f4
commit b7c7cd8639
4 changed files with 7 additions and 3 deletions
--- a/inc/pipe_functions.inc.php
+++ b/inc/pipe_functions.inc.php
@ -39,6 +39,7 @@ if (!defined('IN_SCRIPT')) {die('Invalid attempt');}
 hesk_load_database_functions();
 require(HESK_PATH . 'inc/email_functions.inc.php');
 require(HESK_PATH . 'inc/posting_functions.inc.php');
+require(HESK_PATH . 'inc/htmLawed.php');
 require(HESK_PATH . 'inc/mail/rfc822_addresses.php');
 require(HESK_PATH . 'inc/mail/mime_parser.php');
 require(HESK_PATH . 'inc/mail/email_parser.php');
--- a/inc/posting_functions.inc.php
+++ b/inc/posting_functions.inc.php
@ -33,7 +33,7 @@
 *******************************************************************************/

 /* Check if this is a valid include */
-if (!defined('IN_SCRIPT')) {die('Invalid attempt');} 
+if (!defined('IN_SCRIPT')) {die('Invalid attempt');}

 /*** FUNCTIONS ***/

@ -54,6 +54,8 @@ function hesk_newTicket($ticket, $isVerified = true)
    $ticket['status'] = $defaultNewTicket['ID'];
    $tableName = $isVerified ? 'tickets' : 'stage_tickets';

+	$ticket['message'] = htmLawed($ticket['message'], array('safe' => 1, 'deny_attribute'=>'style'));
+
 	// Insert ticket into database
 	hesk_dbQuery("
 	INSERT INTO `".hesk_dbEscape($hesk_settings['db_pfix']).$tableName."`
--- a/modsForHesk_settings.inc.php
+++ b/modsForHesk_settings.inc.php
@ -52,4 +52,4 @@ $modsForHesk_settings['request_location'] = 0;
 $modsForHesk_settings['category_order_column'] = 'cat_order';

 //-- Setting for using rich-text editor for tickets. 0 = Disable, 1 = Enable
-$modsForHesk_settings['rich_text_for_tickets'] = 0;
+$modsForHesk_settings['rich_text_for_tickets'] = 1;
--- a/submit_ticket.php
+++ b/submit_ticket.php
@ -56,6 +56,7 @@ hesk_check_kb_only();
 hesk_load_database_functions();
 require(HESK_PATH . 'inc/email_functions.inc.php');
 require(HESK_PATH . 'inc/posting_functions.inc.php');
+require(HESK_PATH . 'inc/htmLawed.php');

 // We only allow POST requests to this file
 if ( $_SERVER['REQUEST_METHOD'] != 'POST' )
@ -256,7 +257,7 @@ else
 }

 $tmpvar['subject']  = hesk_input( hesk_POST('subject') ) or $hesk_error_buffer['subject']=$hesklang['enter_ticket_subject'];
-$tmpvar['message']  = hesk_input( hesk_POST('message') ) or $hesk_error_buffer['message']=$hesklang['enter_message'];
+$tmpvar['message']  = hesk_input(hesk_POST('message')) or $hesk_error_buffer['message']=$hesklang['enter_message'];;

 // Is category a valid choice?
 if ($tmpvar['category'])