From b7c7cd8639231bf2f0fdfe51a4b7c7f7a052a148 Mon Sep 17 00:00:00 2001
From: Mike Koch
Date: Sun, 2 Aug 2015 16:14:17 -0400
Subject: [PATCH] #202 Use htmLawed to help prevent against XSS attacks
---
 inc/pipe_functions.inc.php | 1 +
 inc/posting_functions.inc.php | 4 +++-
 modsForHesk_settings.inc.php | 2 +-
 submit_ticket.php | 3 ++-
 4 files changed, 7 insertions(+), 3 deletions(-)
diff --git a/inc/pipe_functions.inc.php b/inc/pipe_functions.inc.php
index 40a4de37..c615bbb6 100755
--- a/inc/pipe_functions.inc.php
+++ b/inc/pipe_functions.inc.php
@@ -39,6 +39,7 @@ if (!defined('IN_SCRIPT')) {die('Invalid attempt');}
 hesk_load_database_functions();
 require(HESK_PATH . 'inc/email_functions.inc.php');
 require(HESK_PATH . 'inc/posting_functions.inc.php');
+require(HESK_PATH . 'inc/htmLawed.php');
 require(HESK_PATH . 'inc/mail/rfc822_addresses.php');
 require(HESK_PATH . 'inc/mail/mime_parser.php');
 require(HESK_PATH . 'inc/mail/email_parser.php');
diff --git a/inc/posting_functions.inc.php b/inc/posting_functions.inc.php
index a2e7c8e3..92ae6da5 100644
--- a/inc/posting_functions.inc.php
+++ b/inc/posting_functions.inc.php
@@ -33,7 +33,7 @@
 *******************************************************************************/
 /* Check if this is a valid include */
-if (!defined('IN_SCRIPT')) {die('Invalid attempt');}
+if (!defined('IN_SCRIPT')) {die('Invalid attempt');}
 /*** FUNCTIONS ***/
@@ -54,6 +54,8 @@ function hesk_newTicket($ticket, $isVerified = true)
 $ticket['status'] = $defaultNewTicket['ID'];
 $tableName = $isVerified ? 'tickets' : 'stage_tickets';
+ $ticket['message'] = htmLawed($ticket['message'], array('safe' => 1, 'deny_attribute'=>'style'));
+
 // Insert ticket into database
 hesk_dbQuery("
 INSERT INTO `".hesk_dbEscape($hesk_settings['db_pfix']).$tableName."`
diff --git a/modsForHesk_settings.inc.php b/modsForHesk_settings.inc.php
index e374e240..a1dfcd09 100644
--- a/modsForHesk_settings.inc.php
+++ b/modsForHesk_settings.inc.php
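Review bot: The new htmLawed() call inside hesk_newTicket() depends on inc/htmLawed.php, but posting_functions.inc.php does not require that file itself; the patch instead adds the require to each entry point (the pipe_functions.inc.php hunk and the submit_ticket.php include hunk), so any other script that includes posting_functions.inc.php and reaches hesk_newTicket() would fail with an undefined-function error instead of storing a sanitised message. Placing the dependency next to this file's own includes, `require_once(HESK_PATH . 'inc/htmLawed.php');`, keeps the sanitiser tied to the code that calls it. Sanitising at storage time is one layer; the page that renders the stored message must still escape or trust it consistently, which this patch does not touch. The config array also mixes spacing (`'safe' => 1` versus `'deny_attribute'=>'style'`), and a comment such as `// Sanitise rich-text HTML (htmLawed safe mode, no inline style) before it is stored` would record the intent. hesk_newTicket() begins before this hunk and continues after it.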
@@ -52,4 +52,4 @@ $modsForHesk_settings['request_location'] = 0;
 $modsForHesk_settings['category_order_column'] = 'cat_order';
 //-- Setting for using rich-text editor for tickets. 0 = Disable, 1 = Enable
-$modsForHesk_settings['rich_text_for_tickets'] = 0;
\ No newline at end of file
+$modsForHesk_settings['rich_text_for_tickets'] = 1;
\ No newline at end of file
diff --git a/submit_ticket.php b/submit_ticket.php
index b508336b..004cd186 100644
--- a/submit_ticket.php
+++ b/submit_ticket.php
@@ -56,6 +56,7 @@ hesk_check_kb_only();
 hesk_load_database_functions();
 require(HESK_PATH . 'inc/email_functions.inc.php');
 require(HESK_PATH . 'inc/posting_functions.inc.php');
+require(HESK_PATH . 'inc/htmLawed.php');
 // We only allow POST requests to this file
 if ( $_SERVER['REQUEST_METHOD'] != 'POST' )
@@ -256,7 +257,7 @@ else
 }
 $tmpvar['subject'] = hesk_input( hesk_POST('subject') ) or $hesk_error_buffer['subject']=$hesklang['enter_ticket_subject'];
-$tmpvar['message'] = hesk_input( hesk_POST('message') ) or $hesk_error_buffer['message']=$hesklang['enter_message'];
+$tmpvar['message'] = hesk_input(hesk_POST('message')) or $hesk_error_buffer['message']=$hesklang['enter_message'];;
 // Is category a valid choice?
 if ($tmpvar['category'])
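Review bot: Turning rich_text_for_tickets on by default widens the HTML input surface for every installation in the same commit that introduces the sanitiser, and nothing in this file records that the two are coupled. The existing `//-- Setting for using rich-text editor ...` comment only explains the values; a second line such as `//-- Rich-text input relies on htmLawed sanitising the message in hesk_newTicket()` would make the dependency explicit for whoever later changes either side. Whether shipping 1 as the default was intended, rather than a local setting committed by accident, is not clear from the hunk.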
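Review bot: The rewritten `$tmpvar['message']` assignment ends with a doubled semicolon (`;;`), which PHP accepts as an empty statement but reads as a leftover edit. Apart from the removed spaces inside the parentheses the line is unchanged, so hesk_input() still runs on the message before hesk_newTicket() applies htmLawed(); if hesk_input() HTML-escapes its input (not visible here), the two filters interact and it is worth confirming that the rich-text path reaches htmLawed() with markup intact. Suggested line: `$tmpvar['message'] = hesk_input(hesk_POST('message')) or $hesk_error_buffer['message']=$hesklang['enter_message'];`.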