From 8c3324ead691b636eacbf77af5b39e90a49cffcc Mon Sep 17 00:00:00 2001
From: Mike Koch
Date: Sat, 29 Aug 2015 22:26:44 -0400
Subject: [PATCH 1/2] #334 Fix escaping on ticket templates page

---
 admin/manage_ticket_templates.php | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/admin/manage_ticket_templates.php b/admin/manage_ticket_templates.php
index 8ff7d655..caa31ae0 100644
--- a/admin/manage_ticket_templates.php
+++ b/admin/manage_ticket_templates.php
@@ -133,7 +133,9 @@ $num = hesk_dbNumRows($result);
 $options .= '>'.$mysaved['title'].'';
 if ($modsForHesk_settings['rich_text_for_tickets']) {
- $javascript_messages.='myMsgTxt['.$mysaved['id'].']=\''.str_replace("\r\n","\\r\\n' + \r\n'", html_entity_decode($mysaved['message'] ))."';\n";
+ $theMessage = html_entity_decode($mysaved['message']);
+ $theMessage = addslashes($theMessage);
+ $javascript_messages.='myMsgTxt['.$mysaved['id'].']=\''.str_replace("\r\n","\\r\\n' + \r\n'", $theMessage)."';\n";
 } else {
 $javascript_messages.='myMsgTxt['.$mysaved['id'].']=\''.str_replace("\r\n","\\r\\n' + \r\n'", addslashes($mysaved['message']) )."';\n";
 }

From 63f0199f9ea1450290fd2106ef1ab18599a2e2bb Mon Sep 17 00:00:00 2001
From: Mike Koch
Date: Sun, 30 Aug 2015 12:03:43 -0400
Subject: [PATCH 2/2] #334 Properly escape quotes in canned responses/ticket templates

---
 admin/admin_ticket.php | 4 +++-
 admin/manage_canned.php | 4 +++-
 admin/new_ticket.php | 4 +++-
 3 files changed, 9 insertions(+), 3 deletions(-)

diff --git a/admin/admin_ticket.php b/admin/admin_ticket.php
index 35aca09b..6023d5a0 100644
--- a/admin/admin_ticket.php
+++ b/admin/admin_ticket.php
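Review bot: The added `$theMessage = addslashes($theMessage);` stops a quote from ending the JS string literal, but because the value has just been through html_entity_decode() a template containing `&lt;/script&gt;` is emitted as a literal `</script>` inside the inline script that prints `$javascript_messages`, and the HTML parser closes the script element there regardless of JS quoting (template authors are presumably staff, so this is staff-to-staff stored XSS, but still worth closing). addslashes() likewise leaves U+2028/U+2029 and a lone `\n` or `\r` alone (the str_replace only rewrites `\r\n`), which breaks the literal even without hostile input. Building the literal with json_encode and the hex flags handles all of these and makes the `\r\n' + \r\n'` splicing unnecessary: `$javascript_messages .= 'myMsgTxt['.$mysaved['id'].']='.json_encode($theMessage, JSON_HEX_TAG | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_HEX_AMP).";\n";` — json_encode returns false on invalid UTF-8, so this presumes the stored message is UTF-8. This file calls the bare html_entity_decode() while the three files in the second patch call hesk_html_entity_decode(); the wrapper is not visible here, so confirm the two decode identically (the builtin's default charset and quote flags vary across PHP versions). The loop that assigns `$mysaved` starts before the hunk.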
@@ -1973,7 +1973,9 @@ function hesk_printCanned() {
 $can_options .= '\n";
 if ($modsForHesk_settings['rich_text_for_tickets']) {
- echo 'myMsgTxt['.$mysaved[0].']=\''.str_replace("\r\n","\\r\\n' + \r\n'", hesk_html_entity_decode($mysaved[2]))."';\n";
+ $theMessage = hesk_html_entity_decode($mysaved[2]);
+ $theMessage = addslashes($theMessage);
+ echo 'myMsgTxt['.$mysaved[0].']=\''.str_replace("\r\n","\\r\\n' + \r\n'", $theMessage)."';\n";
 } else {
 echo 'myMsgTxt['.$mysaved[0].']=\''.str_replace("\r\n","\\r\\n' + \r\n'", addslashes($mysaved[2]))."';\n";
 }
diff --git a/admin/manage_canned.php b/admin/manage_canned.php
index 19c38d66..b851c67a 100644
--- a/admin/manage_canned.php
+++ b/admin/manage_canned.php
@@ -161,7 +161,9 @@ function hesk_insertAtCursor(myField, myValue) {
 $javascript_titles.='myTitle['.$mysaved['id'].']=\''.addslashes($mysaved['title'])."';\n";
 if ($modsForHesk_settings['rich_text_for_tickets']) {
- $javascript_messages.='myMsgTxt['.$mysaved['id'].']=\''.str_replace("\r\n","\\r\\n' + \r\n'", hesk_html_entity_decode($mysaved['message']) )."';\n";
+ $theMessage = hesk_html_entity_decode($mysaved['message']);
+ $theMessage = addslashes($theMessage);
+ $javascript_messages.='myMsgTxt['.$mysaved['id'].']=\''.str_replace("\r\n","\\r\\n' + \r\n'", $theMessage )."';\n";
 } else {
 $javascript_messages.='myMsgTxt['.$mysaved['id'].']=\''.str_replace("\r\n","\\r\\n' + \r\n'", addslashes($mysaved['message']) )."';\n";
 }
diff --git a/admin/new_ticket.php b/admin/new_ticket.php
index 6b266304..b50c7b41 100644
--- a/admin/new_ticket.php
+++ b/admin/new_ticket.php
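Review bot: The `echo` in the added line still writes `$theMessage` straight into a `<script>` body, so addslashes() does not stop a canned response whose decoded text contains `</script>` from closing the script element and injecting markup into admin_ticket.php for whoever opens the ticket. Because hesk_html_entity_decode() runs first, an entity-encoded `&lt;/script&gt;` stored through the canned-response editor becomes exactly that sequence here (the editor is outside this patch, so whether it can store such a value is an assumption to verify). `$mysaved[0]` is also spliced in as the JS array index with no escaping at all; if it is the integer row id a cast documents that, otherwise it needs the same treatment as the message. One line covers both and drops the `\r\n` str_replace, since json_encode escapes newlines itself: `echo 'myMsgTxt['.(int)$mysaved[0].']='.json_encode($theMessage, JSON_HEX_TAG | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_HEX_AMP).";\n";`. hesk_printCanned() starts and ends outside the hunk.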
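Review bot: The added addslashes() call in manage_canned.php leaves the message's line structure to the following `str_replace("\r\n", ...)`, which only handles CRLF; a message with a bare `\n`, or with the U+2028/U+2029 separators that older JS engines treat as line terminators, becomes an unterminated string literal and the resulting syntax error stops the whole inline script, not just that one `myMsgTxt` entry. It also does not touch `<`, so after hesk_html_entity_decode() a `</script>` sequence in the message terminates the inline script regardless of the quoting. json_encode with the hex flags produces a literal that is safe on both counts: `$javascript_messages .= 'myMsgTxt['.$mysaved['id'].']='.json_encode($theMessage, JSON_HEX_TAG | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_HEX_AMP).";\n";`. The context line building `$javascript_titles` uses the same addslashes-only pattern for the title and would benefit from the same treatment, ideally through one shared helper rather than another copy. The loop that populates `$mysaved` starts before the hunk.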
@@ -572,7 +572,9 @@ if (!$show['show']) {
 {
 $can_options .= '\n";
 if ($modsForHesk_settings['rich_text_for_tickets']) {
- echo 'myMsgTxt['.$mysaved[0].']=\''.str_replace("\r\n","\\r\\n' + \r\n'", hesk_html_entity_decode($mysaved[2]))."';\n";
+ $theMessage = hesk_html_entity_decode($mysaved[2]);
+ $theMessage = addslashes($theMessage);
+ echo 'myMsgTxt['.$mysaved[0].']=\''.str_replace("\r\n","\\r\\n' + \r\n'", $theMessage)."';\n";
 } else {
 echo 'myMsgTxt['.$mysaved[0].']=\''.str_replace("\r\n","\\r\\n' + \r\n'", addslashes($mysaved[2]))."';\n";
 }
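Review bot: This is the fourth copy of the same three-line decode-then-addslashes sequence across the two patches (manage_ticket_templates.php, admin_ticket.php, manage_canned.php and here), and every copy has the same gap: addslashes() does not neutralise `</script>`, so an entity-decoded message can still terminate the inline script on the new-ticket page. I would replace the sequence in all four places with one shared JS-literal helper in the common include, e.g. `function hesk_jsString($s) { return json_encode($s, JSON_HEX_TAG | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_HEX_AMP); }`, and write `echo 'myMsgTxt['.$mysaved[0].']='.hesk_jsString(hesk_html_entity_decode($mysaved[2])).";\n";` here, which also removes the `\r\n' + \r\n'` splice. If the project must still run on PHP older than 5.3 the JSON_HEX_* constants are unavailable, and json_encode also requires valid UTF-8 input; both are worth checking against the project's stated requirements, which this patch does not show. The `{` context line at the top belongs to a block whose opening statement is outside the hunk.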