AS1024
/
itflow
mirror of https://github.com/itflow-org/itflow
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Revert for now added HTML Purify to client tickets as well

This commit is contained in:
johnnyq 2023-05-08 14:38:42 -04:00
parent eb9a8000b1
commit 018f52eb67
4 changed files with 16 additions and 7 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

9
client_tickets.php
View File

@ -6,6 +6,12 @@ $o = "DESC";
require_once("inc_all_client.php");
//Initialize the HTML Purifier to prevent XSS
require("plugins/htmlpurifier/HTMLPurifier.standalone.php");
$purifier_config = HTMLPurifier_Config::createDefault();
$purifier_config->set('URI.AllowedSchemes', ['data' => true, 'src' => true, 'http' => true, 'https' => true]);
$purifier = new HTMLPurifier($purifier_config);
//Rebuild URL
$url_query_strings_sb = http_build_query(array_merge($_GET, array('sb' => $sb, 'o' => $o)));
@ -82,8 +88,7 @@ $num_rows = mysqli_fetch_row(mysqli_query($mysqli, "SELECT FOUND_ROWS()"));
$ticket_prefix = htmlentities($row['ticket_prefix']);
$ticket_number = htmlentities($row['ticket_number']);
$ticket_subject = htmlentities($row['ticket_subject']);
$ticket_details = htmlentities($row['ticket_details']);
$ticket_details_edit = $row['ticket_details']; // HTML Entities is used in the edit modal this is because tickets and ticket details share the edit modal and to prevent double html encoding causing output yuck
$ticket_details = $purifier->purify($row['ticket_details']);
$ticket_priority = htmlentities($row['ticket_priority']);
$ticket_status = htmlentities($row['ticket_status']);
$ticket_created_at = htmlentities($row['ticket_created_at']);

3
ticket.php
View File

@ -44,8 +44,7 @@ if (isset($_GET['ticket_id'])) {
$ticket_number = intval($row['ticket_number']);
$ticket_category = htmlentities($row['ticket_category']);
$ticket_subject = htmlentities($row['ticket_subject']);
$ticket_details = $purifier->purify($row['ticket_details']); // We use Purify so HTML can be rendered securely on this page
$ticket_details_edit = $row['ticket_details']; // HTML Entities is used in the edit modal this is because tickets and ticket details share the edit modal and to prevent double html encoding causing output yuck
$ticket_details = $purifier->purify($row['ticket_details']);
$ticket_priority = htmlentities($row['ticket_priority']);
//Set Ticket Bage Color based of priority
if ($ticket_priority == "High") {

2
ticket_edit_modal.php
View File

@ -45,7 +45,7 @@
</div>
<div class="form-group">
<textarea class="form-control summernote" rows="8" name="details" required><?php echo htmlentities($ticket_details_edit); ?></textarea>
<textarea class="form-control summernote" rows="8" name="details" required><?php echo htmlentities($ticket_details); ?></textarea>
</div>
<div class="form-group">

9
tickets.php
View File

@ -6,6 +6,12 @@ $o = "DESC";
require_once("inc_all.php");
//Initialize the HTML Purifier to prevent XSS
require("plugins/htmlpurifier/HTMLPurifier.standalone.php");
$purifier_config = HTMLPurifier_Config::createDefault();
$purifier_config->set('URI.AllowedSchemes', ['data' => true, 'src' => true, 'http' => true, 'https' => true]);
$purifier = new HTMLPurifier($purifier_config);
// Ticket status from GET
if (!isset($_GET['status'])) {
// If nothing is set, assume we only want to see open tickets
@ -261,8 +267,7 @@ $user_active_assigned_tickets = intval($row['total_tickets_assigned']);
$ticket_prefix = htmlentities($row['ticket_prefix']);
$ticket_number = intval($row['ticket_number']);
$ticket_subject = htmlentities($row['ticket_subject']);
$ticket_details = htmlentities($row['ticket_details']);
$ticket_details_edit = $row['ticket_details']; // HTML Entities is used in the edit modal this is because tickets and ticket details share the edit modal and to prevent double html encoding causing output yuck
$ticket_details = $purifier->purify($row['ticket_details']);
$ticket_priority = htmlentities($row['ticket_priority']);
$ticket_status = htmlentities($row['ticket_status']);
$ticket_created_at = htmlentities($row['ticket_created_at']);