diff --git a/client_tickets.php b/client_tickets.php
index ee43dce1..ff7c4cb0 100644
--- a/client_tickets.php
+++ b/client_tickets.php
@@ -6,6 +6,12 @@ $o = "DESC";
require_once("inc_all_client.php");
+//Initialize the HTML Purifier to prevent XSS
+require("plugins/htmlpurifier/HTMLPurifier.standalone.php");
+$purifier_config = HTMLPurifier_Config::createDefault();
+$purifier_config->set('URI.AllowedSchemes', ['data' => true, 'src' => true, 'http' => true, 'https' => true]);
+$purifier = new HTMLPurifier($purifier_config);
+
//Rebuild URL
$url_query_strings_sb = http_build_query(array_merge($_GET, array('sb' => $sb, 'o' => $o)));
@@ -82,8 +88,7 @@ $num_rows = mysqli_fetch_row(mysqli_query($mysqli, "SELECT FOUND_ROWS()"));
$ticket_prefix = htmlentities($row['ticket_prefix']);
$ticket_number = htmlentities($row['ticket_number']);
$ticket_subject = htmlentities($row['ticket_subject']);
- $ticket_details = htmlentities($row['ticket_details']);
- $ticket_details_edit = $row['ticket_details']; // HTML Entities is used in the edit modal this is because tickets and ticket details share the edit modal and to prevent double html encoding causing output yuck
+ $ticket_details = $purifier->purify($row['ticket_details']);
$ticket_priority = htmlentities($row['ticket_priority']);
$ticket_status = htmlentities($row['ticket_status']);
$ticket_created_at = htmlentities($row['ticket_created_at']);
diff --git a/ticket.php b/ticket.php
index 842a30bc..456c8614 100644
--- a/ticket.php
+++ b/ticket.php
@@ -44,8 +44,7 @@ if (isset($_GET['ticket_id'])) {
$ticket_number = intval($row['ticket_number']);
$ticket_category = htmlentities($row['ticket_category']);
$ticket_subject = htmlentities($row['ticket_subject']);
- $ticket_details = $purifier->purify($row['ticket_details']); // We use Purify so HTML can be rendered securely on this page
- $ticket_details_edit = $row['ticket_details']; // HTML Entities is used in the edit modal this is because tickets and ticket details share the edit modal and to prevent double html encoding causing output yuck
+ $ticket_details = $purifier->purify($row['ticket_details']);
$ticket_priority = htmlentities($row['ticket_priority']);
//Set Ticket Bage Color based of priority
if ($ticket_priority == "High") {
diff --git a/ticket_edit_modal.php b/ticket_edit_modal.php
index ea4f3381..e245648a 100644
--- a/ticket_edit_modal.php
+++ b/ticket_edit_modal.php
@@ -45,7 +45,7 @@
-
+
diff --git a/tickets.php b/tickets.php
index 68904f35..5f2a4ec0 100644
--- a/tickets.php
+++ b/tickets.php
@@ -6,6 +6,12 @@ $o = "DESC";
require_once("inc_all.php");
+//Initialize the HTML Purifier to prevent XSS
+require("plugins/htmlpurifier/HTMLPurifier.standalone.php");
+$purifier_config = HTMLPurifier_Config::createDefault();
+$purifier_config->set('URI.AllowedSchemes', ['data' => true, 'src' => true, 'http' => true, 'https' => true]);
+$purifier = new HTMLPurifier($purifier_config);
+
// Ticket status from GET
if (!isset($_GET['status'])) {
// If nothing is set, assume we only want to see open tickets
@@ -261,8 +267,7 @@ $user_active_assigned_tickets = intval($row['total_tickets_assigned']);
$ticket_prefix = htmlentities($row['ticket_prefix']);
$ticket_number = intval($row['ticket_number']);
$ticket_subject = htmlentities($row['ticket_subject']);
- $ticket_details = htmlentities($row['ticket_details']);
- $ticket_details_edit = $row['ticket_details']; // HTML Entities is used in the edit modal this is because tickets and ticket details share the edit modal and to prevent double html encoding causing output yuck
+ $ticket_details = $purifier->purify($row['ticket_details']);
$ticket_priority = htmlentities($row['ticket_priority']);
$ticket_status = htmlentities($row['ticket_status']);
$ticket_created_at = htmlentities($row['ticket_created_at']);