From 66259c295bccc4c640992bae3bd4e40cdff638c9 Mon Sep 17 00:00:00 2001
From: Marcus Hill <bcf8c9f2@opayq.com>
Date: Mon, 2 Jan 2023 15:54:37 +0000
Subject: [PATCH] Escape potential HTML data from ticket fields

---
 portal/ticket_view_all.php | 17 ++++++++++++-----
 1 file changed, 12 insertions(+), 5 deletions(-)

diff --git a/portal/ticket_view_all.php b/portal/ticket_view_all.php
index 7dc48a2a..2166e3fd 100644
--- a/portal/ticket_view_all.php
+++ b/portal/ticket_view_all.php
@@ -55,12 +55,19 @@ $all_tickets = mysqli_query($mysqli, "SELECT * FROM tickets LEFT JOIN contacts O
         <tbody>
 
         <?php
-        while ($ticket = mysqli_fetch_array($all_tickets)) {
+        while ($row = mysqli_fetch_array($all_tickets)) {
+            $ticket_id = $row['ticket_id'];
+            $ticket_prefix = htmlentities($row['ticket_prefix']);
+            $ticket_number = $row['ticket_number'];
+            $ticket_subject = htmlentities($row['ticket_subject']);
+            $ticket_status = htmlentities($row['ticket_status']);
+            $ticket_contact_name = htmlentities($row['contact_name']);
+            
             echo "<tr>";
-            echo "<td> <a href='ticket.php?id=$ticket[ticket_id]'> $ticket[ticket_prefix]$ticket[ticket_id]</a></td>";
-            echo "<td> <a href='ticket.php?id=$ticket[ticket_id]'> $ticket[ticket_subject]</a></td>";
-            echo "<td>$ticket[contact_name]</td>";
-            echo "<td>$ticket[ticket_status]</td>";
+            echo "<td> <a href='ticket.php?id=$ticket_id'> $ticket_prefix$ticket_id</a></td>";
+            echo "<td> <a href='ticket.php?id=$ticket_id'> $ticket_subject</a></td>";
+            echo "<td>$ticket_contact_name</td>";
+            echo "<td>$ticket_status</td>";
             echo "</tr>";
         }
         ?>