From 79dc34da9202ff6ffea24439debb10459d140949 Mon Sep 17 00:00:00 2001
From: Marcus Hill
Date: Mon, 2 Jan 2023 13:48:16 +0000
Subject: [PATCH] Escape potential HTML characters in usernames (ticket collision detection)

---
 ajax.php | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/ajax.php b/ajax.php
index 52c5d5c6..8f54e5eb 100644
--- a/ajax.php
+++ b/ajax.php
@@ -190,10 +190,10 @@ if (isset($_GET['ticket_query_views'])) {
 $users = array_unique($users);
 if (count($users) > 1) {
 // Multiple viewers
- $response['message'] = implode(", ", $users) . " are viewing this ticket.";
+ $response['message'] = htmlentities(implode(", ", $users) . " are viewing this ticket.");
 } else {
 // Single viewer
- $response['message'] = implode("", $users) . " is viewing this ticket.";
+ $response['message'] = htmlentities(implode("", $users) . " is viewing this ticket.");
 }
 } else {
 // No viewers
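Review bot: `htmlentities()` is called with default flags on both added lines, so the escaping depends on the PHP version: before 8.1 the default is ENT_COMPAT and single quotes pass through unescaped, and on an invalid UTF-8 byte sequence in a username the call returns an empty string, silently blanking the whole message. Pass the flags explicitly on both lines, `htmlentities(..., ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8')`, so the result is the same on every supported version; `htmlspecialchars()` with the same flags is sufficient for this context and keeps non-ASCII usernames readable instead of turning every accented character into a named entity. Whether escaping belongs at this point at all depends on how the client inserts `$response['message']` — if it is assigned via `textContent` rather than as HTML, this double-encodes, which cannot be confirmed from the hunk. The enclosing `if (isset($_GET['ticket_query_views']))` block starts and ends outside the hunk.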