From 819670653857d625c4b14b0167e8ce447bb8f678 Mon Sep 17 00:00:00 2001
From: johnnyq
Date: Thu, 26 Jun 2025 17:13:27 -0400
Subject: [PATCH] Ticket API: Allow HTML into ticket Content and allow inserting asset_id
---
 api/v1/tickets/create.php | 2 +-
 api/v1/tickets/ticket_model.php | 10 +++++++++-
 2 files changed, 10 insertions(+), 2 deletions(-)
diff --git a/api/v1/tickets/create.php b/api/v1/tickets/create.php
index c5656319..6d059718 100644
--- a/api/v1/tickets/create.php
+++ b/api/v1/tickets/create.php
@@ -39,7 +39,7 @@ if (!empty($subject)) {
 // Insert ticket
 $url_key = randomString(156);
- $insert_sql = mysqli_query($mysqli,"INSERT INTO tickets SET ticket_prefix = '$config_ticket_prefix', ticket_number = $ticket_number, ticket_source = 'API', ticket_subject = '$subject', ticket_details = '$details', ticket_priority = '$priority', ticket_status = 1, ticket_billable = $billable, ticket_vendor_ticket_number = '$vendor_ticket_number', ticket_vendor_id = $vendor_id, ticket_created_by = 0, ticket_assigned_to = $assigned_to, ticket_contact_id = $contact, ticket_url_key = '$url_key', ticket_client_id = $client_id");
+ $insert_sql = mysqli_query($mysqli,"INSERT INTO tickets SET ticket_prefix = '$config_ticket_prefix', ticket_number = $ticket_number, ticket_source = 'API', ticket_subject = '$subject', ticket_details = '$details', ticket_priority = '$priority', ticket_status = 1, ticket_billable = $billable, ticket_vendor_ticket_number = '$vendor_ticket_number', ticket_vendor_id = $vendor_id, ticket_created_by = 0, ticket_assigned_to = $assigned_to, ticket_contact_id = $contact, ticket_asset_id = $asset, ticket_url_key = '$url_key', ticket_client_id = $client_id");
 // Check insert & get insert ID
 if ($insert_sql) {
diff --git a/api/v1/tickets/ticket_model.php b/api/v1/tickets/ticket_model.php
index fae861f8..633e6905 100644
--- a/api/v1/tickets/ticket_model.php
+++ b/api/v1/tickets/ticket_model.php
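Review bot: `ticket_asset_id = $asset` is inserted without any check that the asset belongs to `$client_id`, so an API caller can attach an arbitrary, guessable asset ID to a ticket on its own client; the `intval()` applied in ticket_model.php only protects the SQL statement, not the reference. If assets are client-scoped (which the `ticket_client_id` column suggests but this hunk does not prove), a lookup before the INSERT should reject foreign IDs, e.g. `SELECT asset_id FROM assets WHERE asset_id = $asset AND asset_client_id = $client_id` with `$asset = 0;` when no row matches, using whatever the real column names are. The enclosing `if (!empty($subject))` block starts and ends outside the hunk.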
@@ -10,6 +10,14 @@ if (isset($_POST['ticket_contact_id'])) {
 $contact = '0';
 }
+if (isset($_POST['ticket_asset_id'])) {
+ $asset = intval($_POST['ticket_asset_id']);
+} elseif ($ticket_row) {
+ $asset = $ticket_row['ticket_asset_id'];
+} else {
+ $asset = '0';
+}
+
 if (isset($_POST['ticket_subject'])) {
 $subject = sanitizeInput($_POST['ticket_subject']);
 } elseif ($ticket_row) {
@@ -29,7 +37,7 @@ if (isset($_POST['ticket_priority'])) {
 if (isset($_POST['ticket_details'])) {
- $details = sanitizeInput($_POST['ticket_details']) . "
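Review bot: The `elseif ($ticket_row)` branch copies `$ticket_row['ticket_asset_id']` through unconverted, while `$asset` is later interpolated unquoted into SQL (`ticket_asset_id = $asset` in create.php); if that column is nullable, a NULL row value becomes an empty string and breaks the statement, and the string `'0'` default is inconsistent with the `intval()` branch. Normalising all three branches to an integer avoids both problems: `$asset = intval($ticket_row['ticket_asset_id']);` and `$asset = 0;`. A comment on the block would also help, e.g. `// Asset to link; 0 means none. Always an int because it is interpolated unquoted into the ticket INSERT/UPDATE.` The whole file is a flat statement run, so this block is complete within the hunk.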
";
+ $details = mysqli_escape_string($mysqli, $_POST['ticket_details'] . "
");
 } elseif ($ticket_row) {
 $details = $ticket_row['ticket_details'];
 } else {
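Review bot: Replacing `sanitizeInput()` with `mysqli_escape_string()` on the `ticket_details` line makes the value safe only for the SQL statement; any HTML or script an API caller sends is now stored verbatim, so every page that renders `ticket_details` becomes a stored-XSS sink unless it already passes the field through an allow-list HTML sanitizer (nothing in this patch shows that it does, and the API path creates the ticket with `ticket_created_by = 0`, i.e. outside any user session). The safer shape is to run the body through the same HTML sanitizer the web ticket form uses before escaping, e.g. `$details = mysqli_escape_string($mysqli, sanitizeHtml($_POST['ticket_details']) . "\n");` with whatever that helper is actually called; if raw HTML storage is intentional, the line needs a comment such as `// Stored as raw HTML on purpose; must be sanitized wherever ticket_details is rendered`. The `else` branch of this if/elseif/else chain continues past the end of the hunk.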