From b5ae7b3d8644d75d78c95b5eb40e8f7a7732f513 Mon Sep 17 00:00:00 2001 From: johnnyq Date: Sat, 11 Mar 2023 21:24:35 -0500 Subject: [PATCH] Used HTMLPUrify to Purify the output of Tickets, Documents, Document Templates. Removed Redundant htmlentities in edit document edit ticket etc, Removed Company ID from Document Template Details --- client_document_details.php | 9 ++++++++- client_document_edit_modal.php | 2 +- client_document_template_details.php | 11 ++++++++--- client_document_template_edit_modal.php | 2 +- client_tickets.php | 2 +- ...14918a13a428a8482a8a449792a5a8747582b5,1.ser | Bin 0 -> 29975 bytes post.php | 1 + ticket.php | 12 ++++++++++-- 8 files changed, 30 insertions(+), 9 deletions(-) create mode 100644 plugins/htmlpurifier/standalone/HTMLPurifier/DefinitionCache/Serializer/CSS/4.15.0,4114918a13a428a8482a8a449792a5a8747582b5,1.ser diff --git a/client_document_details.php b/client_document_details.php index 79add887..09810852 100644 --- a/client_document_details.php +++ b/client_document_details.php @@ -2,6 +2,12 @@ require_once("inc_all_client.php"); +//Initialize the HTML Purifier to prevent XSS +require("plugins/htmlpurifier/HTMLPurifier.standalone.php"); +$purifier_config = HTMLPurifier_Config::createDefault(); +$purifier_config->set('URI.AllowedSchemes', ['data' => true, 'src' => true, 'http' => true, 'https' => true]); +$purifier = new HTMLPurifier($purifier_config); + if (isset($_GET['document_id'])) { $document_id = intval($_GET['document_id']); } 
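Review bot: The `URI.AllowedSchemes` override on the new `$purifier_config->set(...)` line lists `'src'`, which is not a URI scheme (HTMLPurifier resolves schemes to handler classes by name, so that entry is presumably a no-op), and replacing the default list also drops schemes such as `mailto` that documents may legitimately link to; `'data'` is worth a second look too, since it is only safe here if HTMLPurifier's data-scheme validator really limits it to image payloads — worth confirming against the bundled 4.15.0 code. The same five-line initialisation is repeated verbatim in the `client_document_template_details.php` and `ticket.php` hunks, while the `post.php` hunk shows `$purifier` already in scope there, so the setup belongs in one shared include rather than per page, with a comment stating why the scheme list differs from the defaults. The diffstat also shows a generated `DefinitionCache/Serializer/CSS/...1.ser` file being committed from inside the web-served plugin tree, which means the web server is writing HTMLPurifier's runtime cache into the library directory; set `Cache.SerializerPath` to a writable directory outside the document root (or `Cache.DefinitionImpl` to `null`) and keep that cache out of version control.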
@@ -13,7 +19,8 @@ $row = mysqli_fetch_array($sql_document); $folder_name = htmlentities($row['folder_name']); $document_name = htmlentities($row['document_name']); -$document_content = $row['document_content']; +$document_content = $purifier->purify(html_entity_decode($row['document_content'])); +//$document_content = $row['document_content']; $document_created_at = htmlentities($row['document_created_at']); $document_updated_at = htmlentities($row['document_updated_at']); $document_folder_id = intval($row['document_folder_id']); diff --git a/client_document_edit_modal.php b/client_document_edit_modal.php index 3c0d969a..3abec2ba 100644 --- a/client_document_edit_modal.php +++ b/client_document_edit_modal.php @@ -17,7 +17,7 @@
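Review bot: The commented-out fallback `//$document_content = $row['document_content'];` kept next to the new `$purifier->purify(html_entity_decode(...))` line should be deleted rather than preserved, and the same commented-out remnants appear in the `client_document_template_details.php` hunk and in both `ticket.php` hunks (-38 and -313). The decode-before-purify order is load-bearing and deserves a comment, because reversing it would reintroduce markup after sanitisation: `// decode stored entities first so the purifier sees the real markup; purify must be the last step before output`. Since the `post.php` context shows content is already purified on write, this output-side pass is presumably defence in depth for rows stored before that existed, which is also worth stating in that comment. For behaviour that does not depend on the PHP version's default flags, pass them explicitly: `html_entity_decode($row['document_content'], ENT_QUOTES | ENT_HTML5, 'UTF-8')`.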
- +
diff --git a/client_document_template_details.php b/client_document_template_details.php index f4f90bf2..b1ac6a4d 100644 --- a/client_document_template_details.php +++ b/client_document_template_details.php @@ -2,18 +2,23 @@ require_once("inc_all_client.php"); +//Initialize the HTML Purifier to prevent XSS +require("plugins/htmlpurifier/HTMLPurifier.standalone.php"); +$purifier_config = HTMLPurifier_Config::createDefault(); +$purifier_config->set('URI.AllowedSchemes', ['data' => true, 'src' => true, 'http' => true, 'https' => true]); +$purifier = new HTMLPurifier($purifier_config); if (isset($_GET['document_id'])) { $document_id = intval($_GET['document_id']); } - -$sql_document = mysqli_query($mysqli, "SELECT * FROM documents WHERE document_template = 1 AND document_id = $document_id AND documents.company_id = $session_company_id"); +$sql_document = mysqli_query($mysqli, "SELECT * FROM documents WHERE document_template = 1 AND document_id = $document_id"); $row = mysqli_fetch_array($sql_document); $document_name = htmlentities($row['document_name']); -$document_content = $row['document_content']; +$document_content = $purifier->purify(html_entity_decode($row['document_content'])); +//$document_content = $row['document_content']; $document_created_at = htmlentities($row['document_created_at']); $document_updated_at = htmlentities($row['document_updated_at']); diff --git a/client_document_template_edit_modal.php b/client_document_template_edit_modal.php index 2ce6a87c..b5fd252c 100644 --- a/client_document_template_edit_modal.php +++ b/client_document_template_edit_modal.php @@ -16,7 +16,7 @@
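Review bot: The rewritten `$sql_document` query drops `AND documents.company_id = $session_company_id`, so `document_id`, which comes straight from `$_GET` (only `intval`'d), now selects any template row regardless of the requesting client's company; if templates are tenant-scoped in this schema (the removed clause referenced a `company_id` column on the same table) this is a cross-company read that any client-portal user can reach by iterating ids. If templates are intentionally global, say so in a comment above the query and confirm that the template edit modal and the corresponding `post.php` handlers apply the same rule on writes; otherwise restore the clause: `$sql_document = mysqli_query($mysqli, "SELECT * FROM documents WHERE document_template = 1 AND document_id = $document_id AND documents.company_id = $session_company_id");`. Separately, `$document_id` is undefined when the query parameter is absent, which predates this change but is worth an early `if (!isset($_GET['document_id'])) { exit; }`-style guard since the query is now less constrained. The duplicated purifier setup at the top of this hunk is covered in the note on the first hunk.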
- +
diff --git a/client_tickets.php b/client_tickets.php index 06846e68..eee2140a 100644 --- a/client_tickets.php +++ b/client_tickets.php @@ -82,7 +82,7 @@ $num_rows = mysqli_fetch_row(mysqli_query($mysqli, "SELECT FOUND_ROWS()")); $ticket_prefix = htmlentities($row['ticket_prefix']); $ticket_number = htmlentities($row['ticket_number']); $ticket_subject = htmlentities($row['ticket_subject']); - $ticket_details = $row['ticket_details']; + $ticket_details = htmlentities($row['ticket_details']); $ticket_priority = htmlentities($row['ticket_priority']); $ticket_status = htmlentities($row['ticket_status']); $ticket_created_at = htmlentities($row['ticket_created_at']); 
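Review bot: The new `$ticket_details = htmlentities($row['ticket_details']);` escapes a field that the `ticket.php` hunks treat as stored HTML, so in this listing the tags will presumably appear literally as text (`<p>`, `<br>`) unless the template strips them again; if this column is used as a preview, `htmlentities(strip_tags(html_entity_decode($row['ticket_details'])), ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8')` gives a readable, still-escaped excerpt. Even if it is not, pass the flags and charset explicitly: on PHP before 8.1 the default leaves single quotes unencoded, which matters the moment this value lands in a single-quoted attribute such as a tooltip. The surrounding `while` loop over `$row` starts outside the hunk, so where `$ticket_details` is finally rendered is not visible here.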
diff --git a/plugins/htmlpurifier/standalone/HTMLPurifier/DefinitionCache/Serializer/CSS/4.15.0,4114918a13a428a8482a8a449792a5a8747582b5,1.ser b/plugins/htmlpurifier/standalone/HTMLPurifier/DefinitionCache/Serializer/CSS/4.15.0,4114918a13a428a8482a8a449792a5a8747582b5,1.ser new file mode 100644 index 0000000000000000000000000000000000000000..098257e1910d7685c89faf2f4e4907f49140bfa7 GIT binary patch literal 29975 zcmeHQ)pO%Yv;Y2-TY0=ysfv@`fcHsYkS$BHB;(5|v1E%`{_0d+W@ct)W@ct)W@f&( zN3xvc#MvyI=Z=yx$ z?MfoS+uE8QA3U+j`M`*wWtipPh-N@%MRQ{77(Zn+R?LQ<{iMFCxLAJKgpq zkSq^{h9`T3_ETy20%{LXgzmXbi_LpS5hdwhAG%)XNH$_AglnL|iUDsZr~$Dc=nhY| ztsp7&)A5U_ACO!n0aGco0A4*D?mI@@cY}loc1A!_`%sa50BnekFTi#nNo_0IvfZKY zA$SH5`N3@6ns|V9EVX1V#D9q00PJjAUWjlY<*pE}vJ)PPyesV*5OAs$l{<91Wfdy~ z?Y&F))(ypYhX_Ja3T6eM{MNUh@YM66JRlF)m%bE6$PR_xK@(i-9eU)d zyX|tqTZSMk8wEPn}d;o2{`>yK=I4(y8t3^f=K8Cc*6I7I}1bY8j=;NoI? z@%X5|Xw?_T^~Fhj@uh2!Zydcc%{MQ1 zndZov8u41>CBV&6#xvE67N-!bu@qvq4e=Qm#l-03R|#t#FbLAwNE35 z?bdOra&E&p@Bl0-XqmnG0Pa2lFbd?pNlp;ArQ0tKB{$Lm-Zn_mCR~3AU;?x(ar&lI z@(2b19ZS`X+<7$;K(s|#zHZyvkhOY#K^s!>Z19aXsFLA*uL=LFUR$D^%yY3Q=r~}} zEoNccC%{3sc8?*zGexe~=TrHJ=V1__^c${bNLM_ods!BET$YqII0h3}J!}^9R9k7^ zMuNS3Wmci)YY)kHQ2Jkh@b!CD25{-vM=yFEz*1BhLRoi%x5_D7+m=4qI~#sxk z>#0I=3&zo-&n1Xk)kqK&lOYti4W2#qb(!+f=N#pBQM^|c!{b-DD}tzFgB$Xm%}>B% zjhLU0x8|pm#1N3JBrDKWfv^`Khn;6p0l%t*_;44aEF-~{I}(9E&_I@JYN1s|!yet` zPN9K1(756%5Q5!2V(W$%#7MkFF?88|wJMii4mj;&!5Y2KBDBXKbfT-lmT^SIqw~E8eQY#DLspiPr zm)3UA*tDt8Na>SAK0>oXp4%9jqp22T=WW3$Felts))h2;HkEvjb{bpmr)yH9w*2bX zLEa{m1_`q`LjPA1A%V=wIzbWn4dE#(0)G}tP%Evy>(<}?ori?M6@Aw%--Yc*5F*&8 zhHvP*S7lVm&gj?en3{X6jtf(C;$xLB0t=uQ+M%gcM^PS1(iTJt8}XXok9>U_ zV-j)kz^qb6^Y$_CXpMvzJ+w>vh*}cdSP)OsxieuQY*8+KUHoK5nu>ww- zGN4!49kB#4in7Lu<&;<35FR{fis&9FsD=Uy_sNNksPyL;1W4LCKDrS_g}eulwU8zY zLDrk0RPc(?Ypfta3$OK&RPTeyMuT{*=Vp$+! 
zZybq!tzv+S-gy;M9@+trawQdi8|u5VIqy8TgYedCz4MakSg-XCN@RUTSN*=Y_1neE zz|1$iyw$W0n^rbwCn!dKV>SqpLIJJU$_BCr-ddUQwX%6-?U@=F)<@EJn&#zz;cMOV z(y73&bD|&1xnz$sfwVbbjw1~DO5|c?{6Hwk0dK#su`xWTHB86`9T=PNt)%wMv^2rBqXVlCh3wPnUW=~q_t#AP*P0t zBwq@oP>Q5jN~BcEq+BYbjV#HstjMaY$+~RFrfkV8c`e(rBfGLE`*I+MawNxcBBydD z=W-!$6iJa4MNt(^(G^266-!wuYsFR^1xiFIz7i;*5-G8gD5;Vuxl$+_RZ?YDQK5LR zs;h=-s+PJ^*Q%{Ls;hdcuLf$UMry1kYN}>xt`_P>lQdaVG*#0yT{ASW+qIRp)@%)` zGH4!@zX&u`S}N8OE!8qD*9vW;OS-Hpx~glst{b|kTlz|0>$dLbP>fpl^*|5xNRRbI zPxVaC^+Mkmk|7(40X2UO-7pN(u#APlPbD`RD@tkr6@UfC;W<*vMyzY132 zDq6*>WRv)~4({;Aa z*Ts5cOSWt)wrXp(ZX32~TlUIc+qUi4uI<^r9oV5A*|DA2sh!!mUDz8(a%4wwR7Z1k z$8b!?a#qgTu^q>89VpG_1WxEgPV6L3>SRvt6wbz#T-jAz)zw_xHC)rR+?Bg_ZP#&K z03E&?xS<=lv75N5o4L7LxEoLMWDjbOd77tthG%+~xAN9dXvXne&+~jQ@Io*0VlVMh zFY|J*@HW2W%f8~PzUJ$`;hVnYul%)d`;PDWp6~mCANr9W`-z|WnVBP&`(>&T9r$c?;VO}xZUf+S3$BuV>ZN`fq+uGRahjxQnx%PKq?=62jR@pkUGbeL1FY~h?3$rMT zvm{HiEX%VZ+vHL%=Sr^TTCV3tZsu0L%GbG_JGq;Cxt|Alm`8b>CwZD@d7c;frjQD` zPztrs3cWB2v#^R)u`cYwDcr&<{30mAA}Zn{DbgY<@}ej<7*3F#Zm&-bhV+PGxiK$@ zlj&@}SYjB4V+2NG9juG>us%j%18j)V*a%}V7UQrn#$y5|ViRnN&9FJPz?L|M<2Zqn zcn9y|J-m-o_y8Z`G(N%^oW(hOjPtmFi}(be;xl}XFYqOS5ja5*B+((dM33kb6fq!% z1Wk+xhF}Sf7!y1p5F#-lro@bx6ANNVVkAxyBuRG2F4-gdBt;I$AxV=Xk|9}=BgZ69 z3ZzI*$SFA^=j4K1cCZfKAv$EI)9H44oqmVv3_8OO-5GV54%^{6;||{uI$~$inRaHK zd1ujCcCjwrCAws{)9rS9-F}zq4!XlG-5qtAF5Bh0<1XJ7x?*?Iopxv4d3VuW_OKq_ zBYI@7)9dzny?&4C4SK^K-5d3o9^2!3;~w7=dSY+VoAzeCd2i8M_OU+RC;DW+)9?0s z{eGY75BkGC-5>RtKHKN|<38UP`eJ|5pY~_{d4JJgQW%9(1VvIEs!R2#K1ERjYDm%4 zh+-&~;;1pjQvxMY6KYD$s5!NumIG{n4~PLd=nT4p-k?9A27|$HKo3R(X21@(!Fa$A zgn>Ai45owGU_Mw3mP2fa4~Zc;>G(nSehwjonx=&N|fF9B`J)#+!r8#;`^Rz&V^n{+$GkQ)h=;a6-;Ui*1 zjyj|6s5k15sL^0F9MPlEh#9dXZZsb8BVi9ENM{*sm%k{WEM{xsg$kE)0V>p)MxG~3b0w;14ZpzKL zIk(`JV{D9%i7`3ujJxCBxId=GgYj@ok4Ix>%#OM7c+8K5u{fTLr{mdpK3AM!Lm;u)UhIeyIZyuge6grD*=e$FrWrGN>zKnSGJ5xPQ8=nIrE z5QYLRj08qt1x^?XydVgoFcGH0OqdG`VJTuFE)pUscEqmO6Z;}14#c5IizAT{S&<)-5)KNY6pbTXYzXVdv~F8_!fJkN%jC{kV_+girjWPyUoo{j^X2jL-b6&;Fdx{k+frf-n4{FaDA*{jx9rim&{t 
zul|~^{kpIJhHw0)Z~m5V{kCuaj_>@g@BW_e{l4%2fgk*#AO4Xa{jneaiJ$zbpZ=Mj z{kfn2g_(L0sUDWvO%YLz(jy=shHdEikzUs(op*oedz+ih~?E|xH>7XPEmV#bp}_D%d2y^ zIxVj*;OeZrg2JBgp^NGg)!DqLF7FKg?O86EKC;IeG{ladW^E!v?B&ZifMd5bGPj?7 z2!TMb63E+KHt(vcL+u8rxe9mQ%Clkn94gP2e)OuN@(3K9tG=iozjkT|a)_av>6LzJ z>lXSsy}LL=<3|hNb#Jxz@$%UE%dA1UPY|)UC*Zd}7N8!~gRPcfduO*kk4x&6duR8x zoNLuL_U0m?WxI09zA+v~{B&#hdOM+J6CH1x54aHx3V z@a2If%huhqwkq9p5ZJkVv+DRMG({TJ&XS-aJ7|tOgVK9c2HM(COcyyR53A1(H0H!> zf@rX3%FSERtK?VoQKOfkRxH8Stl-3M0l8$2@%_CQ%r99C@Wa&%CD>9gSEv;FgMx># zrAT(;AECSF#8A+Sjhu-+M>rMsxeR5k5lpF1o&#e?iCpnM<<^USgnqw!XNlSy5ai7_{||AH B0)GGi literal 0 HcmV?d00001 diff --git a/post.php b/post.php index df454853..d7e93f21 100644 --- a/post.php +++ b/post.php @@ -7286,6 +7286,7 @@ if(isset($_POST['add_document'])){ $client_id = intval($_POST['client_id']); $name = sanitizeInput($_POST['name']); $content = trim(mysqli_real_escape_string($mysqli,$purifier->purify(html_entity_decode($_POST['content'])))); + $content_raw = sanitizeInput($_POST['name'] . " " . str_replace("<", " <", $_POST['content'])); // Content Raw is used for FULL INDEX searching. Adding a space before HTML tags to allow spaces between newlines, bulletpoints, etc. for searching. diff --git a/ticket.php b/ticket.php index e2efb7ee..6aaac37d 100644 --- a/ticket.php +++ b/ticket.php @@ -1,6 +1,12 @@ set('URI.AllowedSchemes', ['data' => true, 'src' => true, 'http' => true, 'https' => true]); +$purifier = new HTMLPurifier($purifier_config); + if (isset($_GET['ticket_id'])) { $ticket_id = intval($_GET['ticket_id']); 
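Review bot: The added `$content_raw` line builds the full-text index from the raw `$_POST['content']`, while `$content` on the line above is the purified version, so the index keeps everything the purifier removed (script bodies, event-handler attributes, unknown tags) and diverges from what the document actually displays; if `content_raw` is ever echoed in search results or highlights, a stripped payload resurfaces there. Purify once and derive both values from the result: `$content_purified = $purifier->purify(html_entity_decode($_POST['content']));`, `$content = trim(mysqli_real_escape_string($mysqli, $content_purified));`, `$content_raw = sanitizeInput($_POST['name'] . " " . str_replace("<", " <", $content_purified));`. What `sanitizeInput` does is not visible in this hunk, so whether it escapes for SQL or for HTML should be checked before relying on it for the index column. The enclosing `if(isset($_POST['add_document']))` block continues past the end of the hunk.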
@@ -38,7 +44,8 @@ if (isset($_GET['ticket_id'])) { $ticket_number = intval($row['ticket_number']); $ticket_category = htmlentities($row['ticket_category']); $ticket_subject = htmlentities($row['ticket_subject']); - $ticket_details = $row['ticket_details']; + $ticket_details = $purifier->purify(html_entity_decode($row['ticket_details'])); + //$ticket_details = $row['ticket_details']; $ticket_priority = htmlentities($row['ticket_priority']); //Set Ticket Bage Color based of priority if ($ticket_priority == "High") { @@ -313,7 +320,8 @@ if (isset($_GET['ticket_id'])) { while ($row = mysqli_fetch_array($sql_ticket_replies)) { $ticket_reply_id = intval($row['ticket_reply_id']); - $ticket_reply = $row['ticket_reply']; + $ticket_reply = $purifier->purify(html_entity_decode($row['ticket_reply'])); + //$ticket_reply = $row['ticket_reply']; $ticket_reply_type = htmlentities($row['ticket_reply_type']); $ticket_reply_created_at = htmlentities($row['ticket_reply_created_at']); $ticket_reply_updated_at = htmlentities($row['ticket_reply_updated_at']);