From be5bf1853e84a92c39a31c0473520ddd837b4d8e Mon Sep 17 00:00:00 2001
From: johnnyq <johnny@pittpc.com>
Date: Mon, 26 Feb 2024 15:58:28 -0500
Subject: [PATCH] Sanitize From Name and From Email Output in bulk mail as its
 not sanitized when the vars are grabbed from get_settings.php

---
 admin_bulk_mail.php  | 16 ++++++++--------
 client_bulk_mail.php | 16 ++++++++--------
 2 files changed, 16 insertions(+), 16 deletions(-)

diff --git a/admin_bulk_mail.php b/admin_bulk_mail.php
index a61ead5c..d7febe65 100644
--- a/admin_bulk_mail.php
+++ b/admin_bulk_mail.php
@@ -39,14 +39,14 @@ $sql = mysqli_query($mysqli, "SELECT * FROM contacts
                     
                     <div class="form-group">
                         <select type="text" class="form-control select2" name="mail_from">
-                            <option value="<?php echo $config_mail_from_email; ?>">
-                                <?php echo "$config_mail_from_name - $config_mail_from_email"; ?></option>
-                            <option value="<?php echo $config_invoice_from_email; ?>">
-                                <?php echo "$config_invoice_from_name - $config_invoice_from_email"; ?></option>
-                            <option value="<?php echo $config_quote_from_email; ?>">
-                                <?php echo "$config_quote_from_name - $config_quote_from_email"; ?></option>
-                            <option value="<?php echo $config_ticket_from_email; ?>">
-                                <?php echo "$config_ticket_from_name - $config_ticket_from_email"; ?></option>
+                            <option value="<?php echo nullable_htmlentities($config_mail_from_email); ?>">
+                                <?php echo nullable_htmlentities("$config_mail_from_name - $config_mail_from_email"); ?></option>
+                            <option value="<?php echo nullable_htmlentities($config_invoice_from_email); ?>">
+                                <?php echo nullable_htmlentities("$config_invoice_from_name - $config_invoice_from_email"); ?></option>
+                            <option value="<?php echo nullable_htmlentities($config_quote_from_email); ?>">
+                                <?php echo nullable_htmlentities("$config_quote_from_name - $config_quote_from_email"); ?></option>
+                            <option value="<?php echo nullable_htmlentities($config_ticket_from_email); ?>">
+                                <?php echo nullable_htmlentities("$config_ticket_from_name - $config_ticket_from_email"); ?></option>
                         </select>
                     </div>
 
diff --git a/client_bulk_mail.php b/client_bulk_mail.php
index ccf9dd7b..609ded2b 100644
--- a/client_bulk_mail.php
+++ b/client_bulk_mail.php
@@ -34,14 +34,14 @@ $sql = mysqli_query($mysqli, "SELECT * FROM contacts
 
                         <div class="form-group">
                             <select type="text" class="form-control select2" name="mail_from">
-                                <option value="<?php echo $config_mail_from_email; ?>">
-                                    <?php echo "$config_mail_from_name - $config_mail_from_email"; ?></option>
-                                <option value="<?php echo $config_invoice_from_email; ?>">
-                                    <?php echo "$config_invoice_from_name - $config_invoice_from_email"; ?></option>
-                                <option value="<?php echo $config_quote_from_email; ?>">
-                                    <?php echo "$config_quote_from_name - $config_quote_from_email"; ?></option>
-                                <option value="<?php echo $config_ticket_from_email; ?>">
-                                    <?php echo "$config_ticket_from_name - $config_ticket_from_email"; ?></option>
+                                <option value="<?php echo nullable_htmlentities($config_mail_from_email); ?>">
+                                    <?php echo nullable_htmlentities("$config_mail_from_name - $config_mail_from_email"); ?></option>
+                                <option value="<?php echo nullable_htmlentities($config_invoice_from_email); ?>">
+                                    <?php echo nullable_htmlentities("$config_invoice_from_name - $config_invoice_from_email"); ?></option>
+                                <option value="<?php echo nullable_htmlentities($config_quote_from_email); ?>">
+                                    <?php echo nullable_htmlentities("$config_quote_from_name - $config_quote_from_email"); ?></option>
+                                <option value="<?php echo nullable_htmlentities($config_ticket_from_email); ?>">
+                                    <?php echo nullable_htmlentities("$config_ticket_from_name - $config_ticket_from_email"); ?></option>
                             </select>
                         </div>