From e32439cc4c35d88f4ff4c910fae4ec4ff23202fb Mon Sep 17 00:00:00 2001
From: Marcus Hill <bcf8c9f2@opayq.com>
Date: Mon, 2 Jan 2023 15:24:30 +0000
Subject: [PATCH] Escape potential HTML from ticket fields

---
 portal/index.php | 14 ++++++++++----
 1 file changed, 10 insertions(+), 4 deletions(-)

diff --git a/portal/index.php b/portal/index.php
index 50f5858c..9f20d98e 100644
--- a/portal/index.php
+++ b/portal/index.php
@@ -86,11 +86,17 @@ $total_tickets = $row['total_tickets'];
           <tbody>
 
             <?php
-            while ($ticket = mysqli_fetch_array($contact_tickets)) {
+            while ($row = mysqli_fetch_array($contact_tickets)) {
+                $ticket_id = $row['ticket_id'];
+                $ticket_prefix = htmlentities($row['ticket_prefix']);
+                $ticket_number = $row['ticket_number'];
+                $ticket_subject = htmlentities($row['ticket_subject']);
+                $ticket_status = htmlentities($row['ticket_status']);
+
                 echo "<tr>";
-                echo "<td> <a href='ticket.php?id=$ticket[ticket_id]'> $ticket[ticket_prefix]$ticket[ticket_number]</a></td>";
-                echo "<td> <a href='ticket.php?id=$ticket[ticket_id]'> $ticket[ticket_subject]</a></td>";
-                echo "<td>$ticket[ticket_status]</td>";
+                echo "<td> <a href='ticket.php?id=$ticket_id'> $ticket_prefix$ticket_number</a></td>";
+                echo "<td> <a href='ticket.php?id=$ticket_id'> $ticket_subject</a></td>";
+                echo "<td>$ticket_status</td>";
                 echo "</tr>";
             }
             ?>