From f7bfeedf54d30516fca38a98e5ef8653c7468ab1 Mon Sep 17 00:00:00 2001
From: Marcus Hill
Date: Mon, 2 Jan 2023 15:50:35 +0000
Subject: [PATCH] Escape potential HTML data from ticket reply contact/user fields

---
 portal/ticket.php | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/portal/ticket.php b/portal/ticket.php
index 17c841cf..918d7cca 100644
--- a/portal/ticket.php
+++ b/portal/ticket.php
@@ -112,12 +112,12 @@ if (isset($_GET['id']) && intval($_GET['id'])) {
 $ticket_reply_type = $row['ticket_reply_type'];
 
 if ($ticket_reply_type == "Client") {
- $ticket_reply_by_display = $row['contact_name'];
+ $ticket_reply_by_display = htmlentities($row['contact_name']);
 $user_initials = initials($row['contact_name']);
 $user_avatar = $row['contact_photo'];
 $avatar_link = "../uploads/clients/$session_company_id/$session_client_id/$user_avatar";
 } else {
- $ticket_reply_by_display = $row['user_name'];
+ $ticket_reply_by_display = htmlentities($row['user_name']);
 $user_id = $row['user_id'];
 $user_avatar = $row['user_avatar'];
 $user_initials = initials($row['user_name']);
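Review bot: Both added `htmlentities()` calls rely on PHP's default flags, which before 8.1 are `ENT_COMPAT` (single quotes left unescaped) without `ENT_SUBSTITUTE` (a name containing an invalid UTF-8 byte sequence makes the call return an empty string), so whether this escape is sufficient depends on the PHP version and on whether the value is later placed inside a single-quoted attribute. Pin the behaviour explicitly on both lines: `$ticket_reply_by_display = htmlentities($row['contact_name'], ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');` and likewise for `$row['user_name']`. The other values read from the same row in this hunk, `$user_initials` (via `initials()`), `$user_avatar` and the `$avatar_link` path built from `contact_photo`, are still assigned unescaped; where they are emitted is outside this hunk, so confirm they are escaped for their output context (attribute/URL) at that point. The enclosing `if`/`else` continues past the end of the hunk.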