- remove bad html-tags in ticket-subject and -message, thx to Edward Fjellskaal
@@ -168,7 +168,7 @@ if($page == 'tickets'
|
|||||||
$newticket->Set('subject', validate($_POST['subject'], 'subject'), true, false);
|
$newticket->Set('subject', validate($_POST['subject'], 'subject'), true, false);
|
||||||
$newticket->Set('priority', validate($_POST['priority'], 'priority'), true, false);
|
$newticket->Set('priority', validate($_POST['priority'], 'priority'), true, false);
|
||||||
$newticket->Set('category', validate($_POST['category'], 'category'), true, false);
|
$newticket->Set('category', validate($_POST['category'], 'category'), true, false);
|
||||||
$newticket->Set('customer', validate($_POST['customer'], 'customer'), true, false);
|
$newticket->Set('customer', (int)$_POST['customer'], true, false);
|
||||||
$newticket->Set('message', validate(str_replace("\r\n", "\n", $_POST['message']), 'message', '/^[^\0]*$/'), true, false);
|
$newticket->Set('message', validate(str_replace("\r\n", "\n", $_POST['message']), 'message', '/^[^\0]*$/'), true, false);
|
||||||
|
|
||||||
if($newticket->Get('subject') == null)
|
if($newticket->Get('subject') == null)
|
||||||
|
|||||||
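Review bot: The `(int)` cast on the new `customer` line accepts 0, negative numbers and the id of any customer row in the database, and nothing in this hunk ties the value to the acting user before it is stored on the ticket. If this is the admin-side page (the `$page == 'tickets'` context suggests a panel script, but I cannot see which one from here), the cast should be followed by an ownership check, e.g. a lookup of the customer row restricted to the current `adminid` that rejects the request when no row comes back. The enclosing `if($page == 'tickets'` block starts before and ends after this hunk, so such a check may already exist elsewhere; if it does, a one-line pointer on this line such as `// customer ownership is verified in ticket::Save()` would save the next reader the search.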
@@ -16,7 +16,7 @@
|
|||||||
* @package Logger
|
* @package Logger
|
||||||
* @version $Id$
|
* @version $Id$
|
||||||
* @link http://www.nutime.de/
|
* @link http://www.nutime.de/
|
||||||
*
|
*
|
||||||
* Support Tickets - Tickets-Class
|
* Support Tickets - Tickets-Class
|
||||||
*/
|
*/
|
||||||
|
|
||||||
@@ -303,7 +303,7 @@ class ticket
|
|||||||
$mailerr_msg = $e->getMessage();
|
$mailerr_msg = $e->getMessage();
|
||||||
$_mailerror = true;
|
$_mailerror = true;
|
||||||
}
|
}
|
||||||
|
|
||||||
if ($_mailerror) {
|
if ($_mailerror) {
|
||||||
$rstlog = FroxlorLogger::getInstanceOf(array('loginname' => 'ticket_class'), $this->db, $this->settings);
|
$rstlog = FroxlorLogger::getInstanceOf(array('loginname' => 'ticket_class'), $this->db, $this->settings);
|
||||||
$rstlog->logAction(ADM_ACTION, LOG_ERR, "Error sending mail: " . $mailerr_msg);
|
$rstlog->logAction(ADM_ACTION, LOG_ERR, "Error sending mail: " . $mailerr_msg);
|
||||||
@@ -315,9 +315,9 @@ class ticket
|
|||||||
else
|
else
|
||||||
{
|
{
|
||||||
$admin = $this->db->query_first("SELECT `name`, `email` FROM `" . TABLE_PANEL_ADMINS . "` WHERE `adminid`='" . (int)$this->userinfo['adminid'] . "'");
|
$admin = $this->db->query_first("SELECT `name`, `email` FROM `" . TABLE_PANEL_ADMINS . "` WHERE `adminid`='" . (int)$this->userinfo['adminid'] . "'");
|
||||||
|
|
||||||
$_mailerror = false;
|
$_mailerror = false;
|
||||||
try {
|
try {
|
||||||
$mail->SetFrom($this->settings['ticket']['noreply_email'], $this->settings['ticket']['noreply_name']);
|
$mail->SetFrom($this->settings['ticket']['noreply_email'], $this->settings['ticket']['noreply_name']);
|
||||||
$mail->Subject = $mail_subject;
|
$mail->Subject = $mail_subject;
|
||||||
$mail->AltBody = $mail_body;
|
$mail->AltBody = $mail_body;
|
||||||
@@ -331,7 +331,7 @@ class ticket
|
|||||||
$mailerr_msg = $e->getMessage();
|
$mailerr_msg = $e->getMessage();
|
||||||
$_mailerror = true;
|
$_mailerror = true;
|
||||||
}
|
}
|
||||||
|
|
||||||
if ($_mailerror) {
|
if ($_mailerror) {
|
||||||
$rstlog = FroxlorLogger::getInstanceOf(array('loginname' => 'ticket_class'), $this->db, $this->settings);
|
$rstlog = FroxlorLogger::getInstanceOf(array('loginname' => 'ticket_class'), $this->db, $this->settings);
|
||||||
$rstlog->logAction(ADM_ACTION, LOG_ERR, "Error sending mail: " . $mailerr_msg);
|
$rstlog->logAction(ADM_ACTION, LOG_ERR, "Error sending mail: " . $mailerr_msg);
|
||||||
@@ -355,7 +355,7 @@ class ticket
|
|||||||
$_order = 1;
|
$_order = 1;
|
||||||
}
|
}
|
||||||
|
|
||||||
$_db->query('INSERT INTO `' . TABLE_PANEL_TICKET_CATS . '` SET
|
$_db->query('INSERT INTO `' . TABLE_PANEL_TICKET_CATS . '` SET
|
||||||
`name` = "' . $_db->escape($_category) . '",
|
`name` = "' . $_db->escape($_category) . '",
|
||||||
`adminid` = "' . (int)$_admin . '",
|
`adminid` = "' . (int)$_admin . '",
|
||||||
`logicalorder` = "' . (int)$_order . '"');
|
`logicalorder` = "' . (int)$_order . '"');
|
||||||
@@ -378,8 +378,8 @@ class ticket
|
|||||||
if($_order < 1) {
|
if($_order < 1) {
|
||||||
$_order = 1;
|
$_order = 1;
|
||||||
}
|
}
|
||||||
|
|
||||||
$_db->query('UPDATE `' . TABLE_PANEL_TICKET_CATS . '` SET
|
$_db->query('UPDATE `' . TABLE_PANEL_TICKET_CATS . '` SET
|
||||||
`name` = "' . $_db->escape($_category) . '",
|
`name` = "' . $_db->escape($_category) . '",
|
||||||
`logicalorder` = "' . (int)$_order . '"
|
`logicalorder` = "' . (int)$_order . '"
|
||||||
WHERE `id` = "' . (int)$_id . '"');
|
WHERE `id` = "' . (int)$_id . '"');
|
||||||
@@ -665,16 +665,16 @@ class ticket
|
|||||||
|
|
||||||
/*
|
/*
|
||||||
* function customerHasTickets
|
* function customerHasTickets
|
||||||
*
|
*
|
||||||
* @param object mysql-db-object
|
* @param object mysql-db-object
|
||||||
* @param int customer-id
|
* @param int customer-id
|
||||||
*
|
*
|
||||||
* @return array/bool array of ticket-ids if customer has any, else false
|
* @return array/bool array of ticket-ids if customer has any, else false
|
||||||
*/
|
*/
|
||||||
static public function customerHasTickets($_db = null, $_cid = 0)
|
static public function customerHasTickets($_db = null, $_cid = 0)
|
||||||
{
|
{
|
||||||
if($_cid != 0)
|
if($_cid != 0)
|
||||||
{
|
{
|
||||||
$result = $_db->query('SELECT `id` FROM `' . TABLE_PANEL_TICKETS . '` WHERE `customerid` ="'.(int)$_cid.'"');
|
$result = $_db->query('SELECT `id` FROM `' . TABLE_PANEL_TICKETS . '` WHERE `customerid` ="'.(int)$_cid.'"');
|
||||||
|
|
||||||
$tickets = array();
|
$tickets = array();
|
||||||
@@ -682,7 +682,7 @@ class ticket
|
|||||||
{
|
{
|
||||||
$tickets[] = $row['id'];
|
$tickets[] = $row['id'];
|
||||||
}
|
}
|
||||||
|
|
||||||
return $tickets;
|
return $tickets;
|
||||||
}
|
}
|
||||||
|
|
||||||
@@ -706,11 +706,11 @@ class ticket
|
|||||||
{
|
{
|
||||||
if(strtolower($_var) == 'message')
|
if(strtolower($_var) == 'message')
|
||||||
{
|
{
|
||||||
return str_replace('script>', 'pre>', htmlspecialchars_decode(nl2br($this->t_data[$_var])));
|
return $this->_removeBadTags(htmlspecialchars_decode(nl2br($this->t_data[$_var])));
|
||||||
}
|
}
|
||||||
elseif(strtolower($_var) == 'subject')
|
elseif(strtolower($_var) == 'subject')
|
||||||
{
|
{
|
||||||
return str_replace('script>', 'pre>', htmlspecialchars_decode(nl2br($this->t_data[$_var])));
|
return $this->_removeBadTags(htmlspecialchars_decode(nl2br($this->t_data[$_var])));
|
||||||
}
|
}
|
||||||
else
|
else
|
||||||
{
|
{
|
||||||
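Review bot: Both changed return lines still call `htmlspecialchars_decode()` on the stored subject and message, so whatever `validate()` entity-encoded on input is turned back into live markup and only then handed to `_removeBadTags()`; every element or attribute not on that three-tag blacklist (`<img onerror=…>`, `<svg onload=…>`, `<a href="javascript:…">`) reaches the template untouched. Unless the template escapes the value itself (not visible from here), the safer shape is to normalise to text and escape at this output boundary: `return nl2br(htmlspecialchars(htmlspecialchars_decode($this->t_data[$_var], ENT_QUOTES), ENT_QUOTES));` for both branches, which keeps the `<br />` that `nl2br()` inserts while neutralising stored markup regardless of how it was encoded on the way in. The `_removeBadTags()` call can remain as defence in depth, but it should not be the only barrier. `Get()` begins before and ends after this hunk.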
@@ -751,6 +751,30 @@ class ticket
|
|||||||
$this->t_data[$_var] = $_value;
|
$this->t_data[$_var] = $_value;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* removes unwanted HTML-tags from a string
|
||||||
|
*
|
||||||
|
* @param string $s string to be cleaned
|
||||||
|
*
|
||||||
|
* @return string cleaned string
|
||||||
|
*/
|
||||||
|
function _removeBadTags($str = null)
|
||||||
|
{
|
||||||
|
$tags = array('script', 'noframes', 'iframe');
|
||||||
|
$content = '';
|
||||||
|
$stripContent = false;
|
||||||
|
if(!is_array($tags)) {
|
||||||
|
$tags = (strpos($str, '>') !== false ? explode('>', str_replace('<', '', $tags)) : array($tags));
|
||||||
|
if(end($tags) == '') array_pop($tags);
|
||||||
|
}
|
||||||
|
foreach($tags as $tag) {
|
||||||
|
if ($stripContent)
|
||||||
|
$content = '(.+</'.$tag.'[^>]*>|)';
|
||||||
|
$str = preg_replace('#</?'.$tag.'[^>]*>'.$content.'#is', '', $str);
|
||||||
|
}
|
||||||
|
return $str;
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
?>
|
?>
|
||||||
|
|||||||
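Review bot: `_removeBadTags()` applies each tag pattern exactly once, so an input like `<scr<script>ipt>alert(1)</scr</script>ipt>` loses only its inner tags on that single pass and leaves the function as a working `<script>` element; the replacement has to be repeated until the string stops changing. The blacklist itself (`script`, `noframes`, `iframe`) also does nothing about inline event handlers, `javascript:` URLs or any unlisted element, so the function cannot be relied on to make untrusted HTML safe — it is a defence-in-depth filter at best, and the subject and message should still be HTML-escaped where they are rendered. Within the new code `$tags` is always a literal array and `$stripContent` is never set to true, so the `if(!is_array($tags))` branch (which also tests `$str` where it means `$tags`) and the `$content` pattern are dead and should be removed. The rewrite below keeps the signature, loops to a fixed point and states the limitation in the docblock.

```php
function _removeBadTags($str = null)
{
    // NOTE(review): a tag blacklist cannot make untrusted HTML safe
    // (event handlers, javascript: URLs and unlisted elements pass
    // through); callers must still HTML-escape the value at output.
    // Kept as defence in depth only.
    $tags = array('script', 'noframes', 'iframe');
    // Repeat until stable: one pass lets "<scr<script>ipt>" collapse into
    // a live "<script>" tag once the inner tag has been removed.
    do {
        $before = $str;
        foreach ($tags as $tag) {
            $str = preg_replace('#</?' . $tag . '[^>]*>#is', '', $str);
        }
    } while ($before !== $str);
    return $str;
}
```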