From 5e0c641a022b80b5e7f3db921c834ba6ee5e7a35 Mon Sep 17 00:00:00 2001
From: "Florian Aders (EleRas)"
Date: Sat, 19 Mar 2011 13:14:28 +0100
Subject: [PATCH] Fixing a XSS - vulnerability discovered by tomreyn
Signed-off-by: Florian Aders (EleRas)
---
 admin_tickets.php | 27 ++++++++++---------
 .../admin/ticket/formfield.ticket_reply.php | 2 +-
 .../function.htmlentities_array.php | 2 +-
 3 files changed, 16 insertions(+), 15 deletions(-)
diff --git a/admin_tickets.php b/admin_tickets.php
index 2727d3c5..27e8e092 100644
--- a/admin_tickets.php
+++ b/admin_tickets.php
@@ -655,7 +655,6 @@ elseif($page == 'archive'
 {
 if($paging->checkDisplay($i))
 {
- $ticket = htmlentities_array($ticket);
 $ticket['lastchange'] = date("d.m.y H:i", $ticket['lastchange']);
 if($_cid != $ticket['customerid'])
@@ -690,6 +689,8 @@ elseif($page == 'archive'
 $ticket['subject'] = substr($ticket['subject'], 0, 17) . '...';
 }
+ $ticket = htmlentities_array($ticket);
+
 eval("\$tickets.=\"" . getTemplate("ticket/archived_tickets") . "\";");
 $count++;
 $_cid = $ticket['customerid'];
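Review bot: Moving `htmlentities_array($ticket)` to just before the `eval()` puts escaping after the `substr()` truncation, which is the right order, but nothing marks that ordering as load-bearing and a later edit could slip another `$ticket` mutation or template use in between; add `// escape LAST: substr() above must cut the raw subject, and every field that reaches the template passes through here` above the call. Note that `substr($ticket['subject'], 0, 17)` is byte-based while `htmlentities_array()` defaults to ISO-8859-1, so if subjects can hold UTF-8 the cut may land inside a multi-byte sequence; that would need `mb_substr()` and a matching charset, which this hunk does not show, so confirm the panel's output charset before relying on the truncation. The enclosing loop body begins before the first hunk and continues past the second.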
@@ -732,16 +733,16 @@ elseif($page == 'archive'
 }
 }
- $priorities_options = makecheckbox('priority1', $lng['ticket']['unf_high'], '1');
- $priorities_options.= makecheckbox('priority2', $lng['ticket']['unf_normal'], '2');
- $priorities_options.= makecheckbox('priority3', $lng['ticket']['unf_low'], '3');
+ $priorities_options = makecheckbox('priority1', htmlentities($lng['ticket']['unf_high']), '1');
+ $priorities_options.= makecheckbox('priority2', htmlentities($lng['ticket']['unf_normal']), '2');
+ $priorities_options.= makecheckbox('priority3', htmlentities($lng['ticket']['unf_low']), '3');
 $category_options = '';
 $ccount = 0;
 $result = $db->query('SELECT * FROM `' . TABLE_PANEL_TICKET_CATS . '` ORDER BY `name` ASC');
 while($row = $db->fetch_array($result))
 {
- $category_options.= makecheckbox('category' . $ccount, $row['name'], $row['id'], true);
+ $category_options.= makecheckbox('category' . $ccount, htmlentities($row['name']), $row['id'], true);
 $ccount++;
 }
@@ -776,8 +777,8 @@ elseif($page == 'archive'
 $by = $lng['ticket']['customer'];
 }
- $subject = $mainticket->Get('subject');
- $message = $mainticket->Get('message');
+ $subject = htmlentities($mainticket->Get('subject'));
+ $message = htmlentities($mainticket->Get('message'));
 eval("\$ticket_replies.=\"" . getTemplate("ticket/tickets_tickets_main") . "\";");
 $result = $db->query('SELECT `name` FROM `' . TABLE_PANEL_TICKET_CATS . '` WHERE `id`="' . (int)$mainticket->Get('category') . '"');
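Review bot: The new `htmlentities($mainticket->Get('subject'))` and `htmlentities($mainticket->Get('message'))` calls rely on PHP's default quote style, ENT_COMPAT, which leaves `'` untouched, while this same commit moves `htmlentities_array()` to ENT_QUOTES; if any template places `$subject` inside a single-quoted attribute the injection survives this fix. Pass the flags explicitly so the two escapers agree: `$subject = htmlentities($mainticket->Get('subject'), ENT_QUOTES, 'ISO-8859-1');` and the same for `$message`, or route both values through `htmlentities_array()`. The same applies to the three `makecheckbox()` label calls and the `htmlentities($row['name'])` call in the first hunk. Which templates these values land in is outside the diff, so the attribute context is inferred rather than seen; the `elseif($page == 'archive')` branch continues past both hunks.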
@@ -798,15 +799,15 @@ elseif($page == 'archive'
 $by = $lng['ticket']['customer'];
 }
- $subject = $subticket->Get('subject');
- $message = $subticket->Get('message');
+ $subject = htmlentities($subticket->Get('subject'));
+ $message = htmlentities($subticket->Get('message'));
 eval("\$ticket_replies.=\"" . getTemplate("ticket/tickets_tickets_list") . "\";");
 }
- $priorities = makeoption($lng['ticket']['high'], '1', $mainticket->Get('priority'), true, true);
- $priorities.= makeoption($lng['ticket']['normal'], '2', $mainticket->Get('priority'), true, true);
- $priorities.= makeoption($lng['ticket']['low'], '3', $mainticket->Get('priority'), true, true);
- $subject = $mainticket->Get('subject');
+ $priorities = makeoption($lng['ticket']['high'], '1', htmlentities($mainticket->Get('priority')), true, true);
+ $priorities.= makeoption($lng['ticket']['normal'], '2', htmlentities($mainticket->Get('priority')), true, true);
+ $priorities.= makeoption($lng['ticket']['low'], '3', htmlentities($mainticket->Get('priority')), true, true);
+ $subject = htmlentities($mainticket->Get('subject'));
 $ticket_replies_count = $db->num_rows($andere) + 1; // don't forget the main-ticket!
diff --git a/lib/formfields/admin/ticket/formfield.ticket_reply.php b/lib/formfields/admin/ticket/formfield.ticket_reply.php
index 423afc51..2386f942 100644
--- a/lib/formfields/admin/ticket/formfield.ticket_reply.php
+++ b/lib/formfields/admin/ticket/formfield.ticket_reply.php
@@ -38,7 +38,7 @@ return array(
 'category' => array(
 'label' => $lng['ticket']['category'],
 'type' => 'label',
- 'value' => $row['name']
+ 'value' => htmlentities($row['name']),
 ),
 'message' => array(
 'style' => 'vertical-align:top;',
diff --git a/lib/functions/phphelpers/function.htmlentities_array.php b/lib/functions/phphelpers/function.htmlentities_array.php
index fa38d661..9e7f973b 100644
--- a/lib/functions/phphelpers/function.htmlentities_array.php
+++ b/lib/functions/phphelpers/function.htmlentities_array.php
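Review bot: In the three `makeoption()` calls, `htmlentities()` now wraps `$mainticket->Get('priority')`, the selected-value argument, while the labels `$lng['ticket']['high']` / `['normal']` / `['low']` stay raw; for a numeric priority the escaping is a no-op, and this is the reverse of the `makecheckbox()` hunk earlier in the file, which escapes the label and leaves the value alone. Whether `makeoption()`'s trailing `true, true` flags already escape their arguments cannot be seen from the diff: if they do, the checkbox labels are now double-escaped; if they do not, these labels are the unescaped ones, so check `makeoption()` and make the two call sites match, e.g. `$priorities = makeoption(htmlentities($lng['ticket']['high']), '1', $mainticket->Get('priority'), true, true);`. The per-reply `$subject` set inside the loop is deliberately overwritten by the main-ticket `$subject` after it; a comment such as `// reset to the main ticket's subject for the reply form below` would spare the next reader a double take. The archive branch continues past this hunk.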
@@ -29,7 +29,7 @@
 * @author Florian Lippert
 */
-function htmlentities_array($subject, $fields = '', $quote_style = ENT_COMPAT, $charset = 'ISO-8859-1')
+function htmlentities_array($subject, $fields = '', $quote_style = ENT_QUOTES, $charset = 'ISO-8859-1')
 {
 if(is_array($subject))
 {
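Review bot: Switching the default `$quote_style` to ENT_QUOTES is the right call, because the escaped values end up inside attribute values as well as element text, but the docblock that ends just above the signature stays silent on why, and every existing caller now gets `&#039;` for `'` where it previously got a bare quote, so any caller that compares or stores the escaped result should be re-checked. Add a `@param int $quote_style` line stating that the default is ENT_QUOTES so output is safe in both single- and double-quoted attributes, and a `@param string $charset` line noting it stays ISO-8859-1 and must match the page encoding or characters outside that set are mis-encoded. The role of `$fields` (presumably a subset of keys to escape) is not visible in the hunk and belongs in the same docblock once confirmed. The function body runs past the end of the hunk.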