diff --git a/include/class.config.php b/include/class.config.php
index 8f10d777aa31df72875c9704d359c9a85416f9c2..6ce3716b931d710751b6ecc122f31798a7b459fb 100644
--- a/include/class.config.php
+++ b/include/class.config.php
@@ -419,6 +419,11 @@ class OsticketConfig extends Config {
         return $this->get('enable_avatars');
     }
 
+    function isTicketLockEnabled() {
+        return (($this->getTicketLockMode() != Lock::MODE_DISABLED)
+            && $this->getLockTime());
+    }
+
     function getClientTimeout() {
         return $this->getClientSessionTimeout();
     }
@@ -1110,6 +1115,8 @@ class OsticketConfig extends Config {
         $f['default_timezone']=array('type'=>'string', 'required'=>1, 'error'=>__('Default Timezone is required'));
         $f['system_language']=array('type'=>'string', 'required'=>1, 'error'=>__('A primary system language is required'));
 
+        $vars = Format::htmlchars($vars, true);
+
         // Make sure the selected backend is valid
         $storagebk = null;
         if (isset($vars['default_storage_bk'])) {
diff --git a/include/class.dept.php b/include/class.dept.php
index 8f09237c4b37fc721d4a9a25367984414e9e9afd..2392dc205bd72b630299a568deb9cddf0bff8655 100644
--- a/include/class.dept.php
+++ b/include/class.dept.php
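Review bot: `isTicketLockEnabled()` compares the lock mode with loose `!=` and returns whatever `getLockTime()` yields instead of a boolean, so callers receive a truthy int and a string-vs-int mismatch between `getTicketLockMode()` and `Lock::MODE_DISABLED` is silently tolerated. If the two are the same scalar type, prefer `return $this->getTicketLockMode() !== Lock::MODE_DISABLED && (bool) $this->getLockTime();`. A one-line docblock stating that locking requires both a non-disabled mode and a non-zero lock time would help readers of the scp/tickets.php call sites.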
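Review bot: `Format::htmlchars($vars, true)` HTML-encodes and sanitizes every submitted setting before validation, so values that are later compared with or stored as plain identifiers (`default_storage_bk`, `default_timezone` in the lines that follow) arrive entity-encoded if they contain `&`, `<`, `>` or quotes, and templates that escape on output will then double-encode them. Escaping belongs at the output boundary; if the intent is to neutralise markup in the free-text settings, apply it per key to that list of settings rather than to the whole array. The enclosing method starts and ends outside the hunk, so I cannot see which keys are free text.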
@@ -620,6 +620,21 @@ implements TemplateVariable {
         if ($vars['pid'] && !($p = static::lookup($vars['pid'])))
             $errors['pid'] = __('Department selection is required');
 
+        if ($vars['sla_id'] && !SLA::lookup($vars['sla_id']))
+            $errors['sla_id'] = __('Invalid SLA');
+
+        if ($vars['manager_id'] && !Staff::lookup($vars['manager_id']))
+            $errors['manager_id'] = __('Unknown Staff');
+
+        if ($vars['email_id'] && !Email::lookup($vars['email_id']))
+            $errors['email_id'] = __('Unknown System Email');
+
+        if ($vars['tpl_id'] && !EmailTemplateGroup::lookup($vars['tpl_id']))
+            $errors['tpl_id'] = __('Unknown Template Set');
+
+        if ($vars['autoresp_email_id'] && !Email::lookup($vars['autoresp_email_id']))
+            $errors['autoresp_email_id'] = __('Unkown System Email');
+
         // Format access update as [array(dept_id, role_id, alerts?)]
         $access = array();
         if (isset($vars['members'])) {
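Review bot: The message for `autoresp_email_id` reads `__('Unkown System Email')`, a typo that also makes it a different translation key from the `__('Unknown System Email')` used for `email_id` two checks above; change it to `$errors['autoresp_email_id'] = __('Unknown System Email');`. The new lookups mirror the existing `pid` check, which keeps validation consistent; note that the truthiness guards mean a submitted `'0'` skips the lookup, which matches how the "none" option is presumably encoded. The enclosing method starts and ends outside the hunk.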
@@ -634,17 +649,17 @@ implements TemplateVariable {
             return false;
 
         $this->pid = $vars['pid'] ?: null;
-        $this->ispublic = isset($vars['ispublic'])?$vars['ispublic']:0;
-        $this->email_id = isset($vars['email_id'])?$vars['email_id']:0;
-        $this->tpl_id = isset($vars['tpl_id'])?$vars['tpl_id']:0;
-        $this->sla_id = isset($vars['sla_id'])?$vars['sla_id']:0;
-        $this->autoresp_email_id = isset($vars['autoresp_email_id'])?$vars['autoresp_email_id']:0;
+        $this->ispublic = isset($vars['ispublic']) ? (int) $vars['ispublic'] : 0;
+        $this->email_id = isset($vars['email_id']) ? (int) $vars['email_id'] : 0;
+        $this->tpl_id = isset($vars['tpl_id']) ? (int) $vars['tpl_id'] : 0;
+        $this->sla_id = isset($vars['sla_id']) ? (int) $vars['sla_id'] : 0;
+        $this->autoresp_email_id = isset($vars['autoresp_email_id']) ? (int) $vars['autoresp_email_id'] : 0;
         $this->manager_id = $vars['manager_id'] ?: 0;
         $this->name = Format::striptags($vars['name']);
         $this->signature = Format::sanitize($vars['signature']);
         $this->group_membership = $vars['group_membership'];
-        $this->ticket_auto_response = isset($vars['ticket_auto_response'])?$vars['ticket_auto_response']:1;
-        $this->message_auto_response = isset($vars['message_auto_response'])?$vars['message_auto_response']:1;
+        $this->ticket_auto_response = isset($vars['ticket_auto_response']) ? (int) $vars['ticket_auto_response'] : 1;
+        $this->message_auto_response = isset($vars['message_auto_response']) ? (int) $vars['message_auto_response'] : 1;
         $this->flags = 0;
         $this->setFlag(self::FLAG_ASSIGN_MEMBERS_ONLY, isset($vars['assign_members_only']));
         $this->setFlag(self::FLAG_DISABLE_AUTO_CLAIM, isset($vars['disable_auto_claim']));
diff --git a/include/class.format.php b/include/class.format.php
index de7bc98bbd0d409de7ed45c0ac0c09f45a7ba9ea..9b5f0fe5a6efaf7c9e603465d2d55aabadf3df19 100644
--- a/include/class.format.php
+++ b/include/class.format.php
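Review bot: `manager_id` is the one foreign key in this block still assigned without a cast (`$this->manager_id = $vars['manager_id'] ?: 0;`) while the sibling assignments now use `(int)`; for consistency and so the column always receives an integer, write `$this->manager_id = (int) ($vars['manager_id'] ?: 0);`. `group_membership` on the following line is likewise stored raw; if it is an integer column it deserves the same treatment. The enclosing method starts and ends outside the hunk.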
@@ -349,8 +349,13 @@ class Format {
     function htmlchars($var, $sanitize = false) {
         static $phpversion = null;
 
-        if (is_array($var))
-            return array_map(array('Format', 'htmlchars'), $var);
+        if (is_array($var)) {
+            $result = array();
+            foreach ($var as $k => $v)
+                $result[$k] = self::htmlchars($v, $sanitize);
+
+            return $result;
+        }
 
         if ($sanitize)
             $var = Format::sanitize($var);
diff --git a/include/class.thread.php b/include/class.thread.php
index 3911f714b672fd98287a9ac5578fbbc3d1567473..082e2536af186a60c5badb54117b1cb9365ea7b5 100644
--- a/include/class.thread.php
+++ b/include/class.thread.php
@@ -1791,8 +1791,8 @@ class ThreadEvents extends InstrumentedList {
         }
         // XXX: Use $user here
         elseif ($thisclient) {
-            if ($thisclient->hasAccount)
-                $username = $thisclient->getAccount()->getUserName();
+            if ($thisclient->hasAccount())
+                $username = $thisclient->getFullName();
             if (!$username)
                 $username = $thisclient->getEmail();
         }
@@ -2191,7 +2191,7 @@ class TextThreadEntryBody extends ThreadEntryBody {
     }
 
     function getClean() {
-        return Format::stripEmptyLines(parent::getClean());
+        return Format::htmlchars(Format::stripEmptyLines(parent::getClean()), true);
     }
 
     function prepend($what) {
diff --git a/include/class.user.php b/include/class.user.php
index 24cae58b9122dc8a5ee3af8ceb9183720e7524d6..f0d5f235d85f14dd2d55efec6590c814f74d3b1d 100644
--- a/include/class.user.php
+++ b/include/class.user.php
@@ -452,7 +452,7 @@ implements TemplateVariable {
             db_autocommit(false);
             $records = $importer->importCsv(UserForm::getUserForm()->getFields(), $defaults);
             foreach ($records as $data) {
-                if (!isset($data['email']) || !isset($data['name']))
+                if (!Validator::is_email($data['email']) || empty($data['name']))
                     throw new ImportError('Both `name` and `email` fields are required');
                 if (!($user = static::fromVars($data, true, true)))
                     throw new ImportError(sprintf(__('Unable to import user: %s'),
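Review bot: The array branch of `Format::htmlchars()` now threads `$sanitize` through the recursion and preserves keys, but the keys themselves are returned untouched, so a caller that echoes the keys of a submitted array (not only the values) still has to escape them; a comment such as `// keys are returned as-is; only values are encoded/sanitized` on the `foreach` would make that contract explicit. The method also has no docblock; one describing `$var` as a string or nested array and `$sanitize` as running `Format::sanitize()` before encoding would help. The rest of `htmlchars` is outside the hunk.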
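Review bot: `TextThreadEntryBody::getClean()` now returns an entity-encoded string, so if this value is stored as the entry body or emitted in a plain-text context (text e-mail, API output) the entities appear as literal text, and any output path that already escapes will double-encode it. `parent::getClean()` is defined outside the hunk, so I cannot see whether it escapes too; if the goal is to neutralise markup at display time, the encoding belongs in the rendering path rather than in the canonical cleaned body. At minimum a comment on the return line stating the intended output context, e.g. `// returns HTML-safe text; callers must not escape again`, would document the decision.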
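Review bot: The `isset($data['email'])` guard was dropped, so a CSV row without an `email` column now reaches `Validator::is_email($data['email'])` via an undefined index, raising a notice and passing `null` to the validator; keep the existence check, `if (!isset($data['email']) || !Validator::is_email($data['email']) || empty($data['name']))`. `empty($data['name'])` also rejects a name of `'0'`, which differs from the previous `isset` semantics and is probably acceptable but worth stating in the error message. The enclosing method starts and ends outside the hunk.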
diff --git a/include/cli/modules/unpack.php b/include/cli/modules/unpack.php
index 75fa1090f3790f7eefed5fac82581fd075de8a60..a156288846bc808f3ceba9783b537013319d89a0 100644
--- a/include/cli/modules/unpack.php
+++ b/include/cli/modules/unpack.php
@@ -210,7 +210,7 @@ class Unpacker extends Module {
         ), $pipes);
         fwrite($pipes[0], "<?php
-            include '{$this->destination}/bootstrap.php';
+            include '{$this->source}/bootstrap.php';
             print INCLUDE_DIR;
         ");
         fclose($pipes[0]);
 
diff --git a/include/staff/department.inc.php b/include/staff/department.inc.php
index 2ea8825e35c787bdcba95078a23e50f8e46f1192..85b077388ac726543fe0f2a0512921b533c99b2d 100644
--- a/include/staff/department.inc.php
+++ b/include/staff/department.inc.php
@@ -67,6 +67,7 @@ $info = Format::htmlchars(($errors && $_POST) ? $_POST : $info);
                     ?>><?php echo $name; ?></option>
                 <?php } ?>
             </select>
+            <span class="error"><?php echo $errors['pid']; ?></span>
         </td>
     </tr>
     <tr>
diff --git a/include/staff/helptopic.inc.php b/include/staff/helptopic.inc.php
index 8cb90850d546d9080495833ea95de0d1f5376f1a..79f7763883956325a34a6465e5719dcc0fe52c17 100644
--- a/include/staff/helptopic.inc.php
+++ b/include/staff/helptopic.inc.php
@@ -20,7 +20,7 @@ if($topic && $_REQUEST['a']!='add') {
     $qs += array('a' => $_REQUEST['a']);
     $forms = TicketForm::objects();
 }
-$info=Format::htmlchars(($errors && $_POST)?$_POST:$info);
+$info=Format::htmlchars(($errors && $_POST)?$_POST:$info, true);
 ?>
 
 <h2><?php echo $title; ?>
diff --git a/include/staff/system.inc.php b/include/staff/system.inc.php
index a1341fd01a6033254e27785886bb3eb18f3360ea..ecbbe9aa7a04472a0b99e88c8e391edd013dec18 100644
--- a/include/staff/system.inc.php
+++ b/include/staff/system.inc.php
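Review bot: The corrected path is still interpolated verbatim into a single-quoted PHP string literal that is fed to a child interpreter, so a source directory containing a `'` (or a backslash before one) breaks the generated script; `var_export()` produces a correctly escaped literal, so the added line can become `            include " . var_export($this->source . '/bootstrap.php', true) . ";`. Since the path is operator-supplied CLI input this is a robustness point rather than a trust-boundary one, but generated code should not depend on which characters the path happens to contain. The enclosing method starts and ends outside the hunk.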
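Review bot: Passing `true` runs `Format::sanitize()` over every key of `$_POST` (on a failed submit) and of `$info` (on a normal load), not only the fields that hold HTML, so plain-text fields that contain `<` or `&` may be rewritten before being redisplayed, and the sanitizer now runs for every field on each page load. If only the rich-text fields need it, sanitize those keys individually and keep the plain `Format::htmlchars()` call for the rest. I cannot tell from the hunk which help-topic fields are rich text.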
@@ -183,16 +183,18 @@ if (!$lv) { ?> $p = $info['path']; if ($info['phar']) $p = 'phar://' . $p; + $manifest = (file_exists($p . '/MANIFEST.php')) ? (include $p . '/MANIFEST.php') : null; ?> <h3><strong><?php echo Internationalization::getLanguageDescription($info['code']); ?></strong> - — <?php echo $manifest['Language']; ?> + <?php if ($manifest) { ?> + — <?php echo $manifest['Language']; ?> + <?php } ?> <?php if ($info['phar']) Plugin::showVerificationBadge($info['path']); ?> </h3> <div><?php echo sprintf('<code>%s</code> — %s', $info['code'], str_replace(ROOT_DIR, '', $info['path'])); ?> -<?php if (file_exists($p . '/MANIFEST.php')) { - $manifest = (include $p . '/MANIFEST.php'); ?> +<?php if ($manifest) { ?> <br/> <?php echo __('Version'); ?>: <?php echo $manifest['Version']; ?>, <?php echo sprintf(__('for version %s'), 'v'.($manifest['Phrases-Version'] ?: '1.9')); ?> diff --git a/include/staff/tickets.inc.php b/include/staff/tickets.inc.php index c786e28468ab527ec60b88aaf24040d65f1601f9..e036785c1222a92c75319f0864b502f52a7af374 100644 --- a/include/staff/tickets.inc.php +++ b/include/staff/tickets.inc.php @@ -253,7 +253,10 @@ elseif ($_SESSION[$queue_sort_key][0] == 'relevance') { } if (isset($_GET['sort'])) { - $_SESSION[$queue_sort_key] = array($_GET['sort'], $_GET['dir']); + $_SESSION[$queue_sort_key] = array( + Format::htmlchars($_GET['sort']), + Format::htmlchars($_GET['dir']) + ); } elseif (!isset($_SESSION[$queue_sort_key])) { $_SESSION[$queue_sort_key] = array($queue_sort_options[0], 0); diff --git a/scp/forms.php b/scp/forms.php index 5a4978e0982e98ccfd7d39068e724e6fd2ab1133..da5663a817df06f5068a69e083ddaca6e172a653 100644 --- a/scp/forms.php +++ b/scp/forms.php 
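Review bot: `$manifest` is now either `null` or whatever the `include` returns, and a `MANIFEST.php` that does not `return` an array yields `1`, which passes both `if ($manifest)` guards and then produces notices on `$manifest['Language']` and `$manifest['Version']`; guard with `<?php if (is_array($manifest)) { ?>` in both places. Hoisting the include above the `<h3>` fixes the previous use of a stale `$manifest` from an earlier loop iteration, which is the real improvement here. Note that `include` executes the pack's `MANIFEST.php`, including from `phar://` paths, before `Plugin::showVerificationBadge()` is rendered; that ordering is pre-existing, but a comment saying so would keep a future reader from assuming the badge gates the include.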
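Review bot: HTML-encoding `$_GET['sort']` and `$_GET['dir']` before storing them in the session is the wrong layer of defence for a value that selects a sort column: an allow-list check is what keeps an unexpected key out of the query, and encoding alone still lets arbitrary strings through. If `$queue_sort_options` holds the permitted keys (the `elseif` branch seeds the session from it), write `if (isset($_GET['sort']) && in_array($_GET['sort'], $queue_sort_options, true))` and store the direction as `(int) $_GET['dir']`. `$_GET['dir']` is also read without an `isset` check, which raises a notice when only `sort` is supplied.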
@@ -7,6 +7,7 @@ if($_REQUEST['id'] && !($form=DynamicForm::lookup($_REQUEST['id'])))
     $errors['err']=sprintf(__('%s: Unknown or invalid ID.'), __('custom form'));
 
 if($_POST) {
+    $_POST = Format::htmlchars($_POST, true);
     $fields = array('title', 'notes', 'instructions');
     $required = array('title');
     $max_sort = 0;
diff --git a/scp/tickets.php b/scp/tickets.php
index 25e21dfd4e2a4854311393d4d35ccec99195688d..aa0c90339679c184e7d1ccc5283ce4e0a3b1ec35 100644
--- a/scp/tickets.php
+++ b/scp/tickets.php
@@ -90,7 +90,7 @@ if($_POST && !$errors):
         if(!$vars['response'])
             $errors['response']=__('Response required');
 
-        if ($cfg->getLockTime()) {
+        if ($cfg->isTicketLockEnabled()) {
             if (!$lock) {
                 $errors['err'] = sprintf('%s %s', __('This action requires a lock.'), __('Please try again!'));
             }
@@ -147,7 +147,7 @@ if($_POST && !$errors):
                 $vars['cannedattachments'] ?: array(), $attachments);
             $vars['note'] = ThreadEntryBody::clean($vars['note']);
 
-        if ($cfg->getLockTime()) {
+        if ($cfg->isTicketLockEnabled()) {
             if (!$lock) {
                 $errors['err'] = sprintf('%s %s', __('This action requires a lock.'), __('Please try again!'));
             }
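Review bot: Reassigning the `$_POST` superglobal to its HTML-encoded, sanitized form changes what every later consumer in this request sees, including any included template or helper that expects raw input, and it encodes fields that are never rendered as HTML. Prefer a local copy, `$vars = Format::htmlchars($_POST, true);`, used by the form-handling code that follows, and keep escaping in the templates at output time. The remainder of the `if($_POST)` block is outside the hunk, so I cannot see which consumers are affected.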