From 78ee98e307aba4ebc13b5a5de8a32d0bafe06387 Mon Sep 17 00:00:00 2001
From: Jared Hancock <jared@osticket.com>
Date: Mon, 16 Jun 2014 16:32:03 -0500
Subject: [PATCH] Fix several XSS vulnerabilities

In both the client and staff interfaces, where the URL and request
parameters were echoed back without any escaping
---
 include/client/edit.inc.php     | 2 +-
 include/client/tickets.inc.php  | 2 +-
 include/staff/pwreset.login.php | 2 +-
 include/staff/tickets.inc.php   | 2 +-
 4 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/include/client/edit.inc.php b/include/client/edit.inc.php
index 21f2ca726..e01b2df49 100644
--- a/include/client/edit.inc.php
+++ b/include/client/edit.inc.php
@@ -11,7 +11,7 @@ if(!defined('OSTCLIENTINC') || !$thisclient || !$ticket || !$ticket->checkUserAc
 <form action="tickets.php" method="post">
     <?php echo csrf_token(); ?>
     <input type="hidden" name="a" value="edit"/>
-    <input type="hidden" name="id" value="<?php echo $_REQUEST['id']; ?>"/>
+    <input type="hidden" name="id" value="<?php echo Format::htmlchars($_REQUEST['id']); ?>"/>
 <table width="800">
     <tbody id="dynamic-form">
     <?php if ($forms)
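Review bot: The hidden `id` field still round-trips the raw request parameter even though the hunk header shows this page is only reached once `$ticket` has passed `checkUserAccess`; emitting the id of that already-authorized object instead, e.g. `value="<?php echo (int) $ticket->getId(); ?>"` (assuming the ticket object exposes its id — confirm against the class), would remove the user-controlled echo entirely and the integer cast makes escaping moot. Format::htmlchars is the right fix if the raw value must stay, but note that `$_REQUEST` may merge cookie values depending on `request_order`, so the id posted back can differ from the one the access check validated unless the submit handler re-checks it. The enclosing form continues outside the hunk.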
diff --git a/include/client/tickets.inc.php b/include/client/tickets.inc.php
index 1c227ba4c..6fb6abaa2 100644
--- a/include/client/tickets.inc.php
+++ b/include/client/tickets.inc.php
@@ -120,7 +120,7 @@ $negorder=$order=='DESC'?'ASC':'DESC'; //Negate the sorting
     </select>
     <input type="submit" value="Go">
 </form>
-<a class="refresh" href="<?php echo $_SERVER['REQUEST_URI']; ?>">Refresh</a>
+<a class="refresh" href="<?php echo Format::htmlchars($_SERVER['REQUEST_URI']); ?>">Refresh</a>
 <table id="ticketTable" width="800" border="0" cellspacing="0" cellpadding="0">
     <caption><?php echo $showing; ?></caption>
     <thead>
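Review bot: Escaping `$_SERVER['REQUEST_URI']` closes the attribute breakout, but a self-refresh link does not need to echo the request target at all, so the safer shape is to drop the echo (for instance a relative `href` to the same script with no user-controlled query string) and keep the escape only if the exact URI must be preserved. If the echo stays, the fix is correct only as long as Format::htmlchars escapes double quotes as well as angle brackets; the pwreset.login.php hunk header shows it also accepts arrays, so it presumably wraps htmlspecialchars, but confirm the flags it passes. The same pattern appears in the include/staff/tickets.inc.php hunk of this commit.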
diff --git a/include/staff/pwreset.login.php b/include/staff/pwreset.login.php
index 6f93f1f01..8a7455ad8 100644
--- a/include/staff/pwreset.login.php
+++ b/include/staff/pwreset.login.php
@@ -11,7 +11,7 @@ $info = ($_POST)?Format::htmlchars($_POST):array();
     <form action="pwreset.php" method="post">
         <?php csrf_token(); ?>
         <input type="hidden" name="do" value="newpasswd"/>
-        <input type="hidden" name="token" value="<?php echo $_REQUEST['token']; ?>"/>
+        <input type="hidden" name="token" value="<?php echo Format::htmlchars($_REQUEST['token']); ?>"/>
         <fieldset>
             <input type="text" name="userid" id="name" value="<?php echo
                 $info['userid']; ?>" placeholder="username or email"
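Review bot: `$_REQUEST['token']` is read without an `isset` guard, so rendering this form when no token is present in the request emits an undefined-index notice inside the attribute value; the hunk header (`$info = ($_POST)?Format::htmlchars($_POST):array();`) suggests the template can render on a bare POST, though whether the including page already requires a token is not visible here. `value="<?php echo isset($_REQUEST['token']) ? Format::htmlchars($_REQUEST['token']) : ''; ?>"` keeps the escape and avoids the notice. The enclosing form continues outside the hunk.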
diff --git a/include/staff/tickets.inc.php b/include/staff/tickets.inc.php
index 47382d556..610d25fa5 100644
--- a/include/staff/tickets.inc.php
+++ b/include/staff/tickets.inc.php
@@ -308,7 +308,7 @@ if ($results) {
 <div style="margin-bottom:20px">
 <form action="tickets.php" method="POST" name='tickets'>
 <?php csrf_token(); ?>
- <a class="refresh" href="<?php echo $_SERVER['REQUEST_URI']; ?>">Refresh</a>
+ <a class="refresh" href="<?php echo Format::htmlchars($_SERVER['REQUEST_URI']); ?>">Refresh</a>
  <input type="hidden" name="a" value="mass_process" >
  <input type="hidden" name="do" id="action" value="" >
  <input type="hidden" name="status" value="<?php echo Format::htmlchars($_REQUEST['status']); ?>" >
-- 
GitLab