diff --git a/include/class.config.php b/include/class.config.php
index d0a735e7db0f94cfcb231b053218af27f9a4f5e3..8cd3012e74920e916c7a45d518d7fc903cd153cc 100644
--- a/include/class.config.php
+++ b/include/class.config.php
@@ -419,6 +419,11 @@ class OsticketConfig extends Config {
 return $this->get('enable_avatars');
 }
+ function isTicketLockEnabled() {
+ return (($this->getTicketLockMode() != Lock::MODE_DISABLED)
+ && $this->getLockTime());
+ }
+
 function getClientTimeout() {
 return $this->getClientSessionTimeout();
 }
@@ -1106,6 +1111,8 @@ class OsticketConfig extends Config {
 $f['default_timezone']=array('type'=>'string', 'required'=>1, 'error'=>__('Default Timezone is required'));
 $f['system_language']=array('type'=>'string', 'required'=>1, 'error'=>__('A primary system language is required'));
+ $vars = Format::htmlchars($vars, true);
+
 // Make sure the selected backend is valid
 $storagebk = null;
 if (isset($vars['default_storage_bk'])) {
diff --git a/include/class.dept.php b/include/class.dept.php
index 387e8f7fa4fb4e8a6802a18e49951a49d2ef33c2..fe8ded86e6aba9c5371c6ea6b46e1e861d7bf62e 100644
--- a/include/class.dept.php
+++ b/include/class.dept.php
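Review bot: `isTicketLockEnabled()` returns whatever `getLockTime()` yields rather than a boolean, although scp/tickets.php now uses it purely as a predicate; make the contract explicit with `return $this->getTicketLockMode() != Lock::MODE_DISABLED && (int) $this->getLockTime() > 0;`. A one-line docblock would also help callers, e.g. `/** True only when a lock mode is selected and the lock timeout is non-zero; otherwise no lock is required for ticket actions. */`. Whether the loose `!=` against `Lock::MODE_DISABLED` is needed because the stored mode is a string is not visible here.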
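Review bot: Running `Format::htmlchars($vars, true)` over the whole settings array encodes on input, so any setting containing `&`, `<`, `>` or quotes is persisted with HTML entities and will be double-encoded wherever a template already escapes on output, and the `true` flag additionally pushes every value through `Format::sanitize()` (an HTML cleaner, per the class.format.php hunk below) even for identifiers such as `default_storage_bk` and `default_timezone` that are never rendered as HTML. Prefer escaping at the point of output, or restrict this call to the free-text settings rather than the entire array; which settings those are is not visible in this hunk. The enclosing method starts and ends outside the hunk.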
@@ -761,6 +761,21 @@ implements TemplateVariable, Searchable {
 if($dept && !$dept->isActive()) $errors['dept_id'] = sprintf(__('%s selected must be active'), __('Parent Department'));
+ if ($vars['sla_id'] && !SLA::lookup($vars['sla_id']))
+ $errors['sla_id'] = __('Invalid SLA');
+
+ if ($vars['manager_id'] && !Staff::lookup($vars['manager_id']))
+ $errors['manager_id'] = __('Unknown Staff');
+
+ if ($vars['email_id'] && !Email::lookup($vars['email_id']))
+ $errors['email_id'] = __('Unknown System Email');
+
+ if ($vars['tpl_id'] && !EmailTemplateGroup::lookup($vars['tpl_id']))
+ $errors['tpl_id'] = __('Unknown Template Set');
+
+ if ($vars['autoresp_email_id'] && !Email::lookup($vars['autoresp_email_id']))
+ $errors['autoresp_email_id'] = __('Unkown System Email');
+
 // Format access update as [array(dept_id, role_id, alerts?)]
 $access = array();
 if (isset($vars['members'])) {
@@ -775,11 +790,11 @@ implements TemplateVariable, Searchable {
 return false;
 $this->pid = $vars['pid'] ?: null;
- $this->ispublic = isset($vars['ispublic'])?$vars['ispublic']:0;
- $this->email_id = isset($vars['email_id'])?$vars['email_id']:0;
- $this->tpl_id = isset($vars['tpl_id'])?$vars['tpl_id']:0;
- $this->sla_id = isset($vars['sla_id'])?$vars['sla_id']:0;
- $this->autoresp_email_id = isset($vars['autoresp_email_id'])?$vars['autoresp_email_id']:0;
+ $this->ispublic = isset($vars['ispublic']) ? (int) $vars['ispublic'] : 0;
+ $this->email_id = isset($vars['email_id']) ? (int) $vars['email_id'] : 0;
+ $this->tpl_id = isset($vars['tpl_id']) ? (int) $vars['tpl_id'] : 0;
+ $this->sla_id = isset($vars['sla_id']) ? (int) $vars['sla_id'] : 0;
+ $this->autoresp_email_id = isset($vars['autoresp_email_id']) ? (int) $vars['autoresp_email_id'] : 0;
 $this->manager_id = $vars['manager_id'] ?: 0;
 $this->name = Format::striptags($vars['name']);
 $this->signature = Format::sanitize($vars['signature']);
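Review bot: The new lookups read `$vars['sla_id']`, `$vars['manager_id']`, `$vars['email_id']`, `$vars['tpl_id']` and `$vars['autoresp_email_id']` without an existence check, so a form that omits any of these keys raises an undefined-index notice, whereas the assignments later in the same method guard the same keys with `isset()`; `if (!empty($vars['sla_id']) && !SLA::lookup($vars['sla_id']))` keeps the behaviour and is notice-free. The last message also carries a typo that becomes a translation key, `'Unkown System Email'`, and should read `'Unknown System Email'` like the `email_id` message above it. Whether `Staff::lookup` should further require an active staff member for `manager_id` is not visible here. The enclosing method starts before the hunk.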
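Review bot: `manager_id` is still stored as `$vars['manager_id'] ?: 0` while the sibling foreign keys on the lines above now get an explicit `(int)` cast; for consistency, and so a non-numeric value never reaches the ORM, change it to `$this->manager_id = (int) ($vars['manager_id'] ?: 0);`. Note that casting after validation means the value that was looked up earlier in this method and the value stored can differ for input such as `"3abc"`; casting before the lookup, or rejecting non-digit input, would close that gap, though how the lookups treat such strings is not visible here. The enclosing method starts before the hunk and ends after it.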
diff --git a/include/class.format.php b/include/class.format.php
index 2463271c875b24e85b6a50039690096cddfb2127..96764f2027126caa966f0bcad2b3119ff83030ef 100644
--- a/include/class.format.php
+++ b/include/class.format.php
@@ -350,8 +350,13 @@ class Format {
 function htmlchars($var, $sanitize = false) {
 static $phpversion = null;
- if (is_array($var))
- return array_map(array('Format', 'htmlchars'), $var);
+ if (is_array($var)) {
+ $result = array();
+ foreach ($var as $k => $v)
+ $result[$k] = self::htmlchars($v, $sanitize);
+
+ return $result;
+ }
 if ($sanitize) $var = Format::sanitize($var);
diff --git a/include/class.thread.php b/include/class.thread.php
index 66b339d0ac6837b42091eb177e606f1aedf148bc..e8da34ca0e93b089a4f2c800cd25d6ba203979cd 100644
--- a/include/class.thread.php
+++ b/include/class.thread.php
@@ -2082,8 +2082,8 @@ class ThreadEvents extends InstrumentedList {
 }
 // XXX: Use $user here
 elseif ($thisclient) {
- if ($thisclient->hasAccount)
- $username = $thisclient->getAccount()->getUserName();
+ if ($thisclient->hasAccount())
+ $username = $thisclient->getFullName();
 if (!$username) $username = $thisclient->getEmail();
 }
@@ -2527,7 +2527,7 @@ class TextThreadEntryBody extends ThreadEntryBody {
 }
 function getClean() {
- return Format::stripEmptyLines(parent::getClean());
+ return Format::htmlchars(Format::stripEmptyLines(parent::getClean()), true);
 }
 function prepend($what) {
diff --git a/include/class.user.php b/include/class.user.php
index 4681b3fd1a8aa596bead9462a87a2cfcd2e2a1dc..f6660d16f0123397d884c64b4b676a55af411f70 100644
--- a/include/class.user.php
+++ b/include/class.user.php
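Review bot: The array branch of `htmlchars()` now propagates `$sanitize` to every leaf and preserves keys, which is a behaviour change for callers that pass a whole `$_POST` (the old `array_map` silently dropped the flag), and that contract is undocumented; a docblock such as `/** HTML-escape a string, or every leaf of a nested array (keys preserved, not escaped). With $sanitize the value is first passed through Format::sanitize(). */` would make it explicit. Keys are left untouched, which is fine for form field names but means callers must not echo user-controlled keys unescaped. `htmlchars()` continues past the hunk.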
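Review bot: `TextThreadEntryBody::getClean()` now calls `Format::htmlchars(..., true)`, and per the class.format.php hunk above the `true` flag runs `Format::sanitize()` before escaping — an HTML cleaner applied to a body that is declared plain text, so content like `a < b` or `<user@example.com>` may be altered before it is escaped, and if `getClean()` is on the storage path the body is persisted pre-encoded. If the goal is only to neutralise markup in text bodies, `return Format::htmlchars(Format::stripEmptyLines(parent::getClean()));` without the sanitize flag is sufficient, with escaping otherwise left to the renderer. Whether this method is reached on storage or on display is not visible here.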
@@ -507,7 +507,7 @@ implements TemplateVariable, Searchable {
 db_autocommit(false);
 $records = $importer->importCsv(UserForm::getUserForm()->getFields(), $defaults);
 foreach ($records as $data) {
- if (!isset($data['email']) || !isset($data['name']))
+ if (!Validator::is_email($data['email']) || empty($data['name']))
 throw new ImportError('Both `name` and `email` fields are required');
 if (!($user = static::fromVars($data, true, true))) throw new ImportError(sprintf(__('Unable to import user: %s'),
diff --git a/include/cli/modules/unpack.php b/include/cli/modules/unpack.php
index 75fa1090f3790f7eefed5fac82581fd075de8a60..a156288846bc808f3ceba9783b537013319d89a0 100644
--- a/include/cli/modules/unpack.php
+++ b/include/cli/modules/unpack.php
@@ -210,7 +210,7 @@ class Unpacker extends Module {
 ), $pipes);
 fwrite($pipes[0], "<?php
- include '{$this->destination}/bootstrap.php';
+ include '{$this->source}/bootstrap.php';
 print INCLUDE_DIR;
 ");
 fclose($pipes[0]);
diff --git a/include/staff/helptopic.inc.php b/include/staff/helptopic.inc.php
index 23e813d373289f5cff31b169214b4cc96dab78b3..e38af8be1514350de5b66829c8c016b1d95da50b 100644
--- a/include/staff/helptopic.inc.php
+++ b/include/staff/helptopic.inc.php
@@ -20,7 +20,7 @@ if($topic && $_REQUEST['a']!='add') {
 $qs += array('a' => $_REQUEST['a']);
 $forms = TicketForm::objects();
 }
-$info=Format::htmlchars(($errors && $_POST)?$_POST:$info);
+$info=Format::htmlchars(($errors && $_POST)?$_POST:$info, true);
 ?>
 <h2><?php echo $title; ?>
diff --git a/include/staff/system.inc.php b/include/staff/system.inc.php
index a1341fd01a6033254e27785886bb3eb18f3360ea..ecbbe9aa7a04472a0b99e88c8e391edd013dec18 100644
--- a/include/staff/system.inc.php
+++ b/include/staff/system.inc.php
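Review bot: `Validator::is_email($data['email'])` is evaluated before any existence check, so a CSV row with no `email` column now raises an undefined-index notice where the old `isset()` guard was silent; `if (empty($data['email']) || !Validator::is_email($data['email']) || empty($data['name']))` keeps the error message accurate and is notice-free. `empty($data['name'])` also rejects the literal name `0`, which may or may not be intended. The import method continues outside the hunk.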
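Review bot: `$this->source` is interpolated into generated PHP inside a single-quoted literal, so a source path containing a `'` or a trailing backslash breaks the child script or changes which file it includes; emitting the literal with `var_export` is always valid: `include " . var_export($this->source . '/bootstrap.php', true) . ";`. The path is operator-supplied on the CLI, so this is a robustness fix rather than an exposure, but it costs nothing. The call that populated `$pipes` is outside the hunk.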
@@ -183,16 +183,18 @@ if (!$lv) { ?>
 $p = $info['path'];
 if ($info['phar']) $p = 'phar://' . $p;
+ $manifest = (file_exists($p . '/MANIFEST.php')) ? (include $p . '/MANIFEST.php') : null;
 ?>
 <h3><strong><?php echo Internationalization::getLanguageDescription($info['code']); ?></strong>
- — <?php echo $manifest['Language']; ?>
+ <?php if ($manifest) { ?>
+ — <?php echo $manifest['Language']; ?>
+ <?php } ?>
 <?php if ($info['phar']) Plugin::showVerificationBadge($info['path']); ?>
 </h3>
 <div><?php echo sprintf('<code>%s</code> — %s', $info['code'], str_replace(ROOT_DIR, '', $info['path'])); ?>
-<?php if (file_exists($p . '/MANIFEST.php')) {
- $manifest = (include $p . '/MANIFEST.php'); ?>
+<?php if ($manifest) { ?>
 <br/> <?php echo __('Version'); ?>: <?php echo $manifest['Version']; ?>, <?php echo sprintf(__('for version %s'), 'v'.($manifest['Phrases-Version'] ?: '1.9')); ?>
diff --git a/scp/forms.php b/scp/forms.php
index 5a4978e0982e98ccfd7d39068e724e6fd2ab1133..da5663a817df06f5068a69e083ddaca6e172a653 100644
--- a/scp/forms.php
+++ b/scp/forms.php
@@ -7,6 +7,7 @@ if($_REQUEST['id'] && !($form=DynamicForm::lookup($_REQUEST['id'])))
 $errors['err']=sprintf(__('%s: Unknown or invalid ID.'), __('custom form'));
 if($_POST) {
+ $_POST = Format::htmlchars($_POST, true);
 $fields = array('title', 'notes', 'instructions');
 $required = array('title');
 $max_sort = 0;
diff --git a/scp/tickets.php b/scp/tickets.php
index e6f668aeb2b551df1ce9ce2e431c4164c9283de4..450403f99b1639037ba303f06f8cbfbb99c944fe 100644
--- a/scp/tickets.php
+++ b/scp/tickets.php
@@ -154,7 +154,7 @@ if($_POST && !$errors):
 if(!$vars['response']) $errors['response']=__('Response required');
- if ($cfg->getLockTime()) {
+ if ($cfg->isTicketLockEnabled()) {
 if (!$lock) {
 $errors['err'] = sprintf('%s %s', __('This action requires a lock.'), __('Please try again!'));
 }
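Review bot: `$manifest` is now the raw return value of `include`, which is the integer `1` when MANIFEST.php exists but does not `return` an array, so `if ($manifest)` passes and `$manifest['Language']` / `$manifest['Version']` read array offsets on an int; guard the type instead of truthiness: `$manifest = file_exists($p . '/MANIFEST.php') ? (include $p . '/MANIFEST.php') : null;` followed by `if (!is_array($manifest)) $manifest = null;`. The manifest fields are also echoed unescaped; they originate in a language pack that `Plugin::showVerificationBadge` may flag as unverified, so wrapping them in `Format::htmlchars()` is cheap insurance, although that was already the case before this change. Including MANIFEST.php executes whatever PHP the pack ships regardless of that badge, which is pre-existing but worth noting.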
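Review bot: Overwriting the `$_POST` superglobal with its escaped copy at the top of the handler means every later read in this file and in anything it includes silently receives HTML-encoded, sanitised values — including numeric or sort fields and any field intended to carry markup — and it encodes on input, so values the templates already escape are double-encoded on redisplay. Prefer a local, `$vars = Format::htmlchars($_POST, true);`, and read `$vars` where the handler currently reads `$_POST`, leaving the superglobal intact. The handler continues outside the hunk, so which reads would need updating is not visible here.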
@@ -216,7 +216,7 @@ if($_POST && !$errors):
 $vars['cannedattachments'] ?: array(), $attachments);
 $vars['note'] = ThreadEntryBody::clean($vars['note']);
- if ($cfg->getLockTime()) {
+ if ($cfg->isTicketLockEnabled()) {
 if (!$lock) {
 $errors['err'] = sprintf('%s %s', __('This action requires a lock.'), __('Please try again!'));
 }