From 9916214f79639b617aa5d180765f0f6a7551364e Mon Sep 17 00:00:00 2001
From: Jared Hancock <jared@osticket.com>
Date: Fri, 2 May 2014 14:13:53 -0500
Subject: [PATCH] security: Remove potential XSS vulnerability

The ThreadEntryWidget has a potential cross-site scripting (XSS)
vulnerability: content posted directly to the page hosting the widget was
echoed back into the textarea unescaped.

Vulnerable URLs:
view.php, open.php, scp/open.php, scp/tickets.php

The content received in the HTTP POST is now correctly escaped when it is
echoed back to the user agent.
---
 include/class.forms.php | 5 +++--
 open.php                | 4 +++-
 2 files changed, 6 insertions(+), 3 deletions(-)

diff --git a/include/class.forms.php b/include/class.forms.php
index 10322eae1..5253fa55a 100644
--- a/include/class.forms.php
+++ b/include/class.forms.php
@@ -1200,7 +1200,7 @@ class ThreadEntryWidget extends Widget {
         ?><div style="margin-bottom:0.5em;margin-top:0.5em"><strong><?php
         echo Format::htmlchars($this->field->get('label'));
         ?></strong>:</div>
-        <textarea name="<?php echo $this->field->get('name'); ?>"
+        <textarea style="width:100%;" name="<?php echo $this->field->get('name'); ?>"
             placeholder="<?php echo Format::htmlchars($this->field->get('hint')); ?>"
             <?php if (!$client) { ?>
                 data-draft-namespace="ticket.staff"
@@ -1210,7 +1210,7 @@ class ThreadEntryWidget extends Widget {
             <?php } ?>
             class="richtext draft draft-delete ifhtml"
             cols="21" rows="8" style="width:80%;"><?php echo
-            $this->value; ?></textarea>
+            Format::htmlchars($this->value); ?></textarea>
     <?php
     }
 
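Review bot: The escaping of `$this->value` is the right fix for textarea content, but the reason it works with a rich-text editor is non-obvious and deserves a comment, since a future maintainer may "fix" the apparent double-encoding by removing it. Textarea content is RCDATA: escaping `<` and `&` stops a value containing `</textarea>` or markup from breaking out of the element, and the browser decodes the entities when it builds the control's value, so the editor behind `class="richtext ... ifhtml"` still receives the original HTML. Suggested comment above the echo: `// textarea content is RCDATA: escape so a posted value cannot close the element; the browser decodes entities, so the rich-text editor still sees the raw HTML`. I cannot see `Format::htmlchars` here, so I am assuming it escapes at least `<`, `>` and `&`; quote handling is irrelevant inside element content. Note also that the context line `style="width:80%;"` now duplicates the `style` attribute added on the open tag in the previous hunk.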
@@ -1221,6 +1221,7 @@ class ThreadEntryWidget extends Widget {
             && !$cfg->allowAttachmentsOnlogin())
             || ($cfg->allowAttachmentsOnlogin()
                 && ($thisclient && $thisclient->isValid()))) { ?>
+        <div class="clear"><div>
         <hr/>
         <div><strong style="padding-right:1em;vertical-align:top">Attachments: </strong>
         <div style="display:inline-block">
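Review bot: The added `<div class="clear"><div>` opens two `div` elements and closes neither, which is almost certainly a typo for a clearing element; as written the `<hr/>` and the attachments block that follow end up nested inside two unclosed divs, and the browser has to auto-close them somewhere later in the page. The line should be `<div class="clear"></div>`. The method containing this markup starts before and continues past the hunk, so I cannot confirm nothing downstream closes these divs, but nothing visible does.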
diff --git a/open.php b/open.php
index 4cb7684a8..474ad175e 100644
--- a/open.php
+++ b/open.php
@@ -42,10 +42,12 @@ if($_POST):
     if (!$errors && $cfg->allowOnlineAttachments() && $_FILES['attachments'])
         $vars['files'] = AttachmentFile::format($_FILES['attachments'], true);
 
+    // Drop the draft.. If there are validation errors, the content
+    // submitted will be displayed back to the user
+    Draft::deleteForNamespace('ticket.client.'.substr(session_id(), -12));
     //Ticket::create...checks for errors..
     if(($ticket=Ticket::create($vars, $errors, SOURCE))){
         $msg='Support ticket request created';
-        Draft::deleteForNamespace('ticket.client.'.substr(session_id(), -12));
         // Save the form data from the help-topic form, if any
         if ($form) {
             $form->setTicketId($ticket->getId());
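Review bot: Moving `Draft::deleteForNamespace` ahead of `Ticket::create` means the autosaved draft is now discarded on every POST, including when creation fails for a reason other than form validation (a storage error, say) — the user keeps the posted content in the re-rendered form, so nothing is lost, but the comment should say that this is the accepted trade-off. The comment also states the timing without the motive; presumably the widget prefers a stored draft over `$this->value`, so a surviving draft would mask the posted content that failed validation — if that is the case, say so: `// Drop the draft before creating the ticket: on validation errors the form is re-rendered with the POSTed content, and a surviving draft would shadow it`. `session_id()` yields an empty string when no session is active, which would collapse the namespace to `ticket.client.`; that is pre-existing, but since the call is being relocated it may be worth guarding. The POST handler continues past the hunk.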
-- 
GitLab