Assume text from the web user interface is not html

include/class.thread.php

@@ -146,6 +146,10 @@ class Thread {
         //Add ticket Id.
         $vars['ticketId'] = $this->getTicketId();
 
+        // DELME: When HTML / rich-text is supported
+        $vars['title'] = Format::htmlchars($vars['title']);
+        $vars['body'] = Format::htmlchars($vars['body']);
+
         return Note::create($vars, $errors);
     }
 
@@ -154,6 +158,10 @@ class Thread {
         $vars['ticketId'] = $this->getTicketId();
         $vars['staffId'] = 0;
 
+        // DELME: When HTML / rich-text is supported
+        $vars['title'] = Format::htmlchars($vars['title']);
+        $vars['body'] = Format::htmlchars($vars['body']);
+
         return Message::create($vars, $errors);
     }
 
@@ -161,6 +169,10 @@ class Thread {
 
         $vars['ticketId'] = $this->getTicketId();
 
+        // DELME: When HTML / rich-text is supported
+        $vars['title'] = Format::htmlchars($vars['title']);
+        $vars['body'] = Format::htmlchars($vars['body']);
+
         return Response::create($vars, $errors);
     }