From bca3d537f2853ecf761f287ffed115b5408c5b48 Mon Sep 17 00:00:00 2001
From: Jared Hancock <jared@osticket.com>
Date: Tue, 30 Jul 2013 19:44:11 +0000
Subject: [PATCH] Assume text from the web user interface is not html

---
 include/class.thread.php | 12 ++++++++++++
 1 file changed, 12 insertions(+)

diff --git a/include/class.thread.php b/include/class.thread.php
index f45c0e518..9b4853a42 100644
--- a/include/class.thread.php
+++ b/include/class.thread.php
@@ -146,6 +146,10 @@ class Thread {
         //Add ticket Id.
         $vars['ticketId'] = $this->getTicketId();
 
+        // DELME: When HTML / rich-text is supported
+        $vars['title'] = Format::htmlchars($vars['title']);
+        $vars['body'] = Format::htmlchars($vars['body']);
+
         return Note::create($vars, $errors);
     }
 
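Review bot: The two escaping lines are pasted identically into three methods in this patch (here and in the hunks at -154 and -161), and each writes `$vars['title']` and `$vars['body']` back unconditionally, so an entry submitted without one of those keys now triggers an undefined-index notice on the read and presumably ends up with the key set to an empty string instead of left absent as before. A small private helper that escapes only the keys present would keep the three call sites identical and give the DELME comment one place to remove later. Separately, this escapes on the way into storage rather than at render time: any consumer that escapes the stored text again will double-encode it, and any plain-text consumer (e.g. notification mail) will show literal entities, so confirm those paths before treating this as the XSS control. Each of the three enclosing methods begins before its hunk.
```php
        // DELME: When HTML / rich-text is supported
        $vars = $this->escapeEntryText($vars);

        return Note::create($vars, $errors);
    }

    // DELME together with the calls above: escape the user-supplied fields in
    // one place, leaving keys that were not submitted absent.
    private function escapeEntryText($vars) {
        foreach (array('title', 'body') as $field) {
            if (isset($vars[$field]))
                $vars[$field] = Format::htmlchars($vars[$field]);
        }
        return $vars;
    }
```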
@@ -154,6 +158,10 @@ class Thread {
         $vars['ticketId'] = $this->getTicketId();
         $vars['staffId'] = 0;
 
+        // DELME: When HTML / rich-text is supported
+        $vars['title'] = Format::htmlchars($vars['title']);
+        $vars['body'] = Format::htmlchars($vars['body']);
+
         return Message::create($vars, $errors);
     }
 
@@ -161,6 +169,10 @@ class Thread {
 
         $vars['ticketId'] = $this->getTicketId();
 
+        // DELME: When HTML / rich-text is supported
+        $vars['title'] = Format::htmlchars($vars['title']);
+        $vars['body'] = Format::htmlchars($vars['body']);
+
         return Response::create($vars, $errors);
     }
 
-- 
GitLab