From bf519a9424682467b4d1327ed5191296a663872a Mon Sep 17 00:00:00 2001
From: Jared Hancock <jared@osticket.com>
Date: Tue, 19 Nov 2013 13:14:03 -0600
Subject: [PATCH] Properly encode htmlchars in thread bodies

And avoid double encoding email bodies if html thread is not enabled
---
 include/class.api.php | 12 +++++++++++-
 include/class.mailfetch.php | 14 +++++--------
 include/class.mailparse.php | 14 +++++--------
 include/class.thread.php | 6 +++---
 4 files changed, 24 insertions(+), 22 deletions(-)

diff --git a/include/class.api.php b/include/class.api.php
index fff9c2dd3..0612fce72 100644
--- a/include/class.api.php
+++ b/include/class.api.php
@@ -310,6 +310,7 @@ class ApiXmlDataParser extends XmlDataParser {
      * XML data types
      */
     function fixup($current) {
+        global $cfg;
         if($current['ticket'])
             $current = $current['ticket'];
@@ -336,9 +337,18 @@ class ApiXmlDataParser extends XmlDataParser {
             }
             if (isset($value['encoding']))
                 $value['body'] = Format::utf8encode($value['body'], $value['encoding']);
-            if (!isset($value['type']) || $value['type'] != 'text/html')
+            // HTML-ize text if html is enabled
+            if ($cfg->isHtmlThreadEnabled()
+                    && (!isset($value['type'])
+                        || strcasecmp($value['type'], 'text/html')))
                 $value = sprintf('<pre>%s</pre>', Format::htmlchars($value['body']));
+            // Text-ify html if html is disabled
+            elseif (!$cfg->isHtmlThreadEnabled()
+                    && !strcasecmp($value['type'], 'text/html'))
+                $value = Format::html2text(Format::safe_html(
+                    $value['body']), 100, false);
+            // Noop if they content-type matches the html setting
             else
                 $value = $value['body'];
         } else if ($key == "attachments") {
diff --git a/include/class.mailfetch.php b/include/class.mailfetch.php
index 824a0358e..3c1804a32 100644
--- a/include/class.mailfetch.php
+++ b/include/class.mailfetch.php
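Review bot: In the second include/class.api.php hunk the `elseif` branch reads `$value['type']` without the `isset()` guard that the first branch has, so a body with no `type` while HTML threads are disabled raises an undefined-index notice before falling through to the raw-body `else`. Guarding it keeps the two branches symmetric: `elseif (!$cfg->isHtmlThreadEnabled() && isset($value['type']) && !strcasecmp($value['type'], 'text/html'))`. With HTML threads enabled a `text/html` body now reaches the `else` branch untouched, which presumably relies on the `Format::sanitize()` call added in the include/class.thread.php hunk being on every path that stores this value; a comment on the `else` such as `// raw HTML is kept as-is here; it is sanitized when the thread entry is stored` would make that dependency visible. The new comment `// Noop if they content-type matches the html setting` should read `the content-type`. `fixup()` and the loop around this block continue outside the hunk.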
@@ -437,16 +437,12 @@ class MailFetcher {
             }
         }
         else {
-            if ($body=$this->getPart($mid, 'text/plain', $this->charset)) {
-                $body = Format::htmlchars($body);
-            }
-            elseif ($body=$this->getPart($mid, 'text/html', $this->charset)) {
-                $body = Format::html2text(Format::safe_html($body), 100, false);
+            if (!($body=$this->getPart($mid, 'text/plain', $this->charset))) {
+                if ($body=$this->getPart($mid, 'text/html', $this->charset)) {
+                    $body = Format::html2text(Format::safe_html($body), 100, false);
+                }
             }
-            $body = trim($body)
-                ? sprintf('<pre>%s</pre>',
-                    $body)
-                : '--';
+            $body = trim($body) ? $body : '--';
         }
         return $body;
     }
diff --git a/include/class.mailparse.php b/include/class.mailparse.php
index 364d58d85..32b0083a6 100644
--- a/include/class.mailparse.php
+++ b/include/class.mailparse.php
@@ -187,16 +187,12 @@ class Mail_Parse {
             }
         }
         else {
-            if ($body=$this->getPart($this->struct,'text/plain')) {
-                $body = Format::htmlchars($body);
-            }
-            elseif ($body=$this->getPart($this->struct,'text/html')) {
-                $body = Format::html2text(Format::safe_html($body), 100, false);
+            if (!($body=$this->getPart($this->struct,'text/plain'))) {
+                if ($body=$this->getPart($this->struct,'text/html')) {
+                    $body = Format::html2text(Format::safe_html($body), 100, false);
+                }
             }
-            $body = trim($body)
-                ? sprintf('<pre>%s</pre>',
-                    $body)
-                : '--';
+            $body = trim($body) ? $body : '--';
         }
         return $body;
     }
diff --git a/include/class.thread.php b/include/class.thread.php
index 0fca591d9..13c2e0dfe 100644
--- a/include/class.thread.php
+++ b/include/class.thread.php
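Review bot: The `text/plain` branch in this include/class.mailfetch.php hunk now returns the part without any escaping regardless of the HTML-thread setting, whereas the include/class.api.php hunk in the same commit still escapes and `<pre>`-wraps plain text when HTML threads are enabled, and the include/class.thread.php hunk only escapes when they are disabled; so with HTML threads enabled a plain-text mail containing `<` or `&` would presumably be stored as markup (after sanitize) rather than as literal text. Either mirror the api.php branch here (wrap in `<pre>` with `Format::htmlchars()` when `$cfg->isHtmlThreadEnabled()`, which needs `global $cfg;` as in that hunk), or make the contract explicit with a comment above the block such as `// Returns the body as unescaped text (HTML parts are converted with html2text); callers must HTML-escape it according to the html-thread setting`. As a point of style, the nested `if (!($body = …)) { if ($body = …) {` can be flattened to `if (!($body=$this->getPart($mid, 'text/plain', $this->charset)) && ($body=$this->getPart($mid, 'text/html', $this->charset)))`, which is equivalent because `&&` short-circuits. The identical hunk in include/class.mailparse.php has the same issues. The enclosing method begins outside the hunk.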
@@ -776,14 +776,14 @@ Class ThreadEntry {
             unset($a);
         }
-        $vars['body'] = Format::sanitize($vars['body'],
-            !$cfg->isHtmlThreadEnabled());
         if (!$cfg->isHtmlThreadEnabled()) {
             // Data in the database is assumed to be HTML, change special
             // plain text XML characters
             $vars['title'] = Format::htmlchars($vars['title']);
-            $vars['body'] = Format::htmlchars($vars['body']);
+            $vars['body'] = sprintf('<pre>%s</pre>',
+                Format::htmlchars($vars['body']));
         }
+        $vars['body'] = Format::sanitize($vars['body']);
         $sql=' INSERT INTO '.TICKET_THREAD_TABLE.' SET created=NOW() '
             .' ,thread_type='.db_input($vars['type'])
-- 
GitLab
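Review bot: `Format::sanitize()` now runs after the HTML-disabled branch has already escaped the body with `Format::htmlchars()` and wrapped it in `<pre>`, and the second argument the removed call passed (`!$cfg->isHtmlThreadEnabled()`) is dropped; if that flag selected a plain-text mode, the HTML sanitizer is now applied to already-escaped text and must neither decode entities nor alter `<pre>` content for the stored body to stay literal — I can't confirm its behaviour from this hunk, so it is worth checking. The comment `// Data in the database is assumed to be HTML, change special plain text XML characters` no longer describes the branch; suggest `// HTML threads disabled: the body is plain text, so escape it and wrap it in <pre> so it is stored as whitespace-preserving HTML`. With HTML threads enabled this `sanitize()` call is the only processing the body receives before the INSERT, which makes it the single point that keeps stored bodies safe to render; a one-line comment above it stating that (`// Every body is stored as HTML; sanitize it regardless of the html-thread setting`) would keep a future refactor from moving it back inside the branch. The enclosing method continues on both sides of the hunk.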