Names parsed from incoming emails are stored in the database as is. This
pull request addresses potential XSS vulnerability due to improper display
of unsanitized names. Going forward names will be scrubbed on create.

User::fromVars in class ticket was the root. Eventually, in
DynamicForm::getDynamicFields(), isset($this->id) was used to detect
unsaved, new forms that have not been committed to the database; however,
the isset() method was not implemented for the ORM.

Some versions of PHP (5.3.6 on Windows at least) may corrupt `$ost` if it is
closed off as a global variable.

Fixes #917, #969

Starting with osTicket 1.8.1, users must receive an email and follow a link
in the email to get access to the ticket. With this new option, the email
verification step can be avoided in osTicket 1.9, because access is now only
granted to exactly one ticket.

Several places in the code initialize a list of objects from the database
and only fetch one item. In certain instances (which seem almost like a race
condition), MySQL will feel like there are more records available in the
database and will complain with "Commands out of sync, you can't run the
command now".

This patch addresses the issue by utilizing the ::one() method of the
QuerySet where only one record is expected. The ::one() method is further
designed to fetch all one results (which satisfies the MySQL client library)
and return the first item.

Use the admin-configured time format for formatting the values in the time
dropdown as opposed to always using 24-hour time.

Previously, they were displayed in seemingly random order, did not honor
proper nesting, or declared sort order.

In both the client and staff interfaces, where the URL and request
parameters were echo'd back without any escaping

In both the client and staff interfaces, where the URL and request
parameters were echo'd back without any escaping

Auto assign tickets to organization's account manager only if the flag is set and as
the last resort i.e topic or filters assignment takes precedence.

Add original and last message quotes to canned responses

Centralize how canned responses are formatted
Add ability to quote original and last messages as a canned response

That patch introduced a bug where the list of dynamic fields for a form is
always empty

Affected users should upgrade the token to %{recipient.ticket_link}

New ticket by staff would cause the %{company.name} variable to be
incorrectly replaced as the user's name in email templates.

Previously, once a client was authenticated to the system with an email
link, the user could utilize other email links to other tickets; however,
the same ticket page would be presented to the user regardless of which link
was utilized.

This patch allows the ticket in focus for the user to be changed after
visiting the client portal with a different ticket link.

Otherwise, a user's session cannot be voluntarily destroyed