Textarea input cleanup

Reviewed-By: Jared Hancock <jared@osticket.com>

Strip tags on text input field to prevent potential XSS exploit.

Let textarea widgets parse and clean input based on configured text format.
Add cleanup routine to ThreadEntryBody
Clean response/note inputs

Conflicts:

	include/class.forms.php
	include/class.ticket.php

iFrame 

Reviewed-By: Jared Hancock <jared@osticket.com>

Encoded entities can be used to bypass safety checks
Don't remove iframe when using xml_dom to balance tags

Upgrade htmLawed to v 1.1.20

Reviewed-By: Jared Hancock <jared@osticket.com>

Encoded entities can be used to bypass safety checks
Don't remove iframe when using xml_dom to balance tags

On some combinations of operating systems, PHP and libpcre versions, `\s`
will match the iso-8859-x non-breaking-space, 0xa0. This regular expression
will munge the UTF8 encoded version, 0xc2a0 to 0xc220, which is not a valid
UTF8 character.

When inserted into a UTF8 field in mysql, the text will be truncated at and
after the first invalid character.

osTicket supports filtering allowable files on the client-side via JS as
well as server-side on upload.

Ajax based upload skipped server-side validation with the assumption that
the client already validated the file upload. For most cases this is a valid
assumption (ajax only works if JS is enabled) but fails to account for cases
where HTTP requests is intercepted and changed on transit or the request is
posted directly to the ajax interface.

This commit forces server-side file upload validation.

Patch so that topicId can be specified in $_GET

Reviewed-By: Jared Hancock <jared@osticket.com>

Add missing icons in Assigned To column

Reviewed-By: Jared Hancock <jared@osticket.com>

Added primary role tag to agent page

Reviewed-By: Peter Rotich <peter@osticket.com>

Fix a bug with the reactor bar appearing on top of the overlay.

White-list canned attachments

Add canned attachments to allowed files list when a canned response is used.

bounce: Avoid a loop on new message alert to staff

Reviewed-By: Peter Rotich <peter@osticket.com>

Upgrade pear Mail libraries, use header charset for attachment filenames

Reviewed-By: Peter Rotich <peter@osticket.com>

If a new message alert bounced to a staff member and the postmaster sent
back a bounce notice, which was threaded, then the agent might receive
another new message alert, which would continue a bounce loop.

files: Verify files attached to a FileUploadField

Reviewed-By: Peter Rotich <peter@osticket.com>

This fixes a security issue where, by crafting a special POST request to the
client open.php page, an (unauthenticated) user could get a URL link to
access to any attachment already uploaded in the system by guessing or
brute-forcing the file's ID number.

This patch addresses the issue by registering the uploaded file's ID in the
current user's session. When processing the list of file ID's attached to
the FileUploadField, the files must already have been attached to the field
or have been newly attached in the current session.

Fixes #2615

References:
"Security issue - Download attachments submitted by others"
https://github.com/osTicket/osTicket-1.8/issues/2615

reduce memory usage when decoding files

Reviewed-By: Peter Rotich <peter@osticket.com>

Blank page from 'register' link in notification email to guest user.

Reviewed-By: Jared Hancock <jared@osticket.com>

reduce memory usage when storing file in DB

Reviewed-By: Jared Hancock <jared@osticket.com>

include @greezybacon suggestion on fix

Fixes #2350 in `develop`

Fix blank page from 'register' link in email

We have existing clients who do not have an account (yet) on osTicket.  We create a ticket for them from the admin interface (creating a new guest user account) and this results in an email being sent to them with details of a job carried out.  This user can then click on the link in the notification email and view the ticket as guest - and hopefully opt to register an account.

The problem seems to be this - the user clicks on the ticket number in their notification email which lets them view the ticket as a guest - there is then a link to 'register for an account' linked to http://www.example.com/account.php?do=create - but clicking this link results in a blank page.  The PHP error is:

PHP Fatal error:  Call to a member function getField() on a non-object in /home/osticket/public_html/account.php on line 35, referer: http://www.example.com/tickets.php?id=105

This seems to be related to a bug in account.php around line 34.

    // Guest registering for an account                                                                                                      
    if ($thisclient->isGuest()) {
        foreach ($thisclient->getForms() as $f)
            if ($f->get('type') == 'U')
                $user_form = $f;
        $user_form->getField('email')->configure('disabled', true);
    }

If    $f->get('type')   is not equal to 'U' then $user_form does not get set - and therefore:
    $user_form->getField('email')->configure('disabled', true);

results in the 'call member function on a non-object error'.

I think the block should be:

    // Guest registering for an account                                                                                                      
    if ($thisclient->isGuest()) {
        foreach ($thisclient->getForms() as $f)
            if ($f->get('type') == 'U') {
                $user_form = $f;
                $user_form->getField('email')->configure('disabled', true);
            }
    }

Further - to be implicit the foreach statement should have curly braces.

    // Guest registering for an account                                                                                                      
    if ($thisclient->isGuest()) {
        foreach ($thisclient->getForms() as $f) {
            if ($f->get('type') == 'U') {
                $user_form = $f;
                $user_form->getField('email')->configure('disabled', true);
            }
        }
    }