In some cases, a POST might be sent to the server and there be no draft. In
such a case, neither the draft nor the body of the page can be inspected for
images. Even worse, in some cases the previous images might be unlinked from
the article without being relinked. Therefore, the images will no longer be
linked to the page and will likely be purged from the system.

Previously, the code would scan the email headers until it found a positive
match from any of the email headers scanned. Additionally, it would attempt
to find the user from the tagged email references header. However, this
algorithm assumed that the references header was constant and predictable in
its ordering. Recent tests with Gmail prove otherwise in some tests.

This patch changes the system so that only the tagged reference header is
included in the References header, and it will scan all items in a header
(namely the References header) until both the thread and a user are
identified. If a user can be identified, the thread and user are returned.
Otherwise, the first thread hit is returned.

This setting allows administrators to add (uncomment) a MAIL_EOL setting in
the ost-config.php config file to define the line ending used for mail
headers and encoded bodies in outbound mail (SMTP, for instance).

By default, CRLF is used by the SMTP email generator as per the RFC 822
standard. However, many administrators can benefit by setting LF (\n) as the
line ending.

Also, fix duplicate emails where a user as a collaborator would be sent a
confirmation for their own respective email.

On some setups, IE v10 on Windows 7 at least, text added to the Redactor
editor after an image is inserted (via the image popup dialog for instance),
will not be retrieved via the ::get() method and so will not be submitted
with the form submit button.

This patch introduces a workaround by manually calling ::sync() for the
Redactor when the submit button is pressed — just before the form is
submitted.

Turns out the canned response selections for the original message and the
last message were swapped.

Previously, if the quoted response mechanism was disabled, then outgoing
mail would also not include the message-id token. This breaks the
correlation of email to ticket-thread. Now, the message-id token is always
embedded in HTML emails even if the quoted-response removal system is
disabled.

(Turns out that the message-id token was always included in text bodies.)

Previously, if the enduser registration mode were set to something other
than `public`, the agent sign-in link would not be shown. Now, the agent
sign-in link is always shown on the enduser sign-in page.

Thanks for the hint Peter.
Changed it (again) and also tested at our system. /scp/slas.php works as intended - so only the slash "/" before "scp/slas.php" was missing.

Hey again,

just found some other wrong links while I was creating a new ticket filter.

Cheers,
Michael

Hi guys,

here is a catch from the forum: http://osticket.com/forum/discussion/78661/invalid-sla-link-on-popup-help-tips

Since scp/ seems automatically added before slas.php just changed
scp/slas.php to slas.php

Quickly tested it and link works correctly after that little change.

Fix applied to where the value is directly output to browser instead of where fetched in case special chars are allowed in `code_name`, which may break logic prior to output.

Also add a drop-down list of common links include ticket links and login
pages for both agents and end users.

Add other locations as well a failsafe for the htmlentities() call

Previously, the characters would be removed and the data would be considered
empty which would bypass validation and clear the phone number on save
rather than triggering a validation error.

Send an empty return-path envelope when sending out system alerts. If they
should happen to bounce for any reason, they should not return to the system
and create tickets.

Previously, osTicket introduced the ability to cascade defaults for the
department and priority to the email mail boxes. However, the validation
checks and display fall-backs were never added.

This patch fixes an issue where a fatal error would be triggered if the
current value of a selection field on a custom form was a custom list item
that has since been deleted.

The PHP.ini default is 1440 seconds (24 minutes). This should be configured
to something significantly higher so that the settings in the admin panel
concerning session timeouts are relevant.

Ideally, the settings from the control panel would be used, but currently
there is an inter-dependency between session and config startups.

Names parsed from incoming emails are stored in the database as is. This
pull request addresses potential XSS vulnerability due to improper display
of unsanitized names. Going forward names will be scrubbed on create.