Ticket system bufix escaping of subject text

OpenXE 2023-02-01 09:56:55 +01:00
parent da0b7d2720
commit f0bebba1ff


@ -744,7 +744,22 @@ class Ticket {
$sql = "INSERT INTO `ticket_nachricht` (
`ticket`, `zeit`, `text`, `betreff`, `medium`, `versendet`,
`verfasser`, `mail`,`status`, `verfasser_replyto`, `mail_replyto`,`mail_cc`
) VALUES ('".$ticket_from_db['schluessel']."',NOW(),'".$anschreiben."','".$betreff."','email','1','".$senderName."','".$to."','neu','".$senderName."','".$senderAddress."','".$cc."');";
) VALUES ('".
$ticket_from_db['schluessel'].
"',NOW(),'".
$this->app->DB->real_escape_string($anschreiben).
"','".
$this->app->DB->real_escape_string($betreff).
"','email','1','".
$this->app->DB->real_escape_string($senderName).
"','".
$this->app->DB->real_escape_string($to).
"','neu','".
$this->app->DB->real_escape_string($senderName).
"','".
$this->app->DB->real_escape_string($senderAddress).
"','".
$this->app->DB->real_escape_string($cc)."');";
$this->app->DB->Insert($sql);
// Show new message dialog
@ -825,7 +840,7 @@ class Ticket {
) {
// Update message in ticket_nachricht
$sql = "UPDATE `ticket_nachricht` SET `zeitausgang` = NOW(), `betreff` = '".$drafted_messages[0]['betreff']."', `verfasser` = '$senderName', `verfasser_replyto` = '$senderName', `mail_replyto` = '$senderAddress' WHERE id = ".$drafted_messages[0]['id'];
$sql = "UPDATE `ticket_nachricht` SET `zeitausgang` = NOW(), `betreff` = '".$this->app->DB->real_escape_string($drafted_messages[0]['betreff'])."', `verfasser` = '$senderName', `verfasser_replyto` = '$senderName', `mail_replyto` = '$senderAddress' WHERE id = ".$drafted_messages[0]['id'];
$this->app->DB->Insert($sql);
$msg .= '<div class="info">Die E-Mail wurde erfolgreich versendet an '.$input['email_an'].'.';
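Review bot: The rewritten UPDATE in the second hunk escapes only `betreff`, while `$senderName` and `$senderAddress` are still interpolated raw into the same statement, even though the INSERT in the first hunk now escapes exactly those variables; unless they are sanitised earlier in this method, a quote character in a sender name or reply-to address can still break or alter the query. The tail `WHERE id = ".$drafted_messages[0]['id']` is also concatenated without quotes and would be safer as `(int)$drafted_messages[0]['id']`. I would wrap the two remaining values as `$this->app->DB->real_escape_string($senderName)` and `$this->app->DB->real_escape_string($senderAddress)`, and give `$ticket_from_db['schluessel']` in the INSERT the same treatment, since a value read back from the database is not automatically safe to re-embed in SQL. Both statements sit in code that begins and ends outside the hunks, so the origin of these values cannot be confirmed from this page.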