From a98d7ecdd1d036229612ae69109bd799c9f357ad Mon Sep 17 00:00:00 2001
From: Guillermo
Date: Tue, 16 Jan 2018 01:26:13 -0300
Subject: [PATCH] Add htmlentities to department name

---
 server/controllers/system/add-department.php | 2 +-
 server/controllers/ticket/create.php | 20 ++++++++++----------
 tests/system/add-department.rb | 2 +-
 3 files changed, 12 insertions(+), 12 deletions(-)

diff --git a/server/controllers/system/add-department.php b/server/controllers/system/add-department.php
index 0d42846b..7ea0ee14 100755
--- a/server/controllers/system/add-department.php
+++ b/server/controllers/system/add-department.php
@@ -33,7 +33,7 @@ class AddDepartmentController extends Controller {
     }
 
     public function handler() {
-        $name = Controller::request('name');
+        $name = htmlentities(Controller::request('name'));
 
         $departmentInstance = new Department();
 
diff --git a/server/controllers/ticket/create.php b/server/controllers/ticket/create.php
index 891116a0..67dbc123 100755
--- a/server/controllers/ticket/create.php
+++ b/server/controllers/ticket/create.php
@@ -68,7 +68,7 @@ class CreateController extends Controller {
                 ]
             ]
         ];
-
+
         if(!Controller::isUserSystemEnabled()) {
             $validations['permission'] = 'any';
             $validations['requestData']['captcha'] = [
@@ -80,13 +80,13 @@ class CreateController extends Controller {
                 'error' => ERRORS::INVALID_EMAIL
             ];
         }
-
+
         return $validations;
     }
 
     public function handler() {
-        $this->title = Controller::request('title');
-        $this->content = Controller::request('content', true);
+        $this->title = htmlentities(Controller::request('title'));
+        $this->content = htmlentities(Controller::request('content', true));
         $this->departmentId = Controller::request('departmentId');
         $this->language = Controller::request('language');
         $this->email = Controller::request('email');
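Review bot: The new `htmlentities(Controller::request('name'))` call relies on the function's default flags and charset, which on PHP releases of this era means `ENT_COMPAT` (single quotes are left unencoded) and, more importantly, that an input containing an invalid multibyte sequence makes `htmlentities()` return an empty string, so a malformed department name is silently persisted as `''` instead of being rejected. Pass the flags explicitly: `$name = htmlentities(Controller::request('name'), ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');`. Encoding at the input boundary also means the entity-encoded form is what gets stored, so every consumer of `department.name` (the JSON API, mail templates, any front end that already escapes on render) now receives entities and may double-encode; escaping at output time is the usual pattern, and if input-side encoding is kept that decision deserves a comment on this line. The same flag issue applies to the two `htmlentities()` calls added in create.php's handler() (@@ -80). handler() continues past the end of this hunk.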
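Review bot: `$this->content = htmlentities(Controller::request('content', true));` wraps a value that is requested with a second argument of `true`; the meaning of that flag is not visible here, but if it marks the field as HTML-bearing (a rich-text ticket body that is sanitised rather than stripped), entity-encoding its result turns the permitted markup into literal text and changes what existing clients see, so this line should either drop the flag or state in a comment why both are wanted. The encoded `$this->title` and `$this->content` are presumably also what `sendMail()` (called later in this method, @@ -97) and the ticket record receive, so plain-text mail will show `&amp;`-style entities; worth confirming against the mail templates. No equivalent treatment is visible for `$this->name`, which @@ -132 stores as `authorName`, leaving the title encoded and the author name raw; whichever boundary is chosen, the fields should be handled consistently. handler() continues outside the hunk.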
@@ -97,7 +97,7 @@ class CreateController extends Controller {
         if(!Controller::isUserSystemEnabled()) {
             $this->sendMail();
         }
-
+
         $staffs = Staff::find('send_email_on_new_ticket = 1');
         foreach ($staffs as $staff) {
             if($staff->sharedDepartmentList->includesId(Controller::request('departmentId'))) {
@@ -132,19 +132,19 @@ class CreateController extends Controller {
             'authorName' => $this->name,
             'authorEmail' => $this->email
         ));
-
+
         if(Controller::isUserSystemEnabled()) {
             $author->sharedTicketList->add($ticket);
             $author->tickets++;
-
+
             $this->email = $author->email;
             $this->name = $author->name;
-            $author->store();
+            $author->store();
         }
-
+
         $ticket->store();
-
+
         $this->ticketNumber = $ticket->ticketNumber;
     }
 
diff --git a/tests/system/add-department.rb b/tests/system/add-department.rb
index a4613026..4da2044b 100644
--- a/tests/system/add-department.rb
+++ b/tests/system/add-department.rb
@@ -30,7 +30,7 @@ describe'system/add-department' do
 
         row = $database.getRow('department', 5, 'id')
 
-        (row['name']).should.equal('new department')
+        (row['name']).should.equal('<b>new department</b>')
 
         lastLog = $database.getLastRow('log')
         (lastLog['type']).should.equal('ADD_DEPARTMENT')
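Review bot: The updated assertion expects the stored `department.name` to be the literal `<b>new department</b>`, which is the opposite of what the new `htmlentities()` call in add-department.php produces: a request carrying that string would be persisted as `&lt;b&gt;new department&lt;/b&gt;`. Either the request body earlier in this test (outside the hunk) now sends the already-encoded form, in which case the controller double-encodes it and the test passes only by accident, or the assertion should read `(row['name']).should.equal('&lt;b&gt;new department&lt;/b&gt;')`. As written the test does not demonstrate that markup in a department name is neutralised, which is the behaviour the commit is adding. The enclosing `it` block starts before the hunk.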