Escape potential HTML characters in usernames (ticket collision detection)
@@ -190,10 +190,10 @@ if (isset($_GET['ticket_query_views'])) {
|
|||||||
$users = array_unique($users);
|
$users = array_unique($users);
|
||||||
if (count($users) > 1) {
|
if (count($users) > 1) {
|
||||||
// Multiple viewers
|
// Multiple viewers
|
||||||
$response['message'] = implode(", ", $users) . " are viewing this ticket.";
|
$response['message'] = htmlentities(implode(", ", $users) . " are viewing this ticket.");
|
||||||
} else {
|
} else {
|
||||||
// Single viewer
|
// Single viewer
|
||||||
$response['message'] = implode("", $users) . " is viewing this ticket.";
|
$response['message'] = htmlentities(implode("", $users) . " is viewing this ticket.");
|
||||||
}
|
}
|
||||||
} else {
|
} else {
|
||||||
// No viewers
|
// No viewers
|
||||||
|
|||||||
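Review bot: Both new `htmlentities(...)` calls on `$response['message']` rely on the function's default flags, which before PHP 8.1 leave single quotes unescaped and do not substitute invalid byte sequences, so the escaping depends on the runtime version. Passing the flags and charset explicitly makes it uniform, for example `htmlspecialchars(implode(", ", $users) . " are viewing this ticket.", ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8')`, with the same change on the single-viewer line. The consumer of `$response` is not visible here; if the value is returned as JSON and inserted into the page by script, confirm that the client treats it as already-escaped HTML text and neither escapes it a second time nor places it in another context such as an attribute. The enclosing `if (isset($_GET['ticket_query_views']))` block starts and ends outside this hunk.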