Bug report: Links in custom fields

Helpdesk for my helpdesk software

Moderator: mkoch227

adridolf
Posts: 1
Joined: Thu Feb 08, 2018 9:57 pm

Bug report: Links in custom fields

Post by adridolf »

Script URL:
Version of script: 2.7.5
Hosting company:
URL of phpinfo.php:
URL of session_test.php:
What terms did you try when SEARCHING for a solution:
PHP 7.0

Write your message below:
If I use a custom field and enter a URL, it is changed to a hyperlink (<a href="content">content</a>), which is very helpful.

However, if I then edit the ticket, the quotation marks are not escaped and the <a> is corrupting the html (since the "" in the href break the "" of the value="").

This could be treated by correctly escaping/reintroducing the quotes; however, the field would still contain the full html tag. On save, the interpreter may replace the href by <a></a> again messing things up.

Better:
In line 555 of admin/edit_post.php, one could use mb_ereg_replace to just remove the <a> tags again. When saving the content, the link is just recreated again:
<td width="80%"><input type="text" name="'.$k.'" size="40" maxlength="'.intval($v['value']['max_length']).'" value="'.mb_ereg_replace("<[^>]*>","",$v['value']['default_value']).'" '.$cls.' /></td>

This has the advantage of modifying only one line, in contrast to what would be necessary for the escaping solution explained above.

To reproduce, just open a ticket with a link in a custom textline field. Then, open the ticket in admin mode and go to edit...
Klemen
Site Admin
Posts: 10145
Joined: Fri Feb 11, 2005 4:04 pm

Re: Bug report: Links in custom fields

Post by Klemen »

Thanks for the report, I confirm this is a bug.

It will be fixed in the next release by passing the value through the hesk_msgToPlain function before echoing it.
Klemen, creator of HESK and PHPJunkyard
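The attribute-breaking behaviour discussed in this thread, as an added PHP example that is not part of either post and is not HESK code: it renders a stored custom-field value into `value="..."` without and with attribute escaping, then parses the result to show what the browser would actually receive as the field value. The function names, the field name `custom1` and both sample values are constructed, and the example assumes the stored value is the linkified HTML fragment described in the report.

```php
<?php
// Added example, not HESK code. Function names and sample values are constructed.

// Naive rendering: the stored value is concatenated straight into value="...".
function render_input_unescaped(string $name, string $stored): string
{
    return '<input type="text" name="' . $name . '" value="' . $stored . '" />';
}

// Hardened rendering: reduce the stored HTML to plain text, then escape it
// for an attribute context so quotes and angle brackets cannot end the attribute.
function render_input_escaped(string $name, string $stored): string
{
    $plain = html_entity_decode(strip_tags($stored), ENT_QUOTES, 'UTF-8');
    return '<input type="text" name="' . htmlspecialchars($name, ENT_QUOTES, 'UTF-8')
         . '" value="' . htmlspecialchars($plain, ENT_QUOTES, 'UTF-8') . '" />';
}

// Parse the markup with an HTML parser and return what ends up in the value attribute.
function parsed_value(string $html): string
{
    libxml_use_internal_errors(true); // malformed markup is expected in the naive case
    $doc = new DOMDocument();
    $doc->loadHTML('<html><body>' . $html . '</body></html>');
    $input = $doc->getElementsByTagName('input')->item(0);
    return $input === null ? '' : $input->getAttribute('value');
}

// Constructed samples: a linkified URL, and plain text that contains a quote.
$samples = [
    '<a href="http://example.com/">http://example.com/</a>',
    'size 5" &amp; up',
];
foreach ($samples as $stored) {
    echo "stored:    $stored\n";
    echo "unescaped: " . parsed_value(render_input_unescaped('custom1', $stored)) . "\n";
    echo "escaped:   " . parsed_value(render_input_escaped('custom1', $stored)) . "\n\n";
}
```

The second sample contains no tags at all, so removing tags would leave it unchanged; only the attribute escaping keeps its quote inside the value.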