From f102bd3a59e947df03320861e4330213fe014da0 Mon Sep 17 00:00:00 2001
From: Yasith Fernando <thekindofme@gmail.com>
Date: Mon, 22 Jun 2020 13:16:58 +1000
Subject: [PATCH] Escape user input when generating autocompelete list HTML to
 avoid XSS attacks

---
 .../Zendesk/controllers/Adminhtml/ZendeskController.php     | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/src/app/code/community/Zendesk/Zendesk/controllers/Adminhtml/ZendeskController.php b/src/app/code/community/Zendesk/Zendesk/controllers/Adminhtml/ZendeskController.php
index c947be74..5b2757c7 100644
--- a/src/app/code/community/Zendesk/Zendesk/controllers/Adminhtml/ZendeskController.php
+++ b/src/app/code/community/Zendesk/Zendesk/controllers/Adminhtml/ZendeskController.php
@@ -417,9 +417,9 @@ public function autocompleteAction()
         $output = '<ul>';
         if($customers->getSize()) {
             foreach($customers as $customer) {
-                $id = $customer->getId();
-                $name = $customer->getName();
-                $email = $customer->getEmail();
+                $id = htmlspecialchars($customer->getId(), ENT_COMPAT, 'UTF-8');
+                $name = htmlspecialchars($customer->getName(), ENT_COMPAT, 'UTF-8');
+                $email = htmlspecialchars($customer->getEmail(), ENT_COMPAT, 'UTF-8');
                 $output .= '<li id="customer-' . $id . '" data-email="' . $email . '" data-name="' . $name . '">' . $name . ' &lt;' . $email . '&gt;</li>';
             }
         }