Fix watcher self-notification, unescaped output in views

- NotificationHelper::notifyWatchers: excludeUserId parameter was accepted but never used; actors were notified of their own actions. Fix: add AND tw.user_id != ? clause to watcher query when exclusion is requested. - TicketView.php: formatAction() default case returned raw $event['action_type'] unescaped into HTML context. Fix: wrap with htmlspecialchars(). - Admin views: field_id, recurring_id, template_id, transition_id in data-id attributes were uncast; field_type was unescaped in CustomFieldsView; from/to_status slugs derived from DB values were used directly in class attributes in WorkflowDesignerView. Fix: (int) cast for IDs, htmlspecialchars for field_type, preg_replace to sanitize DB-derived CSS class slugs. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-04-11 20:41:09 -04:00
parent 3c7b3475e4
commit 2d6b2b8058
6 changed files with 22 additions and 16 deletions
@@ -56,9 +56,9 @@ include __DIR__ . '/../../views/layout_header.php';
              <td data-label="Actions">
                <div class="lt-btn-group">
                  <button type="button" class="lt-btn lt-btn-sm"
-                          data-action="edit-template" data-id="<?= $tpl['template_id'] ?>">EDIT</button>
+                          data-action="edit-template" data-id="<?= (int)$tpl['template_id'] ?>">EDIT</button>
                  <button type="button" class="lt-btn lt-btn-sm lt-btn-danger"
-                          data-action="delete-template" data-id="<?= $tpl['template_id'] ?>">DEL</button>
+                          data-action="delete-template" data-id="<?= (int)$tpl['template_id'] ?>">DEL</button>
                </div>
              </td>
            </tr>