From cc509874e70ec984340742605c2e914858fbc93f Mon Sep 17 00:00:00 2001 From: Jared Vititoe Date: Sun, 5 Apr 2026 18:21:54 -0400 Subject: [PATCH] Fix incomplete HTML escaping in reply textarea (ticket.js) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Line 1575 used .replace(//g, '>') to set the comment-raw edit textarea content, missing '&' → '&'. Replaced with lt.escHtml() which escapes all five special HTML characters (&, <, >, ", ') consistently with the rest of the codebase. Co-Authored-By: Claude Sonnet 4.6
---
assets/js/ticket.js | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/assets/js/ticket.js b/assets/js/ticket.js
index d2ca407..790e199 100644
--- a/assets/js/ticket.js
+++ b/assets/js/ticket.js
@@ -1572,7 +1572,7 @@ function submitReply(parentCommentId) {
${displayText}
- + `;
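Review bot: `${displayText}` on the context line directly above the changed textarea line goes into the same HTML template literal with no escaping call visible in this hunk. Its assignment is earlier in `submitReply`, outside the hunk, so it may already be escaped or be the output of a sanitizing renderer. If it is, a short comment at the interpolation would record that, for example `// displayText is already HTML-safe: escaped/sanitized where it is built`. If it is not, the line should read `${lt.escHtml(displayText)}`, so that the display copy and the raw textarea copy of the same comment get the same treatment. The body of `submitReply` starts and ends outside this hunk, so other interpolations into this template may need the same check.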