Merge pull request #51 from max-mi/master

XSS & Blank page fix.

Author: Jason Smale

src/app/code/community/Zendesk/Zendesk/Block/Adminhtml/Create/Edit/Form.php

@@ -116,8 +116,11 @@ protected function _prepareForm()
             'title'    => Mage::helper('zendesk')->__('Description'),
             'required' => true
         ));
+        
+        if (Mage::registry('zendesk_create_data')) {
+            $form->setValues(Mage::registry('zendesk_create_data'));
+        }
 
-        $form->setValues(Mage::registry('zendesk_create_data'));
         $form->setUseContainer(true);
         $form->setMethod('post');
         $this->setForm($form);

src/app/code/community/Zendesk/Zendesk/Helper/Data.php

@@ -120,7 +120,9 @@ public function getZendeskUnauthUrl()
     {
         $protocol = 'https://';
         $domain = $this->getZendeskDomain();
-        $route = '/access/unauthenticated';
+        //Zendesk will automatically redirect to login if user is not logged in
+        //previous URL followed to login page even if user has already logged in
+        $route = '/home';
 
         return $protocol . $domain . $route;
     }
@@ -279,7 +281,7 @@ public function getTicketUrl($row, $link = false)
 
         $subject = $row['subject'] ? $row['subject'] : $this->__('No Subject');
 
-        return '<a href="' . $url . '" target="_blank">' .  $subject. '</a>';
+        return '<a href="' . $url . '" target="_blank">' .  Mage::helper('core')->escapeHtml($subject) . '</a>';
     }
 
     public function getStatusMap()

src/app/code/community/Zendesk/Zendesk/controllers/Adminhtml/ZendeskController.php

@@ -98,7 +98,7 @@ public function authenticateAction()
 
         $user = Mage::getSingleton('admin/session')->getUser();
         $name = $user->getName();
-        $email = $user->getEmail();
+        $email = Mage::getStoreConfig('zendesk/general/email');
         $externalId = $user->getId();
 
         $payload = array(
@@ -107,7 +107,7 @@ public function authenticateAction()
             "name" => $name,
             "email" => $email
         );
-
+        
         // Validate if we need to include external_id param
         $externalIdEnabled = Mage::helper('zendesk')->isExternalIdEnabled();
         if($externalIdEnabled) {
@@ -282,9 +282,11 @@ public function saveAction()
             }
 
             try {
+                $admin = Mage::getModel('zendesk/api_users')->me();
                 $ticket = array(
                     'ticket' => array(
                         'requester_id' => $requesterId,
+                        'submitter_id' => $admin['id'],
                         'subject' => $data['subject'],
                         'status' => $data['status'],
                         'priority' => $data['priority'],

src/app/code/community/Zendesk/Zendesk/controllers/SsoController.php

@@ -25,14 +25,14 @@ class Zendesk_Zendesk_SsoController extends Mage_Core_Controller_Front_Action
      */
     public function loginAction()
     {
+        $return_url = Mage::helper('core')->urlDecode($this->getRequest()->getParam('return_url', ""));
         if(!Mage::getStoreConfig('zendesk/sso_frontend/enabled')) {
-            $this->_redirect('/');
+            $this->_redirectUrl($return_url ? $return_url : Mage::helper('zendesk')->getZendeskUnauthUrl());
             return $this;
         }
 
         $domain = Mage::getStoreConfig('zendesk/general/domain');
         $token = Mage::getStoreConfig('zendesk/sso_frontend/token');
-        $return_url = Mage::helper('core')->urlDecode($this->getRequest()->getParam('return_url', ""));
 
         if(!Zend_Validate::is($domain, 'NotEmpty')) {
             Mage::log(Mage::helper('zendesk')->__('Zendesk domain not set. Please add this to the settings page.'), null, 'zendesk.log');