As I modify the basic 1.6 RC3 for our institution, my lead engineer has requested that I ensure that our version of osTicket is checking $_POST and $_GET inputs and sanitizing queries to the database - to prevent cross-site scripting and other such badness.
This would involve using PHP functions such as strip_tags(), mysql_escape_string(), and mysql_real_escape_string().
I see that the mysql_*_escape_string() functions are already being used in the db_input() function. Is this function used for all queries to the database?
I also see that there is a function striptags() that is used instead of strip_tags(). It is used in class.ticket.php and other script files to sanitize user input.
Can I report that osTicket 1.6 is using adequate measures against cross-site scripting and bad user input?
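An added example (not from the post and not osTicket code) showing why the two questions above are separate: an SQL escaper and a tag stripper each address one context only, and neither covers the other. The `ticket` table, its columns, and the mysqli connection are assumptions, not osTicket's real schema.

```php
<?php
// Added example, not osTicket code. Each boundary the value crosses needs its
// own treatment: escaping for SQL does nothing for HTML, and strip_tags()
// does nothing for SQL.

// Constructed sample input, as it could arrive in $_POST['subject'].
$untrusted = "O'Brien said <b>\"urgent\"</b>";

// SQL boundary: bind the value instead of splicing it into the query text.
// With a prepared statement the escaping question disappears, including the
// connection-charset problem that separates mysql_escape_string() from the
// _real_ variant. Assumes a mysqli connection and a hypothetical `ticket` table.
function findTicketsBySubject(mysqli $db, string $subject): array
{
    $stmt = $db->prepare('SELECT ticket_id, subject FROM ticket WHERE subject = ?');
    $stmt->bind_param('s', $subject);
    $stmt->execute();
    return $stmt->get_result()->fetch_all(MYSQLI_ASSOC);
}

// Where legacy code still interpolates, mysql_real_escape_string() is only
// correct inside a quoted string literal. A numeric slot is protected by a
// cast, not by an escaper.
function ticketIdFromRequest(array $get): int
{
    return (int) ($get['id'] ?? 0);
}

// HTML boundary: encode at output time, for the context the value lands in.
// strip_tags() is a content filter; it removes markup but leaves the quote
// characters that matter inside an attribute, so it is not an HTML encoder.
function escapeHtml(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Self-check that runs without a database: after encoding, none of the
// characters that carry meaning in HTML text or attributes survive unencoded.
function isSafeForHtml(string $encoded): bool
{
    return strpbrk($encoded, "<>\"'") === false;
}

$stripped = strip_tags($untrusted);
$encoded  = escapeHtml($untrusted);
printf("strip_tags: %s  safe=%s\n", $stripped, isSafeForHtml($stripped) ? 'yes' : 'no');
printf("encoded:    %s  safe=%s\n", $encoded,  isSafeForHtml($encoded)  ? 'yes' : 'no');
```

The stripped value still carries both quote characters, so it fails the check while the encoded value passes; that difference is the gap between "sanitizing input" and "encoding output" that the review should report on.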