From 5c122df2677904c47eae4cd81a8a7d6a95f21059 Mon Sep 17 00:00:00 2001
From: Ahmad Gneady
Date: Sat, 3 Jul 2021 17:46:35 +0200
Subject: [PATCH] Fix stored xss in nicedit
---
 app/invoices_dml.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/app/invoices_dml.php b/app/invoices_dml.php
index fa34d32..d24789d 100644
--- a/app/invoices_dml.php
+++ b/app/invoices_dml.php
@@ -573,7 +573,7 @@ function client_reload__RAND__() {
 $templateCode = str_replace('<%%VALUE(total)%%>', safe_html($urow['total']), $templateCode);
 $templateCode = str_replace('<%%URLVALUE(total)%%>', urlencode($urow['total']), $templateCode);
 if($AllowUpdate || $AllowInsert) {
- $templateCode = str_replace('<%%HTMLAREA(comments)%%>', '', $templateCode);
+ $templateCode = str_replace('<%%HTMLAREA(comments)%%>', '', $templateCode);
 } else {
 $templateCode = str_replace('<%%HTMLAREA(comments)%%>', '
' . $row['comments'] . '
', $templateCode);
 }
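Review bot: The read-only `else` branch at the end of this hunk still concatenates `$row['comments']` into the template with no encoding or sanitising, so a stored payload in that field would presumably still render for users who can view but not edit the record. The commit changes only the editable branch, and the markup inside its string literal is not visible in this rendering, so the fix itself cannot be checked here. Because the field holds rich text, plain entity-encoding would break legitimate formatting; the value should go through an allow-list HTML sanitiser before output or when it is saved, for example `' . safe_html($row['comments']) . '` if that helper, used above for `total`, does sanitise markup (its behaviour is not shown on this page). The enclosing PHP function starts and ends outside the hunk, so any sanitising done where `$row` is populated should be confirmed there.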