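if ($bConvert) {
    $bVarsFromForm = true;
} else {
    if ($bProcessPost) {
        $bVarsFromForm = true;
        if (
            isset($_POST['save'])
            || isset($_POST['saveAndView'])
            || isset($_POST['saveAndAdd'])
            || isset($_POST['apply'])
            || $bAjaxSubmit
        ) {
            // Check entities access -->
            // Every related-entity ID below comes from the request body. Each one is
            // cast to int and zeroed when the matching CheckReadPermission() call
            // fails. How a zero ID is handled further down is outside this view.
            $quoteID = isset($_POST['UF_QUOTE_ID']) ? intval($_POST['UF_QUOTE_ID']) : 0;
            if ($quoteID > 0 && !CCrmQuote::CheckReadPermission($quoteID)) {
                $quoteID = 0;
            }

            $dealID = isset($_POST['UF_DEAL_ID']) ? intval($_POST['UF_DEAL_ID']) : 0;
            if ($dealID > 0 && !CCrmDeal::CheckReadPermission($dealID)) {
                $dealID = 0;
            }

            // NOTE(review): presumably 'COMPANY' and 'CONTACT' are already integers
            // here; confirm against __GetCompanyAndContactFromPost().
            $info = CCrmInvoice::__GetCompanyAndContactFromPost($_POST);

            $companyID = $info['COMPANY'];
            if ($companyID > 0 && !CCrmCompany::CheckReadPermission($companyID)) {
                $companyID = 0;
            }

            $contactID = $info['CONTACT'];
            if ($contactID > 0 && !CCrmContact::CheckReadPermission($contactID)) {
                $contactID = 0;
            }
            unset($info);
            //<-- Check entities access

            // A missing or non-string field (e.g. COMMENTS[]=x) is treated as empty
            // instead of being passed to trim(), which rejects arrays on PHP 8.
            $comments = isset($_POST['COMMENTS']) && is_string($_POST['COMMENTS'])
                ? trim($_POST['COMMENTS'])
                : '';
            $userDescription = isset($_POST['USER_DESCRIPTION']) && is_string($_POST['USER_DESCRIPTION'])
                ? trim($_POST['USER_DESCRIPTION'])
                : '';

            // strpos() returns 0 when '<' is the first character, and 0 is falsy.
            // The bare truthiness test therefore left the flag false for values that
            // begin with a tag, so the branch these flags guard (sanitizing, judging
            // by the names) was skipped for them. Compare against false explicitly.
            $bSanitizeComments = $comments !== '' && strpos($comments, '<') !== false;
            $bSanitizeUserDescription = $userDescription !== '' && strpos($userDescription, '<') !== false;

            if ($bSanitizeComments || $bSanitizeUserDescription) {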