[rt-devel] Link in transaction descriptions?
jcharaoui at cmaisonneuve.qc.ca
Thu Nov 8 12:22:10 EST 2012
On 2012-11-06 14:53, Kevin Falcone wrote:
> While it's possible to change BriefDescription in RT::Transaction to
> do that (or even to use the ModifyDisplay callback to add it in later)
> the problem is that the transaction description is passed through
> Mason's HTML escaper, and the link wouldn't work. We could turn that
> off, but it would require effort to ensure that no security bugs
> (displaying user entered info unescaped) are added.

Thanks for taking the time to reply.

I understand the concern. Extra care should indeed be taken when
changing something that could introduce security issues.

Another way to deal with this in a more concise way could be to add a
property to RT::Transaction (i.e. BriefDescriptionLink) which would contain
an RT-built URL. In the case of a ticket relationships transaction, it
could contain the URL of the related ticket.

Then it would simply be a matter of adjusting the ShowTransaction
template to check for BriefDescriptionLink and, if non-empty, wrap $desc
entirely with an anchor tag with the url parameter set to
BriefDescriptionLink. This way BriefDescription would remain
HTML-escaped at all times.

What do you think?
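
The rendering step proposed in the message above, sketched as an added example; it is not part of the original message and not RT's own code. The base URL, the sample transactions and the sub names (`escape_html`, `is_rt_built_url`, `render_description`) are assumptions made for illustration, and the check that the link really is an instance-built URL is an extra safeguard added here.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Hypothetical base URL of the RT instance (assumption, not from the post).
my $WEB_BASE = 'https://rt.example.com';

# Minimal HTML escaper covering text nodes and quoted attribute values.
sub escape_html {
    my ($text) = @_;
    my %map = ('&' => '&amp;', '<' => '&lt;', '>' => '&gt;',
               '"' => '&quot;', "'" => '&#39;');
    $text =~ s/([&<>"'])/$map{$1}/g;
    return $text;
}

# Accept only links under the instance's own base URL, so a value that
# reaches the link property by mistake cannot carry a javascript: scheme
# or an off-site target.
sub is_rt_built_url {
    my ($url) = @_;
    return 0 unless defined $url && length $url;
    return $url =~ m{\A\Q$WEB_BASE\E/[A-Za-z0-9/._?=&;%-]*\z} ? 1 : 0;
}

# The description is always escaped; the anchor is emitted only when the
# link passes the check, and the href value is escaped as well.
sub render_description {
    my ($desc, $link) = @_;
    my $safe_desc = escape_html($desc);
    return $safe_desc unless is_rt_built_url($link);
    return sprintf '<a href="%s">%s</a>', escape_html($link), $safe_desc;
}

# Constructed sample transactions: a linked one, an unlinked one with
# markup in user-entered text, and one with a rejected link value.
my @samples = (
    ['Reference to ticket #42 added', "$WEB_BASE/Ticket/Display.html?id=42"],
    ['Subject changed to <script>alert(1)</script>', undef],
    ['Reference added', 'javascript:alert(1)'],
);
print render_description(@$_), "\n" for @samples;
```

Only the first sample is rendered as a link; the other two come out as escaped plain text.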