[rt-users] html only message do not display in RT

Jesse Vincent jesse at bestpractical.com
Tue Dec 9 12:43:29 EST 2003




On Tue, Dec 09, 2003 at 10:41:30AM -0700, Michael D. Richards wrote:
> Using RT 3.0.6, Apache 1.3.28.
> 
> If a single part html message arrives, RT does not display the body of 
> that message in the ticket. Even something as simple as the following 
> will not display:

Displaying html content inline opens us up to cross-site scripting
attacks. A malicious end-user could send in mail which contained
javascript which resolved all your tickets and then sent out spam to
each and every one of them using RT.  If you click on the link to the
right, you can download the html message marked as plain text.

RT 3.0.7 has a better message when this happens.

	-j

-- 
http://www.bestpractical.com/rt  -- Trouble Ticketing. Free.
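
The display policy described in the reply above, as an added example that is not part of the original message and is not RT's own code: plain-text parts are escaped and shown inline, while an HTML part is never rendered and is only offered as a plain-text download. The function names, the notice wording and the response headers (including `X-Content-Type-Options`) are assumptions of this sketch, and the sample message is constructed.

```python
import html
from email import message_from_string

# Constructed sample: a single-part HTML-only message like the one reported.
SAMPLE = (
    "From: user@example.com\n"
    "Subject: test\n"
    "MIME-Version: 1.0\n"
    'Content-Type: text/html; charset="us-ascii"\n'
    "\n"
    "<html><body><script>/* constructed */</script><p>Hello</p></body></html>\n"
)

def _download_headers(content_type):
    # Hypothetical response headers: force a download and forbid MIME sniffing,
    # so the browser never interprets the bytes as a page on the tracker's origin.
    return {
        "Content-Type": content_type,
        "Content-Disposition": "attachment",
        "X-Content-Type-Options": "nosniff",
    }

def render_part(part):
    """Return (inline_markup, download_headers or None) for one MIME leaf part."""
    ctype = part.get_content_type()
    if ctype == "text/plain":
        raw = part.get_payload(decode=True) or b""
        text = raw.decode(part.get_content_charset() or "utf-8", errors="replace")
        # Plain text is shown inline, but only after escaping markup characters.
        return "<pre>" + html.escape(text) + "</pre>", None
    if ctype == "text/html":
        # Never render sender-controlled HTML; serve the source as plain text.
        note = "<p>HTML message not displayed inline. Download it as plain text.</p>"
        return note, _download_headers("text/plain; charset=utf-8")
    note = "<p>Attachment of type %s not displayed.</p>" % html.escape(ctype)
    return note, _download_headers("application/octet-stream")

def render_message(raw_message):
    """Apply render_part to every non-multipart part of a raw RFC 822 message."""
    msg = message_from_string(raw_message)
    return [render_part(p) for p in msg.walk() if not p.is_multipart()]

if __name__ == "__main__":
    for markup, headers in render_message(SAMPLE):
        print(markup, headers)
```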


