[rt-users] html only message do not display in RT
Ruslan U. Zakirov
cubic at acronis.ru
Tue Dec 9 13:01:04 EST 2003
Jesse Vincent wrote:
>
> On Tue, Dec 09, 2003 at 10:41:30AM -0700, Michael D. Richards wrote:
>
>>Using RT 3.0.6, Apache 1.3.28.
>>
>>If a single part html message arrives, RT does not display the body of
>>that message in the ticket. Even something as simple as the following
>>will not display:
>
> Displaying html content inline opens us up to cross-site scripting
> attacks. A malicious end-user could send in mail which contained
> javascript which resolved all your tickets and then sent out spam to
> each and every one of them using RT. If you click on the link to the
> right, you can download the html message marked as plain text.
>
> RT 3.0.7 has a better message when this happens.
Hello, Jesse and Michael,
I've posted a simple patch that uses HTML::Scrubber to convert HTML to
plain text. It's usable and could be changed to produce HTML scrubbed
of JS or other active objects.
I can make this patch nicer if you agree to merge it; otherwise it's
enough for our users.
Patch attached.
Best regards, Ruslan.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: rt3.html_display.patch
Type: application/aegis-patch
Size: 2516 bytes
Desc: not available
URL: <http://lists.bestpractical.com/pipermail/rt-users/attachments/20031209/520961ea/attachment.bin>
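The two approaches Ruslan describes, as an added illustration and not the attached patch (which the archive does not reproduce): one HTML::Scrubber instance that strips every tag so the body can be shown as plain text, and a second that keeps a small set of formatting tags while dropping script, style, comments, event-handler attributes and `javascript:` links. The sample message body is constructed for this example.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use HTML::Scrubber;

# Constructed sample of a single-part HTML message body (not from the thread).
my $html = <<'HTML';
<p onmouseover="alert(1)">Hello <b>support</b>,</p>
<script>alert(1)</script>
<a href="javascript:alert(1)">click</a>
<a href="http://example.com/">docs</a>
<p>Thanks</p>
HTML

# Variant 1: convert to plain text. An empty allow list plus a default of
# "deny every tag, deny every attribute" leaves only the text nodes;
# comment, script and style bodies are removed rather than kept as text.
my $to_text = HTML::Scrubber->new(
    allow   => [],
    default => [ 0, { '*' => 0 } ],
    comment => 0,
    script  => 0,
    style   => 0,
);

# Variant 2: keep benign formatting but scrub active content. Attributes are
# denied by default; href on <a> is kept only if it does not start with a
# javascript: scheme (the regex is matched against the attribute value).
my $to_safe_html = HTML::Scrubber->new(
    allow   => [qw(p b i u br a)],
    rules   => {
        a => { href => qr{^(?!\s*javascript:)}i, '*' => 0 },
    },
    default => [ 0, { '*' => 0 } ],
    comment => 0,
    script  => 0,
    style   => 0,
);

print "--- plain text ---\n",   $to_text->scrub($html),      "\n";
print "--- scrubbed HTML ---\n", $to_safe_html->scrub($html), "\n";
```

HTML::Scrubber does not decode entities, so the plain-text result still has to be HTML-escaped when RT renders it back into a page.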