[Rt-commit] rt branch, 4.4/insert-raw-html-articles, created. rt-4.4.2-226-g2c41132d8

Maureen Mirville maureen at bestpractical.com
Fri May 4 16:16:04 EDT 2018


The branch, 4.4/insert-raw-html-articles has been created
        at  2c41132d84f074f463bb2741b69eba109e77e72d (commit)

- Log -----------------------------------------------------------------
commit 802b20fa2f9eaf57ee9674e3038343e8b39b1b28
Author: Maureen E. Mirville <maureen at bestpractical.com>
Date:   Thu May 3 09:34:38 2018 -0400

    Add option to disable escaping HTML in articles
    
    Fixes: I#32374

diff --git a/share/html/Admin/Articles/Classes/Modify.html b/share/html/Admin/Articles/Classes/Modify.html
index ef3f50317..f69a1601d 100644
--- a/share/html/Admin/Articles/Classes/Modify.html
+++ b/share/html/Admin/Articles/Classes/Modify.html
@@ -92,6 +92,10 @@
     <input type="checkbox" id="Include-Summary" name="Include-Summary" value="1" <% $include{Summary} %>>
     <label for="Include-Summary"><&|/l&>Include article summary</&></label>
 </li>
+<li>
+     <input type="checkbox" id="Include-EscapeHTML" name="Include-EscapeHTML" value="1" <% $include{EscapeHTML} %>>
+     <label for="Include-EscapeHTML"><&|/l&>Escape HTML (Unchecking this box is potentially unsafe)</&></label>
+</li>
 % if ( $cfs ) {
 % while (my $cf = $cfs->Next) {
 <li><&|/l, $cf->Name &>Include custom field '[_1]'</&>
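Review bot: The label on the new checkbox, `Escape HTML (Unchecking this box is potentially unsafe)`, warns without saying what the hazard is, so an admin on the Modify Class page cannot judge the trade-off. Suggest spelling out the consequence in the label or in a help popup beside it, for example `Escape HTML (when unchecked, article HTML is inserted into ticket messages unmodified; leave checked unless every article author in this class is trusted)`. Also worth confirming that `Include-EscapeHTML` is handled by the same code that turns the other `Include-*` checkboxes into `Skip-*` class attributes, since the rendering code in Preformatted decides purely on `FirstAttribute("Skip-EscapeHTML")`.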
@@ -187,7 +191,7 @@ if ((defined $Enabled && $Enabled == 1) or (not defined $Enabled and $Create)) {
     $Disabled = 1;
 }
 
-my %include = (Name => 1, Summary => 1);
+my %include = (Name => 1, Summary => 1, EscapeHTML => 1);
 my $subject_cfs = [];
 my $subject_cf_labels = {};
 
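Review bot: Defaulting `EscapeHTML => 1` in `%include` is the right choice: a class with no `Skip-EscapeHTML` attribute keeps the existing escaping behaviour, so the change is opt-in per class. The same `%include` literal is now maintained both here and in `share/html/Articles/Article/Elements/Preformatted`; if one copy gains a key the other lacks, the admin form and the rendering code will disagree about the default for that key. Consider deriving both lists from one helper on the class object so they cannot drift.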
diff --git a/share/html/Articles/Article/Elements/Preformatted b/share/html/Articles/Article/Elements/Preformatted
index 74e5af058..a39927492 100644
--- a/share/html/Articles/Article/Elements/Preformatted
+++ b/share/html/Articles/Article/Elements/Preformatted
@@ -84,7 +84,7 @@
 % }
 <%init>
 my $class = $Article->ClassObj;
-my %include = (Name => 1, Summary => 1);
+my %include = (Name => 1, Summary => 1, EscapeHTML => 1);
 my $cfs = $class->ArticleCustomFields;
 $include{"CF-Title-".$_->Id} = $include{"CF-Value-".$_->Id} = 1 while $_ = $cfs->Next;
 $include{$_} = not $class->FirstAttribute("Skip-$_") for keys %include;
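Review bot: With `EscapeHTML` added to `%include`, the existing loop `$include{$_} = not $class->FirstAttribute("Skip-$_") for keys %include;` makes the presence of a `Skip-EscapeHTML` attribute on the class the only thing that turns escaping off, and nothing in this branch exercises that path. A regression test would be valuable: render an article from a class without the attribute and assert the tags from the docs example are gone, then set `Skip-EscapeHTML` on the class and assert the content is returned verbatim. The diffs in this branch touch only the two templates and the docs, so no such test is included yet.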
@@ -102,6 +102,7 @@ my $get_content = sub {
         content => \$content,
     );
 
+    return $content unless $include{'EscapeHTML'};
     if ( $content =~ /<.{1,5}>/ ) {
         $content = RT::Interface::Email::ConvertHTMLToText( $content );
     }
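Review bot: The early `return $content unless $include{'EscapeHTML'};` leaves `$get_content` before the `ConvertHTMLToText` step, so for a class that disables escaping, the article body and the custom-field values already assembled into `$content` go into the ticket message box with every tag intact, including any `<script>` or `<style>` an article author wrote. Whatever sanitizing the message editor and ticket display apply to submitted HTML becomes the only defence for those classes, so confirm that path strips active content before this is merged. Two smaller points: the return also skips anything that follows the `if` block in `$get_content`, not just the conversion, so check that nothing else lives after it; and the option name is misleading, because the code it bypasses is `ConvertHTMLToText`, which removes tags rather than escaping them (the docs example turns `<to>Me</to>` into `Me`). A name along the lines of `ConvertHTMLToText` or `StripHTML` would describe what the code actually does.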

commit 2c41132d84f074f463bb2741b69eba109e77e72d
Author: Maureen E. Mirville <maureen at bestpractical.com>
Date:   Fri May 4 16:01:13 2018 -0400

    Updated Articles docs to include disabling escaped HTML

diff --git a/docs/customizing/articles_introduction.pod b/docs/customizing/articles_introduction.pod
index 363a3859d..09b42d531 100644
--- a/docs/customizing/articles_introduction.pod
+++ b/docs/customizing/articles_introduction.pod
@@ -111,6 +111,27 @@ Articles can be included by searching for them, knowing the Id of the
 article, using the Article Hotlist and using the Queue-specific
 dropdown.
 
+=head3 Disabling Escaped HTML
+
+By default, when an article is inserted into the ticket message box,
+as a security measure, HTML tags are escaped and only text is displayed.
+For example, RT will display "Me You Greeting Hello world!" from the
+following XML:
+
+  <?xml version="1.0" encoding="UTF-8"?>
+  <note>
+    <to>Me</to>
+    <from>You</from>
+    <heading>Greeting</heading>
+    <body>Hello world!</body>
+  </note>
+
+In cases as above, where the content is harmless and displaying it on the
+ticket might be necessary, there is an option to disable escaping these
+tags per article class. This can be done by unchecking the "Escape HTML"
+box on the Modify Class page. Please note this is potentially unsafe and
+its use should be limited to trusted administrators.
+
 =head2 Queue-Specific List of Articles 
 
 You can use Topics to organize a set of Queue-specific Articles.
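Review bot: The sentence `HTML tags are escaped and only text is displayed` describes stripping, not escaping: the example output `Me You Greeting Hello world!` has the tags removed, which is what `ConvertHTMLToText` does, whereas escaped tags would appear as literal `<to>` text in the message. Suggest `HTML tags are stripped and only the text content is displayed`. The risk statement should also name the real trust boundary: unchecking the box means anyone who can create or edit articles in that class can put arbitrary HTML into ticket messages, so the advice should be to restrict article-editing rights on such classes, not only to limit who toggles the checkbox. Minor: `In cases as above` reads better as `In cases like the one above`, and the sample is XML rather than HTML, which is worth stating since the conversion applies to any `<...>` tag it finds.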

-----------------------------------------------------------------------