[Rt-commit] rt branch, 4.4/insert-raw-html-articles, created. rt-4.4.2-226-g2c41132d8
Maureen Mirville
maureen at bestpractical.com
Fri May 4 16:16:04 EDT 2018
The branch, 4.4/insert-raw-html-articles has been created
at 2c41132d84f074f463bb2741b69eba109e77e72d (commit)
- Log -----------------------------------------------------------------
commit 802b20fa2f9eaf57ee9674e3038343e8b39b1b28
Author: Maureen E. Mirville <maureen at bestpractical.com>
Date: Thu May 3 09:34:38 2018 -0400
Add option to disable escaping HTML in articles
Fixes: I#32374
diff --git a/share/html/Admin/Articles/Classes/Modify.html b/share/html/Admin/Articles/Classes/Modify.html
index ef3f50317..f69a1601d 100644
--- a/share/html/Admin/Articles/Classes/Modify.html
+++ b/share/html/Admin/Articles/Classes/Modify.html
@@ -92,6 +92,10 @@
<input type="checkbox" id="Include-Summary" name="Include-Summary" value="1" <% $include{Summary} %>>
<label for="Include-Summary"><&|/l&>Include article summary</&></label>
</li>
+<li>
+ <input type="checkbox" id="Include-EscapeHTML" name="Include-EscapeHTML" value="1" <% $include{EscapeHTML} %>>
+ <label for="Include-EscapeHTML"><&|/l&>Escape HTML (Unchecking this box is potentially unsafe)</&></label>
+</li>
% if ( $cfs ) {
% while (my $cf = $cfs->Next) {
<li><&|/l, $cf->Name &>Include custom field '[_1]'</&>
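Review bot: The label on the new `Include-EscapeHTML` checkbox says only that unchecking is "potentially unsafe", which gives a class administrator nothing to judge the risk by. Suggest wording that names the consequence, for example that article content will then be inserted into the ticket message box with its HTML tags intact. The setting is also a behaviour toggle placed among the `Include-Summary` and `Include custom field` entries, which choose what is inserted; a separately labelled control would make it harder to uncheck by mistake while trimming the include list.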
@@ -187,7 +191,7 @@ if ((defined $Enabled && $Enabled == 1) or (not defined $Enabled and $Create)) {
$Disabled = 1;
}
-my %include = (Name => 1, Summary => 1);
+my %include = (Name => 1, Summary => 1, EscapeHTML => 1);
my $subject_cfs = [];
my $subject_cf_labels = {};
diff --git a/share/html/Articles/Article/Elements/Preformatted b/share/html/Articles/Article/Elements/Preformatted
index 74e5af058..a39927492 100644
--- a/share/html/Articles/Article/Elements/Preformatted
+++ b/share/html/Articles/Article/Elements/Preformatted
@@ -84,7 +84,7 @@
% }
<%init>
my $class = $Article->ClassObj;
-my %include = (Name => 1, Summary => 1);
+my %include = (Name => 1, Summary => 1, EscapeHTML => 1);
my $cfs = $class->ArticleCustomFields;
$include{"CF-Title-".$_->Id} = $include{"CF-Value-".$_->Id} = 1 while $_ = $cfs->Next;
$include{$_} = not $class->FirstAttribute("Skip-$_") for keys %include;
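Review bot: The default `my %include = (Name => 1, Summary => 1, EscapeHTML => 1);` now has to stay identical here and in share/html/Admin/Articles/Classes/Modify.html, and this copy is the one that decides whether content is converted. Because `$include{$_} = not $class->FirstAttribute("Skip-$_") for keys %include;` only visits keys already in the hash, dropping `EscapeHTML` from this list in a later edit would leave `$include{'EscapeHTML'}` undefined, and the `unless` test added in `$get_content` would then return raw content for every class. Suggest defining the key list once and sharing it, or testing the `Skip-EscapeHTML` attribute explicitly so that a missing key falls back to the converted path.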
@@ -102,6 +102,7 @@ my $get_content = sub {
content => \$content,
);
+ return $content unless $include{'EscapeHTML'};
if ( $content =~ /<.{1,5}>/ ) {
$content = RT::Interface::Email::ConvertHTMLToText( $content );
}
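Review bot: The early `return $content unless $include{'EscapeHTML'};` hands the article content back with no processing at all, so with the box unchecked nothing stands between stored article markup and the ticket message box. It also bypasses any later steps in `$get_content` that are not visible in this hunk, not only the `ConvertHTMLToText` branch. Suggest passing the content through an allowlist-based HTML sanitizer on this path instead of returning it raw, and adding a test that covers both settings. The existing branch converts HTML to text rather than escaping it, so the option name `EscapeHTML` does not describe what is being switched off.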
commit 2c41132d84f074f463bb2741b69eba109e77e72d
Author: Maureen E. Mirville <maureen at bestpractical.com>
Date: Fri May 4 16:01:13 2018 -0400
Updated Articles docs to include disabling escaped HTML
diff --git a/docs/customizing/articles_introduction.pod b/docs/customizing/articles_introduction.pod
index 363a3859d..09b42d531 100644
--- a/docs/customizing/articles_introduction.pod
+++ b/docs/customizing/articles_introduction.pod
@@ -111,6 +111,27 @@ Articles can be included by searching for them, knowing the Id of the
article, using the Article Hotlist and using the Queue-specific
dropdown.
+=head3 Disabling Escaped HTML
+
+By default, when an article is inserted into the ticket message box,
+as a security measure, HTML tags are escaped and only text is displayed.
+For example, RT will display "Me You Greeting Hello world!" from the
+following XML:
+
+ <?xml version="1.0" encoding="UTF-8"?>
+ <note>
+ <to>Me</to>
+ <from>You</from>
+ <heading>Greeting</heading>
+ <body>Hello world!</body>
+ </note>
+
+In cases as above, where the content is harmless and displaying it on the
+ticket might be necessary, there is an option to disable escaping these
+tags per article class. This can be done by unchecking the "Escape HTML"
+box on the Modify Class page. Please note this is potentially unsafe and
+its use should be limited to trusted administrators.
+
=head2 Queue-Specific List of Articles
You can use Topics to organize a set of Queue-specific Articles.
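Review bot: The closing caveat in the new "Disabling Escaped HTML" section limits the option to "trusted administrators", but the setting applies per article class, so the markup that reaches the message box comes from whoever writes articles in that class, not from whoever unchecked the box. Suggest saying that escaping should only be disabled for classes whose articles are all written by trusted users. The section also describes tags as "escaped" while its own example output, "Me You Greeting Hello world!", shows them removed; one term should be used throughout.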
-----------------------------------------------------------------------