[Rt-commit] rt branch, 4.4-trunk, updated. rt-4.4.2-231-gca3cf1a13

sunnavy sunnavy at bestpractical.com
Fri May 4 16:41:01 EDT 2018


The branch, 4.4-trunk has been updated
       via  ca3cf1a13a9c6561257f5965775586d2bec304e8 (commit)
       via  da9dfe72e66c46bc599542e69f84b5d72d7fb9f7 (commit)
       via  9d4d692282e205345b62aa3f81e64cd7bf97ac84 (commit)
      from  4e6b89abb661379a0827680aca288b896a09bf5c (commit)

Summary of changes:
 docs/customizing/articles_introduction.pod        | 21 +++++++++++++++++++++
 share/html/Admin/Articles/Classes/Modify.html     |  6 +++++-
 share/html/Articles/Article/Elements/Preformatted |  4 ++--
 3 files changed, 28 insertions(+), 3 deletions(-)

- Log -----------------------------------------------------------------
commit 9d4d692282e205345b62aa3f81e64cd7bf97ac84
Author: Maureen E. Mirville <maureen at bestpractical.com>
Date:   Thu May 3 09:34:38 2018 -0400

    Add option to disable escaping HTML in articles
    
    Fixes: I#32374

diff --git a/share/html/Admin/Articles/Classes/Modify.html b/share/html/Admin/Articles/Classes/Modify.html
index ef3f50317..f69a1601d 100644
--- a/share/html/Admin/Articles/Classes/Modify.html
+++ b/share/html/Admin/Articles/Classes/Modify.html
@@ -92,6 +92,10 @@
     <input type="checkbox" id="Include-Summary" name="Include-Summary" value="1" <% $include{Summary} %>>
     <label for="Include-Summary"><&|/l&>Include article summary</&></label>
 </li>
+<li>
+     <input type="checkbox" id="Include-EscapeHTML" name="Include-EscapeHTML" value="1" <% $include{EscapeHTML} %>>
+     <label for="Include-EscapeHTML"><&|/l&>Escape HTML (Unchecking this box is potentially unsafe)</&></label>
+</li>
 % if ( $cfs ) {
 % while (my $cf = $cfs->Next) {
 <li><&|/l, $cf->Name &>Include custom field '[_1]'</&>
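
Review bot: The label on the new `Include-EscapeHTML` checkbox says "Escape HTML", but the condition this setting feeds in Preformatted guards `RT::Interface::Email::ConvertHTMLToText`, which converts markup to text rather than escaping it, so the label describes a different operation from the one being switched off. Suggest wording the label after what actually happens (for example "Convert HTML to plain text") and having the parenthetical say what unchecking does, namely that article content is inserted with its markup unchanged, instead of only "potentially unsafe". The `Include-` prefix on the id and name also reads oddly next to `Include-Summary`, since this box does not select a part of the article to include.
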
@@ -187,7 +191,7 @@ if ((defined $Enabled && $Enabled == 1) or (not defined $Enabled and $Create)) {
     $Disabled = 1;
 }
 
-my %include = (Name => 1, Summary => 1);
+my %include = (Name => 1, Summary => 1, EscapeHTML => 1);
 my $subject_cfs = [];
 my $subject_cf_labels = {};
 
diff --git a/share/html/Articles/Article/Elements/Preformatted b/share/html/Articles/Article/Elements/Preformatted
index 74e5af058..997c4cd29 100644
--- a/share/html/Articles/Article/Elements/Preformatted
+++ b/share/html/Articles/Article/Elements/Preformatted
@@ -84,7 +84,7 @@
 % }
 <%init>
 my $class = $Article->ClassObj;
-my %include = (Name => 1, Summary => 1);
+my %include = (Name => 1, Summary => 1, EscapeHTML => 1);
 my $cfs = $class->ArticleCustomFields;
 $include{"CF-Title-".$_->Id} = $include{"CF-Value-".$_->Id} = 1 while $_ = $cfs->Next;
 $include{$_} = not $class->FirstAttribute("Skip-$_") for keys %include;
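
Review bot: `EscapeHTML => 1` is added to `%include` here and again, as the same literal, in Modify.html, so the secure default now lives in two places that have to be kept in step by hand. Because the next line derives every key from a `Skip-$_` attribute, the flag is also stored as `Skip-EscapeHTML`, which mixes a content-handling switch in with the list of article parts to include. Suggest defining the default once and sharing it between the two components, or giving this switch its own clearly named class attribute, and adding a short comment that a missing attribute must mean conversion stays on.
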
@@ -102,7 +102,7 @@ my $get_content = sub {
         content => \$content,
     );
 
-    if ( $content =~ /<.{1,5}>/ ) {
+    if ( $include{'EscapeHTML'} && $content =~ /<.{1,5}>/ ) {
         $content = RT::Interface::Email::ConvertHTMLToText( $content );
     }
     return $content;
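
Review bot: With the new `$include{'EscapeHTML'} &&` guard, a class that has the box unchecked skips `ConvertHTMLToText` entirely and `$get_content` returns the article content exactly as stored, with no other filtering on this path. If the goal is to let harmless markup such as the XML in the docs example through, consider passing the content through an allow-list sanitizer in an `else` branch rather than returning it raw, so that script-capable markup is still removed. The change summary also lists no test file; a test covering both states of the flag would lock in that conversion remains the default.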

commit da9dfe72e66c46bc599542e69f84b5d72d7fb9f7
Author: Maureen E. Mirville <maureen at bestpractical.com>
Date:   Fri May 4 16:01:13 2018 -0400

    Updated Articles docs to include disabling escaped HTML

diff --git a/docs/customizing/articles_introduction.pod b/docs/customizing/articles_introduction.pod
index 363a3859d..09b42d531 100644
--- a/docs/customizing/articles_introduction.pod
+++ b/docs/customizing/articles_introduction.pod
@@ -111,6 +111,27 @@ Articles can be included by searching for them, knowing the Id of the
 article, using the Article Hotlist and using the Queue-specific
 dropdown.
 
+=head3 Disabling Escaped HTML
+
+By default, when an article is inserted into the ticket message box,
+as a security measure, HTML tags are escaped and only text is displayed.
+For example, RT will display "Me You Greeting Hello world!" from the
+following XML:
+
+  <?xml version="1.0" encoding="UTF-8"?>
+  <note>
+    <to>Me</to>
+    <from>You</from>
+    <heading>Greeting</heading>
+    <body>Hello world!</body>
+  </note>
+
+In cases as above, where the content is harmless and displaying it on the
+ticket might be necessary, there is an option to disable escaping these
+tags per article class. This can be done by unchecking the "Escape HTML"
+box on the Modify Class page. Please note this is potentially unsafe and
+its use should be limited to trusted administrators.
+
 =head2 Queue-Specific List of Articles 
 
 You can use Topics to organize a set of Queue-specific Articles.
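
Review bot: The new section says HTML tags are "escaped", but its own example output, "Me You Greeting Hello world!", shows the tags removed and only the text kept, which matches the `ConvertHTMLToText` call in Preformatted; suggest "converted to plain text" or "stripped" so the docs describe the behaviour readers will see. The closing caution could also be more specific: the option applies to the whole article class, so it is worth stating that every article in that class will then be inserted with its markup intact, and that the class should only hold content from authors who are trusted to write raw HTML.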

commit ca3cf1a13a9c6561257f5965775586d2bec304e8
Merge: 4e6b89abb da9dfe72e
Author: sunnavy <sunnavy at bestpractical.com>
Date:   Sat May 5 04:24:50 2018 +0800

    Merge branch '4.4/insert-raw-html-articles' into 4.4-trunk


-----------------------------------------------------------------------

