[rt-devel] HTML on ShowTransaction for Explorer.

Jesse Vincent jesse at bestpractical.com
Fri Aug 24 16:48:28 EDT 2001


The problem with automatically displaying html messages is that it makes
it trivial for a malicious user to take control of your RT session.
Because of the security implications, it's not something I'm really
willing to add to RT.


On Fri, Aug 24, 2001 at 05:41:59PM -0300, Saverio Palmieri Neto wrote:
> Hello everybody,
> 
> 	We receive a lot of messages in HTML and it's uncomfortable to have to open
> those by download link. We did a small change on the
> Ticket/Elements/ShowTransaction file allowing HTML message display inside an
> IFrame. Our intranet system is entirely based on explorer browser so we
> don't care about netscape compatibility.
> 
> 	At the end of the message you will find the piece of code already changed.
> Hope this can be useful to anyone else, and if someone can make this
> Netscape friendly, maybe Jesse can add this as a new option to the official
> release.
> 
> 	Best regards,
> 
> 		Saverio.
> 
> % # 13456 is a random # of about the biggest size we'd want to see inline text
> % if ($message->ContentType =~ m{^(text/plain|message|text$)}i && length($message->Content)<13456) {
> % #TODO We're now HTML escaping the message content, but should
> % #TODO probably deal with converting links
> <pre><% $message->Content %></pre>
> 
> % ### HTML message display inside an IFrame.
> %  } elsif ($message->ContentType =~ m{^(text/html$)}i && length($message->Content)<13456) {
>   <iframe width="100%" height=300 src="Attachment/<%$Transaction->Id%>/<%$message->Id%>/<%$message->Filename%>"></iframe>
> % ###
> 
> %  } elsif ($message->ContentType =~ m{^multipart}) {
> <i>This is a multipart message</i>
> % }
> 
> 
> _______________________________________________
> rt-devel mailing list
> rt-devel at lists.fsck.com
> http://lists.fsck.com/mailman/listinfo/rt-devel
> 

-- 
http://www.bestpractical.com/products/rt  -- Trouble Ticketing. Free.
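
Added example (not part of the original thread and not RT's own code): the session risk described above arises because the iframe loads sender-controlled HTML from RT's own origin, so any script in the mail runs with the viewer's RT session. The Perl sketch below serves such an attachment so that it cannot script that session. It assumes a browser that enforces the Content-Security-Policy sandbox directive and the iframe sandbox attribute; attachment_headers and preview_iframe are hypothetical names.

```perl
use strict;
use warnings;
use 5.010;

# Types the browser displays as inert text; anything else may carry script.
my %INERT = map { $_ => 1 } qw(text/plain);

# Hypothetical helper: response headers for serving one stored attachment.
sub attachment_headers {
    my ($content_type, $filename, $preview) = @_;
    # Drop parameters such as "; charset=..." and normalise case.
    my ($type) = lc($content_type // '') =~ m{^\s*([^;\s]+)};
    $type //= 'application/octet-stream';
    # Keep the stored filename from breaking out of the quoted header value.
    (my $safe = $filename // 'attachment') =~ s/[^A-Za-z0-9._-]/_/g;

    my %h = (
        'Content-Type'           => $type,
        'X-Content-Type-Options' => 'nosniff',   # no sniffing text into HTML
        'Content-Disposition'    => qq{inline; filename="$safe"},
    );
    unless ($INERT{$type}) {
        # Sender-controlled markup: the CSP sandbox gives the response a unique
        # origin and no script, so it cannot read or act on the RT session;
        # default-src 'none' also blocks remote loads from the message.
        $h{'Content-Security-Policy'} = q{sandbox; default-src 'none'};
        $h{'Content-Disposition'} = qq{attachment; filename="$safe"}
            unless $preview;
    }
    return \%h;
}

# Hypothetical helper: iframe for an inline preview. The empty sandbox
# attribute disables script, forms and same-origin access inside the frame.
sub preview_iframe {
    my ($url) = @_;
    my %ent = ('&' => '&amp;', '<' => '&lt;', '>' => '&gt;', '"' => '&quot;');
    (my $src = $url) =~ s/([&<>"])/$ent{$1}/g;
    return qq{<iframe sandbox width="100%" height="300" src="$src"></iframe>};
}

# Constructed sample: an HTML mail body stored as attachment 42 of transaction 7.
my $h = attachment_headers('text/HTML; charset=us-ascii', 'msg "1".html', 1);
say "$_: $h->{$_}" for sort keys %$h;
say preview_iframe('Attachment/7/42/msg_1.html');
```

The response header and the iframe attribute are independent layers: the header still applies when someone opens the attachment URL directly instead of through the frame.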



