[rt-devel] Link in transaction descriptions?

Kevin Falcone falcone at bestpractical.com
Thu Dec 27 14:21:03 EST 2012


On Thu, Nov 08, 2012 at 12:22:10PM -0500, Jérôme Charaoui wrote:
> On 2012-11-06 14:53, Kevin Falcone wrote:
> >While it's possible to change BriefDescription in RT::Transaction to
> >do that (or even to use the ModifyDisplay callback to add it in later)
> >the problem is that the transaction description is passed through
> >Mason's HTML escaper, and the link wouldn't work.  We could turn that
> >off, but it would require effort to ensure that no security bugs
> >(displaying user entered info unescaped) are added.
> 
> Thanks for taking the time to reply.
> 
> I understand the concern. Extra care should indeed be taken when
> changing something that could introduce security issues.
> 
> Another way to deal with this in a more concise way could be to add
> a property to RT::Transaction (i.e. BriefDescriptionLink) which would
> contain an RT-built URL. In the case of a ticket relationship
> transaction, it could contain the URL of the related ticket.
> 
> Then it would simply be a matter of adjusting the ShowTransaction
> template to check for BriefDescriptionLink and, if non-empty, wrap
> $desc entirely with an anchor tag with the url parameter set to
> BriefDescriptionLink. This way BriefDescription would remain
> HTML-escaped at all times.

A branch called 4.2/html-transaction-descriptions was recently merged
to master and will be included in 4.2.0, which has this and many other
links.

-kevin
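The approach proposed in the quoted message (keep BriefDescription HTML-escaped, and only wrap it in an anchor when an RT-built BriefDescriptionLink is present), as an added Perl illustration that is not RT's own code; `ticket_link` and `render_description` are hypothetical helpers standing in for the proposed property and the ShowTransaction template change, and the sample description is constructed.

```perl
#!/usr/bin/perl
# Added illustration (not RT code): render a transaction description so that
# user-entered text is always HTML-escaped, while the surrounding link comes
# only from a URL RT itself built.
use strict;
use warnings;

# Minimal HTML escaper, standing in for Mason's default escape filter.
sub escape_html {
    my ($s) = @_;
    $s =~ s/&/&amp;/g;
    $s =~ s/</&lt;/g;
    $s =~ s/>/&gt;/g;
    $s =~ s/"/&quot;/g;
    $s =~ s/'/&#39;/g;
    return $s;
}

# Hypothetical stand-in for BriefDescriptionLink: the URL is derived from a
# numeric ticket id only, never from free-form user input. Anything that is
# not a plain id yields an empty link, so no anchor is emitted at all.
sub ticket_link {
    my ($id) = @_;
    return '' unless defined $id && $id =~ /\A\d+\z/;
    return "/Ticket/Display.html?id=$id";
}

# Equivalent of the proposed template change: escape $desc first, then (only
# if a link exists) wrap the already-escaped text in an anchor whose href is
# the RT-built URL, itself escaped as an attribute value.
sub render_description {
    my ($desc, $link) = @_;
    my $safe = escape_html($desc);
    return $safe unless defined $link && length $link;
    return '<a href="' . escape_html($link) . '">' . $safe . '</a>';
}

# Constructed sample: a description carrying markup a user could have typed.
my $desc = 'Ticket <script>alert(1)</script> added as Depends On';

# Valid id: the description is linked, and the markup stays escaped.
print render_description($desc, ticket_link(42)), "\n";

# Invalid id: no link is built, so the description is emitted escaped only.
print render_description($desc, ticket_link('42" onmouseover="x')), "\n";
```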