[rt-devel] Link in transaction descriptions?

Jérôme Charaoui jcharaoui at cmaisonneuve.qc.ca
Thu Nov 8 12:22:10 EST 2012


On 2012-11-06 14:53, Kevin Falcone wrote:
> While it's possible to change BriefDescription in RT::Transaction to
> do that (or even to use the ModifyDisplay callback to add it in later)
> the problem is that the transaction description is passed through
> Mason's HTML escaper, and the link wouldn't work.  We could turn that
> off, but it would require effort to ensure that no security bugs
> (displaying user entered info unescaped) are added.

Thanks for taking the time to reply.

I understand the concern. Extra care should indeed be taken when 
changing something that could introduce security issues.

Another way to deal with this in a more concise way could be to add a 
property to RT::Transaction (i.e. BriefDescriptionLink) which would contain 
an RT-built URL. In the case of a ticket relationship transaction, it 
could contain the URL of the related ticket.

Then it would simply be a matter of adjusting the ShowTransaction 
template to check for BriefDescriptionLink and, if non-empty, wrap $desc 
entirely with an anchor tag with the url parameter set to 
BriefDescriptionLink. This way BriefDescription would remain 
HTML-escaped at all times.

What do you think?
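
A sketch of the approach proposed in the message above, added as an illustration and not taken from RT or from the original post: the description is always escaped, and the anchor is emitted only for a URL built server-side. `escape_html` is a stand-in for Mason's HTML escaper, and `$WEB_URL`, `brief_description_link` and `render_description` are hypothetical names.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Stand-in for Mason's HTML escaper (assumption: escapes & < > " ').
sub escape_html {
    my ($s) = @_;
    my %map = ('&' => '&amp;', '<' => '&lt;', '>' => '&gt;',
               '"' => '&quot;', "'" => '&#39;');
    $s =~ s/([&<>"'])/$map{$1}/g;
    return $s;
}

# Constructed base URL for the example; a real install would use its own.
my $WEB_URL = 'https://rt.example.com/';

# Hypothetical BriefDescriptionLink: built by the server from a numeric
# ticket id only, so no user-entered text ever becomes part of the URL.
sub brief_description_link {
    my ($ticket_id) = @_;
    return '' unless defined $ticket_id && $ticket_id =~ /\A[1-9][0-9]*\z/;
    return $WEB_URL . 'Ticket/Display.html?id=' . $ticket_id;
}

# Template step: escape the description unconditionally, then wrap it in
# an anchor only when the link is non-empty and starts with our base URL.
sub render_description {
    my ($desc, $link) = @_;
    $link = '' unless defined $link;
    my $safe = escape_html($desc);
    return $safe unless length $link && index($link, $WEB_URL) == 0;
    return '<a href="' . escape_html($link) . '">' . $safe . '</a>';
}

# Constructed sample: a description carrying user-entered markup.
my $desc = 'Dependency on ticket 42 ("<b>urgent</b>") added';

# Linked case: markup in the description stays inert inside the anchor.
print render_description($desc, brief_description_link(42)), "\n";

# No link (non-numeric id): falls back to the plain escaped description.
print render_description($desc, brief_description_link('42&x=1')), "\n";

# A link not built from the base URL is ignored rather than rendered.
print render_description($desc, 'http://other.example/'), "\n";
```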



