[rt-users] html only message do not display in RT

Ruslan U. Zakirov cubic at acronis.ru
Tue Dec 9 13:01:04 EST 2003


Jesse Vincent wrote:
> 
> 
> On Tue, Dec 09, 2003 at 10:41:30AM -0700, Michael D. Richards wrote:
> 
>>Using RT 3.0.6, Apache 1.3.28.
>>
>>If a single part html message arrives, RT does not display the body of 
>>that message in the ticket. Even something as simple as the following 
>>will not display:
> 
> 
> Displaying html content inline opens us up to cross-site scripting
> attacks. A malicious end-user could send in mail which contained
> javascript which resolved all your tickets and then sent out spam to
> each and every one of them using RT.  If you click on the link to the
> right, you can download the html message marked as plain text.
> 
> RT 3.0.7 has a better message when this happens.
		Hello, Jesse and Michael
I've posted a simple patch that uses HTML::Scrubber to convert HTML to 
plain text. It's usable and could be changed to produce HTML scrubbed 
of JS or other active objects.

I can make this patch nicer if you agree to merge it; otherwise 
it's enough for our users.

Patch attached.
			Best regards. Ruslan.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: rt3.html_display.patch
Type: application/aegis-patch
Size: 2516 bytes
Desc: not available
URL: <http://lists.bestpractical.com/pipermail/rt-users/attachments/20031209/520961ea/attachment.bin>
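
The two modes mentioned in this message (HTML reduced to plain text, and HTML scrubbed of active content), as an added example that is not the attached patch or RT's own code. The function names html_to_text and html_to_safe_html, the sample mail body and the tag allow-list are assumptions made for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use HTML::Scrubber;

# Constructed sample: a single-part HTML mail body carrying active content.
my $body = <<'HTML';
<html><body onload="run()">
<p>Hello, my <b>printer</b> is broken.</p>
<script>run();</script>
<a href="javascript:run()" onclick="run()">details</a>
<a href="http://example.com/kb/42">knowledge base</a>
</body></html>
HTML

# HTML to plain text: no tag is allowed, so the markup is stripped.
sub html_to_text {
    my ($html) = @_;
    my $scrubber = HTML::Scrubber->new;      # no allow rules: every tag is removed
    $scrubber->comment(0);                   # drop <!-- comments -->
    $scrubber->process(0);                   # drop <? processing instructions ?>
    my $text = $scrubber->scrub($html);
    $text =~ s/^[ \t]+|[ \t]+$//mg;          # trim each line
    $text =~ s/\n{2,}/\n/g;                  # collapse blank lines left by removed tags
    return $text;
}

# Scrubbed HTML: a small allow-list of inert formatting tags (assumed list).
sub html_to_safe_html {
    my ($html) = @_;
    my $scrubber = HTML::Scrubber->new(
        allow => [qw( p br b i u em strong ul ol li blockquote pre )],
    );
    # Unlisted tags and all attributes (onload, onclick, style, ...) are denied.
    $scrubber->default( 0, { '*' => 0 } );
    # Links keep href only, and only when it is an absolute http(s) URL.
    $scrubber->rules( a => { href => qr{^https?://}i, '*' => 0 } );
    return $scrubber->scrub($html);
}

# Print both renderings when run as a script.
unless (caller) {
    print "--- plain text ---\n", html_to_text($body), "\n";
    print "--- scrubbed HTML ---\n", html_to_safe_html($body);
}
```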