[rt-users] view original html attachment?
Adam Thompson
athompso at athompso.net
Tue Jun 28 23:29:33 EDT 2011
> Displaying as unsanitized HTML is a security risk that allows
> cross-site scripting attacks. If you really want to, you can set
> the option below.
> From etc/RT_Config.pm:
>
> =item C<$TrustHTMLAttachments>
>
> If C<TrustHTMLAttachments> is not defined, we will display them as
> text. This prevents malicious HTML and JavaScript from being sent
> in a request (although there is probably more to it than that)
>
> =cut
>
> Set($TrustHTMLAttachments, undef);
>
> Thomas
That does pretty much exactly what I wanted, thank you. I misinterpreted
that option; I thought what it affected was the sanitized HTML display in
the ticket history... The description for the option makes sense, once
you remember that all HTML email is actually an unnamed MIME part, treated
as an "attachment" in the underlying mail-processing code.

I would suggest editing RT_Config.pm as so:
Always download attachments, regardless of content type. If set, this
- overrides C<TrustHTMLAttachments>.
+ overrides C<TrustHTMLAttachments>. See also PreferRichText for the
+ display of HTML content in ticket history.
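Review bot: the added sentence names PreferRichText as bare text, while the line above it marks up the other option as C<TrustHTMLAttachments>; write it as C<PreferRichText> so both option names render the same way in the POD. The cross-reference also sits in the description of the always-download option, whereas the confusion described in this message was about TrustHTMLAttachments itself, so the same "See also" sentence would be easier to find under =item C<$TrustHTMLAttachments>.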
to make that just a little bit clearer.
Thank you for the pointer,
-Adam Thompson
athompso at athompso.net
(204) 291-7950 - direct
(204) 489-6515 - fax