[rt-users] Editing /opt/rt4/share/html/Ticket/Elements/ShowTransactionAttachments to show HTML in display ticket body breaks RT interface.

Kevin Falcone falcone at bestpractical.com
Wed Apr 11 10:45:36 EDT 2012


On Wed, Apr 11, 2012 at 10:17:50AM +0700, Luong Bui Duc wrote:
> I'm trying to set RT so it shows the HTML tables/hyperlinks directly in
> the Display ticket page. My RT_SiteConfig.pm includes PreferRichText &
> TrustHTMLAttachments 1, but that only seems to work when the user downloads
> the ticket as an attachment. I edited some code in this file:
> 
> /opt/rt4/share/html/Ticket/Elements/ShowTransactionAttachments
> 
> uncommented these 2 lines:
> 
> Line 209: #$content = $m->comp( '/Elements/ScrubHTML', Content => $content );
> Line 230: #$content = $m->comp( '/Elements/ScrubHTML', Content => $content );
> 
> This seems to do the trick, but the interface of RT has changed too; now
> buttons are underlined and labels are in blue color as hyperlinks.
> 
> Please let me know what is the proper way to achieve this without breaking
> RT?

You've now opened yourself up to a ton of attack vectors by removing
the scrubbing.  PreferRichText is the correct way to do what you want.
If you need to allow certain pieces of HTML through that are currently
scrubbed, you can cleanly add to the ScrubHTML method in Web.pm using
the standard override techniques.

-kevin
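
An added example, not part of the original post and not RT's own code: a stand-alone Perl sketch of the allowlist approach the reply recommends, where table and link markup is let through while scripts, event handlers, inline styles and non-http link schemes are still stripped. It assumes the HTML::Scrubber module from CPAN is installed; the function name `new_ticket_scrubber`, the tag list and the sample body are constructed for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use HTML::Scrubber;    # CPAN module; assumed to be installed

# Build a scrubber that denies everything except an explicit allowlist.
# (Hypothetical helper name; this is not a function from RT.)
sub new_ticket_scrubber {
    my $scrubber = HTML::Scrubber->new;
    $scrubber->default( 0, { '*' => 0 } );    # unknown tags and attributes are dropped
    $scrubber->comment(0);                    # HTML comments are dropped too

    # Plain formatting and table structure: tag allowed, no attributes kept.
    $scrubber->allow(qw(p br b i em strong ul ol li table thead tbody tr));

    # Tags that need attributes get an explicit per-attribute rule.
    my $span = qr/^\d{1,3}$/;
    $scrubber->rules(
        a  => { href    => qr{^(?:https?://|mailto:)}i, '*' => 0 },
        td => { colspan => $span, rowspan => $span, '*' => 0 },
        th => { colspan => $span, rowspan => $span, '*' => 0 },
    );
    return $scrubber;
}

# Constructed sample of an HTML mail body (not taken from the thread).
my $body = <<'HTML';
<table onmouseover="alert(1)"><tr><th colspan="2">Host</th></tr>
<tr><td>web01</td><td><a href="https://example.com/status">status</a></td></tr></table>
<p style="position:fixed">See <a href="javascript:alert(1)">details</a></p>
<script>alert(1)</script>
HTML

# Print the scrubbed body: the table and the https link remain usable,
# everything outside the allowlist is removed before display.
print new_ticket_scrubber()->scrub($body);
```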