[rt-users] Inline screenshots
Ruslan Zakirov
ruz at bestpractical.com
Thu Jul 19 17:12:24 EDT 2012
On Thu, Jul 19, 2012 at 11:44 PM, Florin Andrei <florin at andrei.myip.org> wrote:
> On 07/19/2012 03:59 AM, Rémi wrote:
>>
>>
>> I got this working in RT 3.8.8 by modifying /Elements/ScrubHTML to
>> authorize IMG elements and the src attribute. After that you can see
>> inline images in ticket history.
>> In RT4, ScrubHTML has been moved to /RT/Interface/Web.pm
>
>
> In RT4, I did this:
>
> --- Web.pm.old 2012-07-19 13:31:31.220050969 -0700
> +++ Web.pm 2012-07-19 13:32:10.034169941 -0700
> @@ -2867,7 +2867,7 @@
> );
> $scrubber->deny(qw[*]);
> $scrubber->allow(
> - qw[A B U P BR I HR BR SMALL EM FONT SPAN STRONG SUB SUP STRIKE H1
> H2 H3 H4 H5 H6 DIV UL OL LI DL DT DD PRE BLOCKQUOTE]
> + qw[A B U P BR I HR BR SMALL EM FONT SPAN STRONG SUB SUP STRIKE H1
> H2 H3 H4 H5 H6 DIV UL OL LI DL DT DD PRE BLOCKQUOTE IMG SRC]
> );
> $scrubber->comment(0);
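Review bot: adding SRC to the allow() list next to IMG will not whitelist the src attribute: allow() is given tag names (see the rest of the list), and src is an attribute, so this change enables the <img> element while whether src survives is still decided by the scrubber's attribute rules (default/rules), which this hunk does not touch. If inline images are the goal, give img an explicit rule that constrains where the image may come from, e.g. `$scrubber->rules( img => { src => qr{^https://approved\.host/}i, alt => 1, '*' => 0 } );`, instead of keeping any src value; as the reply below points out, an unrestricted src lets a ticket embed URLs into RT itself that the viewer's browser fetches with the viewer's session. Minor: BR is listed twice in both the old and the new line.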
>
> But if I include a link to an image in a ticket, all I get is the URL
> displayed as text:
>
> http://www.site.com/image.jpg
>
> Does the message need to be formatted as HTML to begin with?
Note that such a change introduces a security vulnerability that is easily
exploitable. People can insert URLs into img's src attribute that
point to RT itself and do some actions on behalf of the user who is
looking at the ticket.
> --
> Florin Andrei
> http://florin.myip.org/
--
Best regards, Ruslan.
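To show the difference between the patch in Florin's message and a src policy that addresses Ruslan's concern, here is an added HTML::Scrubber example (not code from RT or from anyone in this thread). The ticket body, the approved image host img.example.net and the RT hostname rt.example.com are constructed for the example.

```perl
#!/usr/bin/env perl
use strict;
use warnings;
use HTML::Scrubber;

# Constructed ticket body (not from the thread). The second image's src
# points back at the RT instance itself: a viewer's browser would request
# it automatically, carrying that viewer's RT session cookie.
my $body = <<'HTML';
<p>Diagram below.</p>
<img src="https://img.example.net/diagram.png" alt="diagram">
<img src="https://rt.example.com/Ticket/Display.html?id=1" alt="">
HTML

# Builds a scrubber with the same deny-everything / allow-list shape that
# RT uses, then attaches the caller's policy for the src attribute of img.
sub make_scrubber {
    my (%img_attr) = @_;
    my $s = HTML::Scrubber->new;
    $s->default( 0, { '*' => 0, alt => 1 } );   # drop unknown attributes
    $s->deny('*');
    $s->allow(qw[A B U P BR I EM STRONG UL OL LI PRE BLOCKQUOTE]);
    # A rules() entry both allows <img> and decides which attributes survive.
    $s->rules( img => { '*' => 0, alt => 1, %img_attr } );
    $s->comment(0);
    return $s;
}

# Weak policy: every src value is kept, so the same-origin URL above is
# rendered as an image and fetched by whoever views the ticket.
my $weak = make_scrubber( src => 1 );

# Restricted policy: src must be an absolute https URL on the approved
# image host (assumed hostname). Anything else, including URLs into RT
# itself, loses its src attribute and is therefore never requested.
my $approved = qr{^https://img\.example\.net/}i;
my $safe     = make_scrubber( src => $approved );

print "--- weak policy ---\n",       $weak->scrub($body);
print "--- restricted policy ---\n", $safe->scrub($body);
```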