[rt-users] Inline screenshots

Ruslan Zakirov ruz at bestpractical.com
Thu Jul 19 17:12:24 EDT 2012


On Thu, Jul 19, 2012 at 11:44 PM, Florin Andrei <florin at andrei.myip.org> wrote:
> On 07/19/2012 03:59 AM, Rémi wrote:
>>
>>
>> I got this working in RT 3.8.8 by modifying /Elements/ScrubHTML to
>> authorize IMG elements and the src attribute. After that you can see
>> inline images in ticket history.
>> In RT4, ScrubHTML has been moved to /RT/Interface/Web.pm
>
>
> In RT4, I did this:
>
> --- Web.pm.old  2012-07-19 13:31:31.220050969 -0700
> +++ Web.pm      2012-07-19 13:32:10.034169941 -0700
> @@ -2867,7 +2867,7 @@
>      );
>      $scrubber->deny(qw[*]);
>      $scrubber->allow(
> -        qw[A B U P BR I HR BR SMALL EM FONT SPAN STRONG SUB SUP STRIKE H1
> H2 H3 H4 H5 H6 DIV UL OL LI DL DT DD PRE BLOCKQUOTE]
> +        qw[A B U P BR I HR BR SMALL EM FONT SPAN STRONG SUB SUP STRIKE H1
> H2 H3 H4 H5 H6 DIV UL OL LI DL DT DD PRE BLOCKQUOTE IMG SRC]
>      );
>      $scrubber->comment(0);
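Review bot: `SRC` on the `+` line is an attribute name, not an element, so appending it to `allow(qw[...])` does nothing; `allow()` takes tag names, and attribute policy in HTML::Scrubber lives in the `default()` and `rules()` hashes. The real problem is admitting `IMG` with no constraint on `src`: whoever writes the ticket picks the URL, and the viewer's browser requests it with the viewer's RT session, so any GET-triggered action in RT becomes reachable just by opening the ticket (the point Ruslan makes below). If inline images are wanted, drop `SRC` from the tag list and give `img` its own `rules()` entry whose `src` is restricted, for instance to RT's own relative attachment paths. Minor: `BR` appears twice in the list, and the `qw[...]` is wrapped over two lines by the mail client, so apply the change by hand rather than with `patch`.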
>
> But if I include a link to an image in a ticket, all I get is the URL
> displayed as text:
>
> http://www.site.com/image.jpg
>
> Does the message need to be formatted as HTML to begin with?

Note that such a change introduces a security vulnerability that is easily
exploitable. People can insert URLs into img's src attribute that
point to RT itself and do some actions on behalf of the user who is
looking at the ticket.

> --
> Florin Andrei
> http://florin.myip.org/



-- 
Best regards, Ruslan.
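One way to get inline screenshots without the exposure Ruslan describes, as an added example that is not RT's code and not from anyone in this thread: keep the deny-all scrubber from Web.pm, but admit <img> through a per-tag HTML::Scrubber rule whose src must match RT's own relative attachment path, so the reader's browser never requests an author-chosen URL. The `new`, `default`, `deny`, `allow`, `rules`, `comment` and `scrub` calls are the real HTML::Scrubber API; the attachment path pattern, the WebPath prefix, and the sample ticket body with the host rt.example.test are assumptions constructed for the example.

```perl
#!/usr/bin/perl
# Added example, not RT's code: an HTML::Scrubber policy that admits
# inline <img> only when src is a relative attachment path, so viewing a
# ticket never makes the reader's browser request an author-chosen URL.
use strict;
use warnings;
use HTML::Scrubber;

# Assumed shape of RT attachment links (check it against your WebPath);
# any other src, including absolute http(s) URLs, is stripped.
my $ATTACHMENT_SRC = qr{^(?:/[^/\s]+)?/Ticket/Attachment/\d+/\d+/[^\s"'<>]+\z}i;

sub build_scrubber {
    my $scrubber = HTML::Scrubber->new;

    # Attribute policy for tags without a rule of their own: drop every
    # attribute except href, and never let href carry a script: URL.
    $scrubber->default(
        0,
        {
            '*'  => 0,
            href => qr/^(?!\s*(?:java|vb)?script:)/i,
        },
    );

    # Deny every tag, then allow plain formatting (the allow() list from
    # the quoted patch without IMG and SRC).
    $scrubber->deny(qw[*]);
    $scrubber->allow(
        qw[A B U P BR I HR SMALL EM FONT SPAN STRONG SUB SUP STRIKE
           H1 H2 H3 H4 H5 H6 DIV UL OL LI DL DT DD PRE BLOCKQUOTE]
    );

    # IMG gets its own rule: SRC is an attribute, so it is constrained
    # here rather than listed as if it were a tag.
    $scrubber->rules(
        img => {
            src => $ATTACHMENT_SRC,
            alt => 1,
            '*' => 0,
        },
    );
    $scrubber->comment(0);
    return $scrubber;
}

# Constructed sample ticket body: one image served by RT itself, one
# pointing at an arbitrary absolute URL.
my $html = join '',
    '<p>Screenshot attached:</p>',
    '<img src="/Ticket/Attachment/123/456/shot.png" alt="shot">',
    '<img src="http://rt.example.test/not/an/attachment" alt="external">';

print build_scrubber()->scrub($html), "\n";
```

An attribute that fails its rule is simply omitted from the output tag, so the second image is emitted without a src and the browser fetches nothing for it, while the attachment served by RT keeps both src and alt. This also answers the question in the thread: the scrubber only ever sees HTML, so a bare URL in a plain-text message stays text no matter what the allow list contains.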


