[rt-users] Inline screenshots

Rémi mirebob at gmail.com
Fri Jul 20 08:43:21 EDT 2012


2012/7/19 Ruslan Zakirov <ruz at bestpractical.com>:
> On Thu, Jul 19, 2012 at 11:44 PM, Florin Andrei <florin at andrei.myip.org> wrote:
>> On 07/19/2012 03:59 AM, Rémi wrote:
>>>
>>>
>>> I got this working in RT 3.8.8 by modifying /Elements/ScrubHTML to
>>> authorize IMG elements and the src attribute. After that you can see
>>> inline images in ticket history.
>>> In RT4, ScrubHTML has been moved to /RT/Interface/Web.pm
>>
>>
>> In RT4, I did this:
>>
>> --- Web.pm.old  2012-07-19 13:31:31.220050969 -0700
>> +++ Web.pm      2012-07-19 13:32:10.034169941 -0700
>> @@ -2867,7 +2867,7 @@
>>      );
>>      $scrubber->deny(qw[*]);
>>      $scrubber->allow(
>> -        qw[A B U P BR I HR BR SMALL EM FONT SPAN STRONG SUB SUP STRIKE H1
>> H2 H3 H4 H5 H6 DIV UL OL LI DL DT DD PRE BLOCKQUOTE]
>> +        qw[A B U P BR I HR BR SMALL EM FONT SPAN STRONG SUB SUP STRIKE H1
>> H2 H3 H4 H5 H6 DIV UL OL LI DL DT DD PRE BLOCKQUOTE IMG SRC]
>>      );
>>      $scrubber->comment(0);
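Review bot: on the `+` line, `SRC` is not an element name, so passing it to `$scrubber->allow(...)` (which takes tag names) has no effect; what the change really does is permit `IMG` with whatever attributes the scrubber's default attribute rules allow, leaving `src` unconstrained so the tag can point at any URL. If inline images are wanted, add an explicit `$scrubber->rules( img => { src => qr{^data:image}i, alt => 1, '*' => 0 } )` entry after the allow() call rather than extending the tag list. Minor: `BR` appears twice in the qw[] list on both the `-` and `+` lines.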
>>
>> But if I include a link to an image in a ticket, all I get is the URL
>> displayed as text:
>>
>> http://www.site.com/image.jpg
>>
>> Does the message need to be formatted as HTML to begin with?
>
> Note that such a change introduces a security vulnerability that is easily
> exploitable. People can insert URLs into img's src attribute that
> point to RT itself and do some actions on behalf of the user who is
> looking at the ticket.
>

In my case I tweaked the scrubber a little more to avoid (reduce)
security issues; the only thing I wanted is the ability to paste an image in the
CKeditor (<img src="data:image/png;base64..... />).
This does the trick after the $scrubber->allow() call:

$scrubber->rules(
    img => {
        src => qr{^data\:image}i,   # only inline data:image URIs, never a remote URL
        alt => 1,                   # alt text is kept
        '*' => 0,                   # every other img attribute is stripped
    },
);

Rémi


>> --
>> Florin Andrei
>> http://florin.myip.org/
>
>
>
> --
> Best regards, Ruslan.
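The policy discussed in this thread (allow IMG, but only when its src is an inline data:image URI, keep alt, drop everything else, and refuse remote URLs that could point back into RT) written out as a small whitelist scrubber in Python so it can be run and checked offline. This is an added example, not RT's code and not the Perl HTML::Scrubber rules posted above; the tag list mirrors the allow() call quoted in the thread, the sample ticket bodies are constructed, and the image rule is deliberately stricter than qr{^data:image}i (base64 png/jpeg/gif only, so data:image/svg+xml is refused as well) as a choice of this example, not of the thread.

```python
"""Whitelist scrubber for ticket HTML (added example, not RT's implementation)."""
from html import escape
from html.parser import HTMLParser
import re

# Tag list mirrors the $scrubber->allow(...) call quoted in the thread, plus IMG.
ALLOWED_TAGS = set("""a b u p br i hr small em font span strong sub sup strike
    h1 h2 h3 h4 h5 h6 div ul ol li dl dt dd pre blockquote img""".split())
VOID_TAGS = {"br", "hr", "img"}

# Assumption of this example: only base64 raster images are accepted inline.
# The thread's rule (qr{^data:image}i) is looser; this one also rejects SVG.
INLINE_IMG_RE = re.compile(r"^data:image/(?:png|jpeg|gif);base64,[A-Za-z0-9+/]+=*$", re.I)
SAFE_HREF_RE = re.compile(r"^https?://", re.I)


class TicketScrubber(HTMLParser):
    """Re-emits only whitelisted tags/attributes; records what it refused."""

    def __init__(self):
        super().__init__(convert_charrefs=False)
        self.out = []
        self.rejected = []  # (tag, reason) pairs, handy for logging/alerting

    def _attr_filter(self, tag, attrs):
        """Return the attributes to keep for an allowed tag, or None to drop the tag."""
        attrs = {k: (v or "") for k, v in attrs}
        if tag == "img":
            src = attrs.get("src", "")
            if not INLINE_IMG_RE.match(src):
                return None  # remote src (e.g. a URL back into RT) is refused outright
            kept = {"src": src}
            if "alt" in attrs:
                kept["alt"] = attrs["alt"]
            return kept  # equivalent of '*' => 0: nothing else survives
        if tag == "a":
            href = attrs.get("href", "")
            return {"href": href} if SAFE_HREF_RE.match(href) else {}
        return {}  # style, onclick, etc. are dropped on every other tag

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED_TAGS:
            self.rejected.append((tag, "tag not allowed"))
            return
        kept = self._attr_filter(tag, attrs)
        if kept is None:
            self.rejected.append((tag, "src not an inline image"))
            return
        rendered = "".join(f' {k}="{escape(v, quote=True)}"' for k, v in kept.items())
        self.out.append(f"<{tag}{rendered}>")

    def handle_endtag(self, tag):
        if tag in ALLOWED_TAGS and tag not in VOID_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        self.out.append(escape(data, quote=False))

    def handle_entityref(self, name):
        self.out.append(f"&{name};")

    def handle_charref(self, name):
        self.out.append(f"&#{name};")

    def handle_comment(self, data):
        pass  # comments dropped, like $scrubber->comment(0)


def scrub(html):
    """Return (clean_html, rejected) for one ticket body."""
    s = TicketScrubber()
    s.feed(html)
    s.close()
    return "".join(s.out), s.rejected


if __name__ == "__main__":
    # Constructed sample bodies: a pasted screenshot and a remote image pointing at RT.
    pasted = '<p>Screenshot:</p><img src="data:image/png;base64,iVBORw0KGgo=" alt="err" onerror="x">'
    remote = '<p>Look:</p><img src="http://rt.example/action?id=1">'
    for body in (pasted, remote):
        clean, rejected = scrub(body)
        print(clean, rejected)
```

The `rejected` list is the part worth wiring into logging: a ticket whose history repeatedly tries to embed remote `<img src="http://...">` tags is exactly the pattern Ruslan describes, and it is cheap to count.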