Security Threat in 3.30 STABLE - HTML in ticket preview

NC Software · Neal Culiner NC Software, Inc. Visual Basic .NET Forums 3.30.02 STABLE

Well, I thought this was fixed!!!! HTML is still showing in the ticket preview!

Ryan Lederman · 14-08-2008, 05:47 PM

The HTML rendered in the ticket preview is subject to the "Settings >> Tickets >> HTML Conversion (Rendering and Staff Alerts)" setting. Keep in mind that there is also a setting that allows certain HTML tags to pass, even if it is set to "Strip Tags." That setting is "Settings >> Mail Parser >> Valid HTML Tags"

NC Software · 14-08-2008, 05:54 PM

I thought the intent here, like tickets, was to remove HTML. Attached please find my Settings...Tickets HTML conversion settings (both set to strip tags). Below find my HTML conversion from Settings...Mail Parser.

Valid HTML tags are:

Code:

<a><b><i><u><font><hr><strong>

So why are IMG tags being allowed, i.e. why do I see images in there?

Ryan Lederman · 14-08-2008, 06:14 PM

Not sure Neal. The contents of that preview are sent through the stripHTMLTags() function, which is supposed to remove all HTML tags except for ones explicitly allowed.

If you can send me the HTML contents of that message, I will try to reproduce here.

NC Software · 14-08-2008, 06:20 PM

Ryan,

Worse - why is my TICKET showing HTML now? Is that something new?

NC Software · 14-08-2008, 06:23 PM

Here is the tbody section of the ticket in viewing the source

Ryan Lederman · 14-08-2008, 06:30 PM

I'm looking at it. It looks like the regular expressions to remove the tags might be missing some of them.

I'll keep you posted.

NC Software · 14-08-2008, 06:36 PM

But why am I showing an HTML e-mail in the ticket now? Wasn't like that before! Are we supposed to be viewing HTML in ticket views now?

Ryan Lederman · 14-08-2008, 08:21 PM

Neal, there is a bug in the "allow html tags" setting: if <i> is allowed, it erroneously matches <img>. Please remove <i> from the list and you should not see images any more.

NC Software · 14-08-2008, 08:28 PM

Ryan,

Please answer this question! Why is my ticket view now showing HTML? It has NEVER done this before!

Ryan Lederman · 14-08-2008, 08:33 PM

I just did answer it:

1. The "allow html tags" setting was non functional before this build - that is why you never saw bold, italics, etc.
2. The <i> allowed tag erroneously matches <img> and <input>.

We are working on a fix now.

NC Software · 14-08-2008, 08:39 PM

Okay, I thought we were talking about the ticket "preview" vs. the actual ticket view itself. Two separate issues. I will remove <i> from the list but that doesn't explain to me why I'm viewing an HTML e-mail in the actual ticket, NOT the ticket preview.

Ryan Lederman · 14-08-2008, 08:43 PM

You're not actually viewing a complete HTML e-mail, you're viewing the *allowed* HTML such as bold, italics, etc. The rest is stripped out.

The reason you're confused is that the "allowed tags" setting had no effect in previous versions, so the bold, etc were always stripped.

NC Software · 14-08-2008, 09:12 PM

FYI - I'm also getting HTML e-mail notifications, good or bad (alerts). Nothing wrong with it, just letting you know that seems to be new too.

Ryan Lederman · 14-08-2008, 09:28 PM

Try turning off the allowed tags. You shouldn't get ANY HTML under those circumstances.

Thread Tools	Search this Thread
Show Printable Version Email this Page	Search this Thread: Advanced Search
Display Modes
Linear Mode Switch to Hybrid Mode Switch to Threaded Mode

Similar Threads
Thread	Thread Starter	Forum	Replies	Last Post
3.30.02 STABLE Released	Ryan Lederman	News and Announcements	0	13-08-2008 10:47 PM
Ticket hover preview STILL showing HTML	NC Software	SupportSuite, eSupport and LiveResponse	9	15-05-2008 03:08 PM
Hover ticket preview a potential security threat	NC Software	SupportSuite, eSupport and LiveResponse	26	17-04-2008 11:25 PM
New Build: 3.10.02 STABLE	Ryan Lederman	News and Announcements	0	05-03-2007 09:53 PM
eSupport v2.2 Stable Released	Varun Shoor	News and Announcements	3	24-06-2004 12:39 AM

NC Software Offline Member Posts: 523 Join Date: Dec 2005 Location: Sitting	14-08-2008, 06:36 PM But why am I showing an HTML e-mail in the ticket now? Wasn't like that before! Are we supposed to be viewing HTML in ticket views now? Neal Culiner NC Software, Inc. Visual Basic .NET Forums 3.30.02 STABLE

NC Software Offline Member Posts: 523 Join Date: Dec 2005 Location: Sitting	14-08-2008, 08:28 PM Ryan, Please answer this question! Why is my ticket view now showing HTML? It has NEVER done this before! Neal Culiner NC Software, Inc. Visual Basic .NET Forums 3.30.02 STABLE

NC Software Offline Member Posts: 523 Join Date: Dec 2005 Location: Sitting	14-08-2008, 08:39 PM Okay, I thought we were talking about the ticket "preview" vs. the actual ticket view itself. Two separate issues. I will remove <i> from the list but that doesn't explain to me why I'm viewing an HTML e-mail in the actual ticket, NOT the ticket preview. Neal Culiner NC Software, Inc. Visual Basic .NET Forums 3.30.02 STABLE

NC Software Offline Member Posts: 523 Join Date: Dec 2005 Location: Sitting	14-08-2008, 09:12 PM FYI - I'm also getting HTML e-mail notifications, good or bad (alerts). Nothing wrong with it, just letting you know that seems to be new too. Neal Culiner NC Software, Inc. Visual Basic .NET Forums 3.30.02 STABLE