SupportSuite, eSupport and LiveResponse Discussion, troubleshooting and feedback related to Kayako's flagship support desk products SupportSuite, eSupport and LiveResponse.

(#1)
NC Software
Member
Posts: 568
Join Date: Dec 2005
Location: Sitting
Security Threat in 3.30 STABLE - HTML in ticket preview - 14-08-2008, 02:53 PM

Well, I thought this was fixed!!!! HTML is still showing in the ticket preview!
Attached Images
File Type: png HTML-TicketPreview.png (50.4 KB, 42 views)
   
(#2)
Ryan Lederman
Chief Operating Officer
Posts: 905
Join Date: May 2005
Location: Boise, Idaho USA
14-08-2008, 04:47 PM

The HTML rendered in the ticket preview is subject to the "Settings >> Tickets >> HTML Conversion (Rendering and Staff Alerts)" setting. Keep in mind that there is also a setting that allows certain HTML tags to pass, even if it is set to "Strip Tags." That setting is "Settings >> Mail Parser >> Valid HTML Tags"


Ryan Lederman (ryan.lederman ]at[ kayako.com)

(#3)
NC Software
14-08-2008, 04:54 PM

I thought the intent here, like tickets, was to remove HTML. Attached please find my Settings...Tickets HTML conversion settings (both set to strip tags). Below find my HTML conversion from Settings...Mail Parser.

Valid HTML tags are:

Code:
<a><b><i><u><font><hr><strong>

So why are IMG tags being allowed, i.e. why do I see images in there?
Attached Images
File Type: png HTMLConversion.png (30.3 KB, 13 views)
   
(#4)
Ryan Lederman
14-08-2008, 05:14 PM

Not sure Neal. The contents of that preview are sent through the stripHTMLTags() function, which is supposed to remove all HTML tags except for ones explicitly allowed.

If you can send me the HTML contents of that message, I will try to reproduce here.


Ryan Lederman (ryan.lederman ]at[ kayako.com)

(#5)
NC Software
14-08-2008, 05:20 PM

Ryan,

Worse - why is my TICKET showing HTML now? Is that something new?
Attached Images
File Type: png TicketHTML.png (39.4 KB, 23 views)
   
(#6)
NC Software
14-08-2008, 05:23 PM

Here is the tbody section of the ticket in viewing the source
Attached Files
File Type: txt HTMLTicket.txt (32.9 KB, 5 views)
   
(#7)
Ryan Lederman
14-08-2008, 05:30 PM

I'm looking at it. It looks like the regular expressions to remove the tags might be missing some of them.

I'll keep you posted.


Ryan Lederman (ryan.lederman ]at[ kayako.com)

(#8)
NC Software
14-08-2008, 05:36 PM

But why am I showing an HTML e-mail in the ticket now? Wasn't like that before! Are we supposed to be viewing HTML in ticket views now?
   
(#9)
Ryan Lederman
14-08-2008, 07:21 PM

Neal, there is a bug in the "allow html tags" setting: if <i> is allowed, it erroneously matches <img>. Please remove <i> from the list and you should not see images any more.


Ryan Lederman (ryan.lederman ]at[ kayako.com)

(#10)
NC Software
14-08-2008, 07:28 PM

Ryan,

Please answer this question! Why is my ticket view now showing HTML? It has NEVER done this before!
   
(#11)
Ryan Lederman
14-08-2008, 07:33 PM

I just did answer it:

1. The "allow html tags" setting was non-functional before this build - that is why you never saw bold, italics, etc.
2. The <i> allowed tag erroneously matches <img> and <input>.

We are working on a fix now.


Ryan Lederman (ryan.lederman ]at[ kayako.com)
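
The allowlist bug described in posts #9 and #11, shown as an added example that is not part of the original thread and is not Kayako's code. The function names, the prefix-matching pattern (an assumed reconstruction of how `<i>` could match `<img>` and `<input>`) and the sample HTML are all constructed for illustration.

```python
import re

# Allowlist from the thread's "Valid HTML Tags" setting.
ALLOWED = ["a", "b", "i", "u", "font", "hr", "strong"]

# Constructed sample mail body (not the message attached in the thread).
SAMPLE = '<b>Hi</b> <i>there</i> <img src="http://tracker.example/p.gif"> <input name="x">'

TAG = re.compile(r"<[^>]*>")                      # any tag-like token
NAME = re.compile(r"</?([a-zA-Z][a-zA-Z0-9]*)")   # element name inside a tag


def _strip(html, keep):
    """Delete every tag that the 'keep' pattern does not match.
    Kept tags pass through verbatim, attributes included."""
    return TAG.sub(lambda m: m.group(0) if keep.match(m.group(0)) else "", html)


def strip_tags_prefix(html, allowed=ALLOWED):
    """Assumed flawed form: an allowed name is accepted as a prefix of the tag name."""
    names = "|".join(map(re.escape, allowed))
    return _strip(html, re.compile(r"</?(?:%s)" % names, re.I))


def strip_tags_exact(html, allowed=ALLOWED):
    """Corrected form: the allowed name must end at whitespace, '/' or '>'."""
    names = "|".join(map(re.escape, allowed))
    return _strip(html, re.compile(r"</?(?:%s)(?=[\s/>])" % names, re.I))


def leaked(html, allowed=ALLOWED):
    """Element names still present in html that are not on the allowlist."""
    found = {m.group(1).lower() for m in NAME.finditer(html)}
    return sorted(found - set(allowed))


if __name__ == "__main__":
    print(leaked(strip_tags_prefix(SAMPLE)))   # tags that slip through the flawed match
    print(leaked(strip_tags_exact(SAMPLE)))    # same input, boundary-checked match
    # Workaround from post #9: drop <i> from the allowlist.
    without_i = [t for t in ALLOWED if t != "i"]
    print(leaked(strip_tags_prefix(SAMPLE, without_i), without_i))
```

The `leaked()` helper works as a regression check: run a stripper over representative mail bodies and assert that the result is empty.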

(#12)
NC Software
14-08-2008, 07:39 PM

Okay, I thought we were talking about the ticket "preview" vs. the actual ticket view itself. Two separate issues. I will remove <i> from the list but that doesn't explain to me why I'm viewing an HTML e-mail in the actual ticket, NOT the ticket preview.
   
(#13)
Ryan Lederman
14-08-2008, 07:43 PM

You're not actually viewing a complete HTML e-mail, you're viewing the *allowed* HTML such as bold, italics, etc. The rest is stripped out.

The reason you're confused is that the "allowed tags" setting had no effect in previous versions, so the bold, etc. were always stripped.


Ryan Lederman (ryan.lederman ]at[ kayako.com)

(#14)
NC Software
14-08-2008, 08:12 PM

FYI - I'm also getting HTML e-mail notifications, good or bad (alerts). Nothing wrong with it, just letting you know that seems to be new too.
   
(#15)
Ryan Lederman
14-08-2008, 08:28 PM

Try turning off the allowed tags. You shouldn't get ANY HTML under those circumstances.


Ryan Lederman (ryan.lederman ]at[ kayako.com)