SupportSuite, eSupport and LiveResponse: Discussion, troubleshooting and feedback related to Kayako's flagship support desk products SupportSuite, eSupport and LiveResponse.

Security Threat in 3.30 STABLE - HTML in ticket preview

(#1) NC Software (Member) - 14-08-2008, 03:53 PM

Well, I thought this was fixed!!!! HTML is still showing in the ticket preview!
Attached image: HTML-TicketPreview.png


Neal Culiner
NC Software, Inc.
Visual Basic .NET Forums
3.30.02 STABLE

(#2) Ryan Lederman (Chief Operating Officer) - 14-08-2008, 05:47 PM

The HTML rendered in the ticket preview is subject to the "Settings >> Tickets >> HTML Conversion (Rendering and Staff Alerts)" setting. Keep in mind that there is also a setting that allows certain HTML tags to pass, even if it is set to "Strip Tags." That setting is "Settings >> Mail Parser >> Valid HTML Tags"


Ryan Lederman (ryan.lederman ]at[ kayako.com)
----------------------------------------------------------------
---

(#3) NC Software (Member) - 14-08-2008, 05:54 PM

I thought the intent here, like tickets, was to remove HTML. Attached please find my Settings...Tickets HTML conversion settings (both set to strip tags). Below find my HTML conversion from Settings...Mail Parser.

Valid HTML tags are:

Code:
<a><b><i><u><font><hr><strong>
So why are IMG tags being allowed, i.e. why do I see images in there?
Attached image: HTMLConversion.png


(#4) Ryan Lederman (Chief Operating Officer) - 14-08-2008, 06:14 PM

Not sure Neal. The contents of that preview are sent through the stripHTMLTags() function, which is supposed to remove all HTML tags except for ones explicitly allowed.

If you can send me the HTML contents of that message, I will try to reproduce here.


(#5) NC Software (Member) - 14-08-2008, 06:20 PM

Ryan,

Worse - why is my TICKET showing HTML now? Is that something new?
Attached image: TicketHTML.png


(#6) NC Software (Member) - 14-08-2008, 06:23 PM

Here is the tbody section of the ticket in viewing the source
Attached file: HTMLTicket.txt


(#7) Ryan Lederman (Chief Operating Officer) - 14-08-2008, 06:30 PM

I'm looking at it. It looks like the regular expressions to remove the tags might be missing some of them.

I'll keep you posted.


(#8) NC Software (Member) - 14-08-2008, 06:36 PM

But why am I showing an HTML e-mail in the ticket now? Wasn't like that before! Are we supposed to be viewing HTML in ticket views now?


(#9) Ryan Lederman (Chief Operating Officer) - 14-08-2008, 08:21 PM

Neal, there is a bug in the "allow html tags" setting: if <i> is allowed, it erroneously matches <img>. Please remove <i> from the list and you should not see images any more.


(#10) NC Software (Member) - 14-08-2008, 08:28 PM

Ryan,

Please answer this question! Why is my ticket view now showing HTML? It has NEVER done this before!


(#11) Ryan Lederman (Chief Operating Officer) - 14-08-2008, 08:33 PM

I just did answer it:

1. The "allow html tags" setting was non functional before this build - that is why you never saw bold, italics, etc.
2. The <i> allowed tag erroneously matches <img> and <input>.

We are working on a fix now.


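Posts #9 and #11 above describe the failure mode: the "Valid HTML Tags" allowlist matches tag names by prefix, so allowing <i> also waves through <img> and <input>. The Python below is an added example written for this page; it is not Kayako's stripHTMLTags(), not code from the thread, and does not claim to reproduce Kayako's actual implementation. It puts a reconstruction of a prefix-matched allowlist beside an exact-match version and runs both over a constructed HTML mail body. The sample body, the function names, and the attribute policy (SAFE_ATTRS, SAFE_SCHEMES) are all assumptions made for the example; the attribute check is a practitioner's addition, since the thread only discusses tag names.

```python
import re

# Constructed HTML e-mail body standing in for what the mail parser hands to
# the ticket view; an assumption for this example, not the thread's attachment.
SAMPLE_BODY = (
    '<p>Hi, <b>please</b> see the <i>attached</i> file.</p>'
    '<img src="http://example.invalid/pixel.gif" alt="">'
    '<input type="text" value="x">'
    '<a href="http://example.invalid/" onclick="alert(1)">link</a>'
    '<a href="javascript:alert(1)">click</a>'
    '<script>alert(1)</script>'
)

# The "Valid HTML Tags" list quoted in post #3.
ALLOWED_TAGS = ['a', 'b', 'i', 'u', 'font', 'hr', 'strong']

# Group 1: "/" for a closing tag, group 2: tag name, group 3: raw attribute text.
TAG_RE = re.compile(r'<(/?)([A-Za-z][A-Za-z0-9]*)([^>]*)>')
ATTR_RE = re.compile(r'''([A-Za-z][A-Za-z0-9-]*)\s*=\s*("[^"]*"|'[^']*'|[^\s>]+)''')


def strip_tags_prefix_bug(html, allowed=ALLOWED_TAGS):
    """Reconstruction of the behaviour described in posts #9 and #11: the tag
    name is compared by prefix, so allowing <i> also passes <img> and <input>.
    Assumed illustration, not Kayako's stripHTMLTags()."""
    def keep_or_drop(m):
        name = m.group(2).lower()
        if any(name.startswith(t.lower()) for t in allowed):
            return m.group(0)          # whole tag, attributes included, passes
        return ''
    return TAG_RE.sub(keep_or_drop, html)


# Attributes an allowed tag may keep (assumed policy for the example).
SAFE_ATTRS = {'a': {'href'}, 'font': {'color', 'face', 'size'}}
SAFE_SCHEMES = ('http://', 'https://', 'mailto:')


def strip_tags_exact(html, allowed=ALLOWED_TAGS):
    """Hardened version: exact tag-name match, and allowed tags are re-emitted
    with only the attributes in SAFE_ATTRS, so an event handler or a
    javascript: URL cannot ride along on an allowed <a> or <b>."""
    allowed_set = {t.lower() for t in allowed}

    def keep_or_drop(m):
        closing, name, raw_attrs = m.group(1), m.group(2).lower(), m.group(3)
        if name not in allowed_set:
            return ''
        if closing:
            return '</%s>' % name
        kept = []
        for attr, value in ATTR_RE.findall(raw_attrs):
            attr = attr.lower()
            value = value.strip('"\'')
            if attr not in SAFE_ATTRS.get(name, set()):
                continue
            if attr == 'href' and not value.strip().lower().startswith(SAFE_SCHEMES):
                continue
            kept.append(' %s="%s"' % (attr, value.replace('"', '&quot;')))
        return '<%s%s>' % (name, ''.join(kept))
    return TAG_RE.sub(keep_or_drop, html)


def tag_names(html):
    """Sorted tag names still present in a fragment, for checking a result."""
    return sorted({m.group(2).lower() for m in TAG_RE.finditer(html)})


if __name__ == '__main__':
    print('prefix match keeps:', tag_names(strip_tags_prefix_bug(SAMPLE_BODY)))
    print('exact match keeps: ', tag_names(strip_tags_exact(SAMPLE_BODY)))
    print(strip_tags_exact(SAMPLE_BODY))
```

Under the prefix comparison this reconstruction assumes, the same defect is not limited to <i>: 'b' would also match body, base and button, and 'a' would match applet, area and audio, which is why an allowlist must compare the complete tag name. Note also that the regex-based stripper leaves the body of a removed <script> element behind as inert text; a production sanitizer should be built on a real HTML parser (for example a library such as bleach in Python) rather than on regular expressions, which is a separate point from the prefix bug the thread reports.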

(#12) NC Software (Member) - 14-08-2008, 08:39 PM

Okay, I thought we were talking about the ticket "preview" vs. the actual ticket view itself. Two separate issues. I will remove <i> from the list but that doesn't explain to me why I'm viewing an HTML e-mail in the actual ticket, NOT the ticket preview.


(#13) Ryan Lederman (Chief Operating Officer) - 14-08-2008, 08:43 PM

You're not actually viewing a complete HTML e-mail, you're viewing the *allowed* HTML such as bold, italics, etc. The rest is stripped out.

The reason you're confused is that the "allowed tags" setting had no effect in previous versions, so the bold, etc were always stripped.


(#14) NC Software (Member) - 14-08-2008, 09:12 PM

FYI - I'm also getting HTML e-mail notifications, good or bad (alerts). Nothing wrong with it, just letting you know that seems to be new too.


(#15) Ryan Lederman (Chief Operating Officer) - 14-08-2008, 09:28 PM

Try turning off the allowed tags. You shouldn't get ANY HTML under those circumstances.


Tags: 330, html, preview, stable, threat, ticket

Similar Threads
3.30.02 STABLE Released (Ryan Lederman, News and Announcements, 0 replies, 13-08-2008 10:47 PM)
Ticket hover preview STILL showing HTML (NC Software, SupportSuite, eSupport and LiveResponse, 9 replies, 15-05-2008 03:08 PM)
Hover ticket preview a potential security threat (NC Software, SupportSuite, eSupport and LiveResponse, 26 replies, 17-04-2008 11:25 PM)
New Build: 3.10.02 STABLE (Ryan Lederman, News and Announcements, 0 replies, 05-03-2007 09:53 PM)
eSupport v2.2 Stable Released (Varun Shoor, News and Announcements, 3 replies, 24-06-2004 12:39 AM)