<> brackets issue

MandMs

Hi all,

We have big difficulties with using <> brackets in our letters. Our clients receive such messages without a text we write.

We are a technological startup and need to send HTML code examples to our clients.

I saw similar OSTicket's tickets, are there is a recommendation to whitelist some tags in "HTMLLawed" lib, but... this is incorrect and a potential security breach does not solving the issue at all.

Nobody needs to whitelist any tag, because editor should not generate any tags when user writes some HTML code as text. It should convert <> to <> before sending to DB (and before sanitizing with HTMLLawed).

The only I need to whitelist should be <code> and <pre> tags if they are not whitelisted by default (why?), like tags <b>, <i>, etc..

Any special sequences are not security issues and should go without any striping out.
Maybe this is an issue of the default HTML editor? Is there any chance to switch to CKEditor/TinyMCE which can correctly encode/decode such texts with brackets?

KevinTheJedi

MandMs

You must modify the code to accomplish this. We have heavy sanitization and html balancing to avoid any possible vulnerabilities like code execution, etc.

You can look at include/class.format.php for more info.

Cheers.

MandMs

KevinTheJedi

Thanks for the answer, I will try.

But could you explain how < sequences could be a vulnerability? I just worry that OSTicket tries to sanitize it to supress some floating issue with incorrect encoding <> into <> or something like that.

KevinTheJedi

MandMs

Encoded characters are not the problem. The problem is non-encoded characters. We must render the actual HTML content when displaying the Ticket so we heavily sanitize the raw un-encoded content.

Cheers.

MandMs

KevinTheJedi
So this looks like a bug of OSTicket or its editor, or both. Because any <> charachters typed by user should be encoded by the editor and NOT being sanitized by server. Or this HTMLLaw lib sanitizes < and > sequences and this is its bug or misconfiguration.

Anyway I guess this issue should be fixed in next releases of OSTicket because unable to use all the symbols from the keyboard is a problem of OSTicket product solution, does not matter on which step in this chain is the bug.

KevinTheJedi

MandMs

As I said, we do aggressive sanitizing and balancing for HTML content. This behavior has been a part of osTicket as far as I can remember. You can modify the code to your liking if you don’t like the default behavior.

In v2.0 we should have better sanitization and balancing methods that should work better for HTML tag characters (< and >).

Cheers.