HTML tags and syntax

mrck123

Hi,
Is there any way to ignore HTML tags and commands in tickets opened, due to html tags and commands taken by osticket?
Enable Rich Text: have been disabled

KevinTheJedi

mrck123

That’s what plain text does. It doesn’t render any HTML tags (ie. ignores them). If you mean completely remove them then no, that’s not possible.

Cheers.

mrck123

so if I am not able to remove them will I not be vulnerable to HTML injection?

KevinTheJedi

mrck123

…no? It’s plain text; it’s not rendering the HTML.

Cheers.

ntozier

The system doesn't execute the HTML it tries to sanitize and store it in the database.
When you click on a ticket it tries to display it to you.
Again your browser isn't processing it because its just text.

Can you still fall victim to a bad payload? sure.
But you would have to go to the bad (payload) site in the link.