HTML signiture

andrewc

Any chance of the system accepting a users HTML signature?

Would really like this feature..

djtremors

to accept html would mean you would also be accepting javascript malicious code as well.. so upon opening the ticket, you could just as well have clicked change password and message the cross-site scripter your login details. also, embedded picture links etc would also be clickable...

I'm pretty sure thats why they striped html out... just a hunch.

andrewc

What I would like it to do is to filter all incoming emails but then allow me a HTML signiture and then send all emails out as HTML.

Its just very professional to have a nice signiture with a logo of your company in it.

timwright

Did anyone have a look at this?

I think the guys right, we would love to have the option to send pre written templates and also have our signatures sent with a bit of html.

I dont care about incoming, it's good for security but outbound it looks a bit more professional to have a company logo etc.

Kelli

There will be support for *some* HTML in the next version. Outbound messages have to be just as secure as inbound ones.

PRedmond

Can't we just strip all tags?? Are there any other 'dangerous' html tags??

PRedmond

Perhaps it is more complex than it seems, but it doesn't look too hard...

Open include/class.format.php and around line 78, find this code:

function striptags($string) {

return strip_tags(html_entity_decode($string)); //strip all tags ...no mercy!

}

The strip_tags() function is what removes the html tags. According to php.net, you can include a second parameter comprised of ALLOWABLE tags. So, if you wanted to include , and tags, you would change the above lines to:

function striptags($string) {

return strip_tags(html_entity_decode($string), '<a><img>'); //strip all tags ...no mercy!

}

It is entirely possible to add an option into the admin screen, where you can specify allowable tags. This would then allow an admin without php knowledge/access to update the allowable tags from the admin panel - much easier than opening code files!

I assume this is how it will be done in the next version...? Happy to help out with that if necessary.

xrat

Open include/class.format.php and around line 78, find this code:
function striptags($string) {
return strip_tags(html_entity_decode($string)); //strip all tags ...no mercy!
}

I recommend not to change the striptags() function because it is use all over osTicket.

I also doubt that this resolves the original problem. I am rather new to osTicket but if I'm not mistaken osTicket is sending plain text only (and I think this is a good choice). To send proper HTML one would have to change a lot.

PRedmond

True, this function is used a lot. Of course, it is used for the same thing - to remove HTML tags. By making the changes I suggested above, a user could include HTML tags in any field - perhaps not the desired outcome.

To prevent that from happening, you could copy and paste the striptags() function, and rename the copy stripMostTags(). Make the suggested changes to the new function.

Next, you need to change the code to use the new function. There are several files you may chose to do this:

- include/class.staff.php

- include/class.ticket.php

- include/class.msgtpl.php

- scp/kb.php

- scp/profile.php

I haven't really looked into whether osTicket is 'sending plain text only'... perhaps that is the case. Not really sure where this would occur... Perhaps when email is sent, it is sent as plain text, but I wouldn't have thought that would have precluded html tags? Even if that is the case, the html tags should be stored in the database, shouldn't they??

Kelli

It's a matter of more than just allowing certain HTML tags. Keep in mind that when you allow HTML, you also need to check for improperly formatted HTML, check for open tags, etc. and then fix or remove all of those occurances. If you don't, you're going to potentially seriously screw up the view ticket pages when you go to display all of that "safe" formatting code you're now allowing and if you're allowing attributes to be passed along in those tags, one could do all sorts of fun things with your CSS.

PRedmond

Hmm, that is true. So we would need a more complex function to accept HTML tags from ALL users. However, assuming that your staff are OK with HTML, and not interested in breaking things, it would be OK to use the above stripMostTags() functions in scp/profile.php to allow staff signatures to include HTML?

Alternatively, you make use of fancy bracketted tags (such as the tags used in this forum) to give users options. You would make stripTags() strip all HTML tags, and then use something like this to convert the 'special tags' into real HTML tags:

// convert into 

$html = preg_replace("", "", $html);

$html = preg_replace("", "", $html);

I guess you still have the issue of checking for properly closed tags... Would wrapping it all in < pre>< /pre> address this?

Is it possible to do something like:

$html = preg_replace("<s>**</s>...<e>**</e>", "...", $html);

???

Kelli

Hmm, that is true. So we would need a more complex function to accept HTML tags from ALL users. However, assuming that your staff are OK with HTML, and not interested in breaking things, it would be OK to use the above stripMostTags() functions in scp/profile.php to allow staff signatures to include HTML?

Yeah, sure. If you feel comfortable with it, go for it. I'm not saying it's a bad idea. Heck, it's something we're going to support soon. I'm just saying that if you're going to allow everyone to do it, there are more things to consider than just using strip_tags(), because even if you strip out scripts and solve the security issues, ill-formatted markup and in-line CSS can still muck up the way things display.

Alternatively, you make use of fancy bracketted tags (such as the tags used in this forum) to give users options.

Yep, but the only real advantage I see to this is that there are a lot of BBCode parsing functions out there already to draw from so it might be a little easier to implement securely if your regex-fu isn't all-powerful (also, the format feels a bit 'friendlier' to some users). In my personal opinion, I don't think one is necessarily better than the other.

I guess you still have the issue of checking for properly closed tags... Would wrapping it all in < pre>< /pre> address this?

Not really... besides, then you're screwing up line wrapping, too.

Is it possible to do something like:
$html = preg_replace("<s>**</s>...<e>**</e>", "...", $html);
???

Sure, but you can do the same with HTML. It's just regex matching, either way you look at it. This would be a better alternative than strip_tags() (or possibly used in conjunction with it), since it would only match on complete tag pairs. Mind you, you also have to consider nested tags and you'd want to strip out tag attributes.

The regex pattern/s for that is more than I can wrap my brain around, I'm afraid, but yeah, it could be done... Hey, I just design/build the UI. ;)

PRedmond

This is interesting: http://devzone.zend.com/article/761(http://devzone.zend.com/article/761)

Have you ever seen this in use? Is there a way to access it if PHP was NOT compiled with it??

PRedmond

Hey, check this out: http://www.bioinformatics.org/phplabware/internal_utilities/htmLawed(http://www.bioinformatics.org/phplabware/internal_utilities/htmLawed)

It does NOT need to be compiled with PHP, and it does a GREAT job fixing bad html. I have had a play, and I think it is worth considering!

peter

I know I'm late to the party - but I just want to add that the primary reasons osTicket strips HTML is to avoid XSS or/and bad HTML. We are planning on supporting sanitized HTML in the near future.

@[deleted] - I like htmLawed too!

Goosemoose

Perhaps it is more complex than it seems, but it doesn't look too hard...
Open include/class.format.php and around line 78, find this code:
function striptags($string) {
return strip_tags(html_entity_decode($string)); //strip all tags ...no mercy!
}
The strip_tags() function is what removes the html tags. According to php.net, you can include a second parameter comprised of ALLOWABLE tags. So, if you wanted to include , and tags, you would change the above lines to:
function striptags($string) {
return strip_tags(html_entity_decode($string), '<a><img>'); //strip all tags ...no mercy!
}
It is entirely possible to add an option into the admin screen, where you can specify allowable tags. This would then allow an admin without php knowledge/access to update the allowable tags from the admin panel - much easier than opening code files!
I assume this is how it will be done in the next version...? Happy to help out with that if necessary.

Unfortunately this doesn't work as the tags get converted into their entity name, i.e. <tr> instead of

luckman212

I have recently set up an osTicket 1.6ST installation and am using it with just a single customer at the moment. This customer has huge annoying HTML signatures that go out with every email and they refuse to use the web form to submit tickets, instead relying on emailing everything in.

So ALL of the tickets get created with this useless fluff at the end, as well as an "image001.png" attachment that I have to go in and manually remove with phpMyAdmin

The signatures always come in the same format (they use MS Outlook) -- but I am probably not up to the challenge of modding the php code myself. Has anyone run into a similar problem and have a solution?