We know that security is an important fact in a public helpdesk. If you like to use osTicket as a support system for software, web hosting etc. it's important that you can use the <code> tag in tickets, knowledgebase and pages with non-interpreted code. To display code correctly between the code tags it's standard to use html entities. The html entities are converted and interpreted by the osTicket sanitizing functions as running code. This will lead to e.g. <code>&lt;h1&gt;Heading 1&lt;/h1&gt;</code> being displayed as a formatted h1. Please can you help us adjust this? Any hints are really welcome.
Best regards,
Jürgen

In order to be able to write code/xml in your messages you need to disable decoding. Go here: https://github.com/osTicket/osTicket/blob/develop/include/class.format.php#L295 and change from true to false

@[deleted]01: Many thanks for the hint, but changing this line has no effect. This will only disable sanitizing while saving, but if you call the page in the frontend it's sanitized again. The problem is that osTicket has many places where the code is cleaned, stripped or sanitized. We adjusted redactor, htmlawed and js for this and now we can add classes and attributes in richtext while you are logged in as staff; clients are not allowed to edit html code. We integrated bootstrap in redactor, so you can see how the content will look. In the backend everything is fine, we see content in code tags as not rendered code. But in the frontend html entities &lt; or &gt; are converted again into < > and the code is rendered. At the moment we created a workaround by adding class "displayCode" to a code tag and executing the following javascript

    // Replace the rendered markup inside each .displayCode element with its
    // HTML source as plain text, so the browser shows the tags literally
    $('.displayCode').each(function (i) {
      $(this).text($(this).html());
    });

to convert html to plain text in the frontend. We tested the recommended change in an original version and it has no effect, because the code is sanitized by redactor, too. Any other ideas?

@[deleted] not sure what you are expecting to happen then, could you show a visual example?

[image attachments: 1a.PNG, 2a.PNG]

The suggested fix from Micke1101 worked for me - yay - this resolves my ticket "Include XML snippet in ticket response - 114673"

@[deleted]01 @[deleted] you are right, for submitting tickets via the frontend this will work. But we are looking for a solution for other pages. Any idea?

@[deleted] Glad it solved your problem :)
@[deleted] ok I've now looked around and everything seems to work except one thing.
Create tickets - Works
Create tasks - Works
Create pages - Works
Create email template - Works
Create kb category - Works
Create kb page - Works
Editing an entry in a ticket - Works
Editing Content - Does not work
The problem is that the characters are interpreted before redactor gets them. You could try something like this: https://github.com/osTicket/osTicket/blob/develop/include/class.format.php#L365
Change to:

    return htmlspecialchars( (string) preg_replace('/&(?=(lt|gt);)/', '&amp;', $var), $flags, 'UTF-8', false);
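An added example, written for this thread in plain JavaScript (runs under Node) and not code from osTicket or from any poster here. It reproduces the failure the thread describes, a sanitizing step that decodes the entities stored inside a <code> block so that "&lt;h1&gt;" comes out as a live <h1>, and puts next to it an escaper that encodes raw <, >, " and & while leaving already-encoded entities alone, which is what the fourth argument of PHP's htmlspecialchars (double_encode = false) in the suggestion above does. All function names are hypothetical and the stored sample string is constructed.

```javascript
// Added example, not osTicket's code. Contrasts a pipeline that decodes
// stored entities before output (the bug in the thread) with an escaper
// that does not double-encode (the behaviour the suggested PHP fix uses).

// Matches a well-formed named, decimal or hex entity such as &lt; &#60; &#x3c;
const ENTITY = /&(?:[a-zA-Z][a-zA-Z0-9]*|#\d+|#x[0-9a-fA-F]+);/g;

const NAMED = { lt: '<', gt: '>', amp: '&', quot: '"', apos: "'" };

// What a lossy sanitizer does: turn stored entities back into characters.
// Unknown named entities are left untouched.
function decodeEntities(s) {
  return s.replace(ENTITY, (m) => {
    const body = m.slice(1, -1);
    if (body[0] === '#') {
      const cp = body[1] === 'x' || body[1] === 'X'
        ? parseInt(body.slice(2), 16)
        : parseInt(body.slice(1), 10);
      return String.fromCodePoint(cp);
    }
    return Object.prototype.hasOwnProperty.call(NAMED, body) ? NAMED[body] : m;
  });
}

// Naive escaper: encodes every '&', so stored "&lt;" becomes "&amp;lt;" and
// the reader would see the literal text "&lt;" instead of "<".
function escapeHtml(s) {
  return s
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;');
}

// Escaper that does not double-encode: an '&' that already starts a
// well-formed entity is kept; every other '&', '<', '>' and '"' is encoded.
// Hand-written equivalent of htmlspecialchars($s, $flags, 'UTF-8', false).
function escapeHtmlNoDouble(s) {
  return s
    .replace(/&(?![a-zA-Z][a-zA-Z0-9]*;|#\d+;|#x[0-9a-fA-F]+;)/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;');
}

// Builds the markup for a <code> block from stored content.
// decodeFirst=true mimics the broken pipeline (entities decoded on output);
// decodeFirst=false escapes for output without double-encoding.
function renderCodeBlock(stored, decodeFirst) {
  const body = decodeFirst ? decodeEntities(stored) : escapeHtmlNoDouble(stored);
  return `<code>${body}</code>`;
}

// Crude check: does the emitted markup contain any tag other than the
// wrapping <code>? True means the browser will render the snippet as markup.
function containsLiveMarkup(html) {
  const inner = html.replace(/^<code>/, '').replace(/<\/code>$/, '');
  return /<[a-zA-Z\/!][^>]*>/.test(inner);
}

// Constructed sample, the same snippet the thread starts with.
const stored = '&lt;h1&gt;Heading 1&lt;/h1&gt;';
const broken = renderCodeBlock(stored, true);   // <code><h1>Heading 1</h1></code>
const fixed = renderCodeBlock(stored, false);   // <code>&lt;h1&gt;Heading 1&lt;/h1&gt;</code>

console.log('decoded on output :', broken, '-> live markup:', containsLiveMarkup(broken));
console.log('escaped on output :', fixed, '-> live markup:', containsLiveMarkup(fixed));
console.log('naive double-encode:', escapeHtml(stored));
```

The point of `escapeHtmlNoDouble` over `escapeHtml` is the same as in the PHP suggestion: content that arrives already entity-encoded from the editor must be passed through unchanged, while raw characters that slipped in elsewhere still get encoded, so the <code> block never turns into live markup on any page that renders it.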

@[deleted]01 Many thanks for your help, but it doesn't solve our problem. We have completely reworked redactor. Some features are: integrated bootstrap css for a wysiwyg preview, allowed classes and styles, using bootstrap components, don't allow clients to edit code and many more. Everything is working fine and correctly displayed in the backend as in the frontend. Except these damn code tags. That means, if we are in the backend all special characters are stored and interpreted well:

If you switch to the frontend all htmlentities in the code section are converted to characters: We created a workaround by adding class "displayCode"; all <> in the code section were overwritten in the frontend with html entities by javascript. But we would prefer to find the correct place where the entities in the frontend are converted to characters and adjust this function.

Since the changes suggested do work in osTicket 1.10 Vanilla, it must be your modifications to redactor that are causing this behaviour. Do you have a fork with the changes?

@[deleted]01 Code in <code> tags is correctly interpreted by redactor and <> are automatically changed to entities. While saving to the database html entities are changed to characters... We will check the saving process.

@[deleted]01 Many thanks for your help, your tips in combination with some modifications in redactor are delivering the correct results.
