Redactor is removing DIV with a class

Wasca · Oct 14, 2019

I'm using OsTicket v1.12.3
php v7.2.23
mysql 5.7.27

Okay, this is one is really bugging me. I'm trying to add the following to an FAQ and as soon as I swap out of the code editor it is stripping out my div.

<div class="Mso-embed-container"> 
<iframe src="https://player.vimeo.com/video/172825105" frameborder="0" allowfullscreen=""> </iframe> 
</div>

Then converts to

<iframe src="https://player.vimeo.com/video/172825105" frameborder="0" allowfullscreen=""> </iframe>

Where on earth in the code is it removing my div and custom css class?

ntozier · Oct 14, 2019

Redactor passes information off to htmlawed.
So I imagine that you would want to edit the htmlawed config.
include/htmLawed.php

Wasca · Oct 14, 2019

@ntozier thanks mate, I'll check it out.

Wasca · Oct 14, 2019

@ntozier the html is being removed as soon at I click the HTML button. Refer attached image. It's seems to be javascript code that is stripping it.

KevinTheJedi · Oct 15, 2019

@Wasca

There is only a very small amount of tags/styling allowed in the Redactor (I would assume they made it that way for security reasons but who knows). If you want to change this behavior you can customize the code. Redactor used to have options like allowedTags and allowedAttr so that you could allow whatever you want but it doesn't appear they have that anymore when they went Closed Source. You will have to scan through their documentation to see if there is a solution:

https://imperavi.com/redactor/docs/

Once you get past that hurdle, you will need to allow the same tags/attributes/styling in the osTicket sanitization method as well:

https://github.com/osTicket/osTicket/blob/develop/include/class.format.php#L288-L331

*Note:*
Be VERY careful of what you allow as you might open yourself up to XSS attacks or alike.

Cheers.

Wasca · Oct 17, 2019

Thanks KevinTheJedi

Does this code affect FAQ's? I thought it was for tickets.

https://github.com/osTicket/osTicket/blob/develop/include/class.format.php#L288-L331

For the life of me, I can't see any where in the code where it removes <div> or excludes the use of the "class" attribute.

Can anyone else see it?

KevinTheJedi · Oct 17, 2019

@Wasca

That code affects anything being sanitized by Format::sanitize() (which FAQ content is sanitized by this method). The redactor code is what you're looking for and unfortunately, we use the minified version. SO you will have to find the un-minified version on the web, put that in osTicket, change all the minified references to un-minified file, and edit that to do what you're looking for. After that, you can allow the same stuff in the safe_html method otherwise when you save the FAQ it'll do the same thing.

Cheers.