HTML tags are getting stripped: Page 2

HTML tags are getting stripped

ramrajone

rsclmumbai
again not best security practice, but I think you can, I am not sure maybe DevTeam can confirm @KevinTheJedi

https://github.com/osTicket/osTicket/blob/develop/include/class.format.php#L338-L347
Line: 345
function sanitize($text, $striptags=false, $spec=false)

rsclmumbai

Already done that. My code looks like this:
` function sanitize($text, $striptags=false, $spec=false) {

    //balance and neutralize unsafe tags.
    //$text = Format::safe_html($text, array('spec' => $spec));
    //above line commented on 2020-02-05 to avoid stripping of <111111>
    $text = self::localizeInlineImages($text);

    //If requested - strip tags with decoding disabled.
    return $striptags?Format::striptags($text, false):$text;
}`

This is working fine but only for text/html emails.

If I get an email with content-type = text/plain, then the <xxx> is still stripping.

Read my response here:

https://github.com/osTicket/osTicket/issues/5368

Cheers.

rsclmumbai

Thanks @KevinTheJedi -- it worked.

File: include/class.thread.php

inside the class:
class TextThreadEntryBody extends ThreadEntryBody {
I commented the following code:

function getClean() {
        return Format::htmlchars(Format::html_balance(Format::stripEmptyLines(parent::getClean())));
    }

Hope it helps others looking for a similar solution.

Happy weekend!!

KevinTheJedi

@rsclmumbai

I hope no one else implements this as it’s a security risk. This does not open you to XSS attacks only, people can use XSS to start different, more serious attacks or possibly execute a different attack altogether. Just all around not a good idea. I understand your use case and such but really not a good idea from security standpoint.

At some point in the future we hope to implement code blocks or something similar to say “Don’t sanitize/balance content inside this block of code”. This will alleviate most of these types of issues. This is not set in stone, just on our feature request list.

Cheers.

rsclmumbai

Thanks @KevinTheJedi
I totally agree with you. I'm able to take this risk since we are using OSTicket strictly internally.
Nevertheless, I hope to see the Don't Sanitize..... feature in the future releases.
Thanks for the awesome helpdesk system & superb support!!

KevinTheJedi

rsclmumbai

This is slated for v2.0 when we have better sanitization, etc.

Cheers.

ChrisAnders

@KevinTheJedi was there ever any progress on this? I know it was a couple of years ago now...

asmith3006

Is there anything we can do now on this? We use our osTicket for a tech support help desk so often emails contain snippets of HTML or XML which all get stripped out.

Surely encoding < as < and > as > would resolve this problem? then it would be displayed rather than rendered?

I appreciate this is coming in v2, but (correct me if I'm wrong?) we don't know when that's coming.

KevinTheJedi

asmith3006

You can modify the codebase but you’ll likely open yourself up to XSS and similar attacks. Proceed at your own risk.

Cheers.

« Previous Page