Hi there,
My config:
osTicket Version v1.14.1 (f1e9e88) — Up to date
Web Server Software Apache/2.4.39 (Win64) OpenSSL/1.1.1c PHP/7.3.7
MySQL Version 10.3.16
PHP Version 7.3.7
The Problem
This thread is regarding the following options:
Allow System iFrame: (a)
Embedded Domain Whitelist: (b)
My understanding is following:
- The first option (a) will define the domains (other than 'self') from where a posted iframe can be accessed. So if for instance a YouTube video is embedded in the FAQ, it won't be accessible from a foreign domain unless it is in this list.
- The second option (b) will define the pool of domains the source of an iframe has to be part of in order to be posted. By default it's set to youtube.com, dailymotion.com, vimeo.com, player.vimeo.com, web.microsoftstream.com.
I added my own domain to (b), but the iframe tag still gets stripped as mentioned in numerous posts from older versions of osTicket. There is no way to put an IP range here to eliminate DC/DNS related problems, which makes it more difficult to pinpoint the origin of the problem.
I took a look at the code, and managed to solve the problem for my local domain:
The function safe_html($html, $options=array()) in class.format.php comes with an if condition (added together with options (a) and (b)). The if condition goes as follows:
if (!empty($whitelist)) {
$config['elements'] = '*+iframe';
$config['spec'] = 'iframe=-*,height,width,type,style,src(match="`^(https?:)?//(www\.)?('
.implode('|', $whitelist).')/?`i"),frameborder'.($options['spec'] ? '; '.$options['spec'] : '').',allowfullscreen';
}
The problem is that the domains written in the Embedded Domain Whitelist will be manipulated in a way that is only appropriate for https:// platforms.
If one was to write myCompanyDomain.myCountryDomain, the condition will not add http://myCompanyDomain.myCountryDomain, as you can see above if you are wicked enough to read regular expressions like you'd read a novel.
Of course, if you are working on your own domain, maybe you are not using an SSL certificate, or you haven't even deployed a DNS server.
Changing https to http in the regular expression does the trick BUT will let you contact the already given list without an SSL certificate. So, if you want to work properly, you should use a bigger regular expression that regroups all cases. Sooooo...
- To be able to add an IP src like A.B.C.D/..., you should add this alternative to the host group of the regular expression (the dots escaped, so they only match a literal dot):
|A\.B\.C\.D
- To be able to use your domain name myCompanyDomain.myCountryDomain/..., you should add:
|myCompanyDomain\.myCountryDomain
So the function becomes (if you added both; the (https?:)? prefix at the front already accepts both http: and https:, so it stays shared by the whole host group):
if (!empty($whitelist)) {
    $config['elements'] = '*+iframe';
    // host group: optional www. + whitelist entries, or the IP, or the company domain
    $config['spec'] = 'iframe=-*,height,width,type,style,src(match="`^(https?:)?//((www\.)?('
        .implode('|', $whitelist).')|A\.B\.C\.D|myCompanyDomain\.myCountryDomain)/?`i"),frameborder'.($options['spec'] ? '; '.$options['spec'] : '').',allowfullscreen';
}
NB: Use relative paths! If you deployed the osTicket root in myCompanyDomain.myCountryDomain, and there you have a folder /media with all your videos, add only |myCompanyDomain\.myCountryDomain to the host group, and use src="../media/aVideo.mp4" as source.
To the Devs: if you could implement this in the whitelist field it would be cool. Or put another field for IPs or local domains reachable without SSL. I suppose the type cs-domain is used in other places so you cannot change the casting conditions. Maybe creating a new type and a new field would be the easiest.
Cheers,
Chris
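Added example (editor's code, not part of Chris's post and not osTicket's own code): a small Python script that rebuilds the iframe src match pattern in the same shape as the htmLawed spec quoted above and checks sample src values against it. It assumes that htmLawed applies the match pattern with a plain preg_match and adds no anchoring of its own (Python's re behaves the same as PCRE for this pattern). The host values 10.0.0.5 and intranet.example are hypothetical stand-ins for the post's A.B.C.D and myCompanyDomain.myCountryDomain; all src values are constructed. Besides reproducing the pattern as posted, the script builds a hardened variant that escapes the dots in each whitelist entry and requires the host to be followed by "/", "?", "#" or the end of the value, which is what you would want before letting an iframe point at a local server.

```python
import re

# Constructed sample data: the default whitelist quoted in the post, plus two
# hypothetical entries standing in for the author's A.B.C.D and company domain.
DEFAULT_WHITELIST = ["youtube.com", "dailymotion.com", "vimeo.com",
                     "player.vimeo.com", "web.microsoftstream.com"]
EXTRA_HOSTS = ["10.0.0.5", "intranet.example"]  # hypothetical values


def build_src_pattern(hosts, escape=False, anchored=False):
    """Build the iframe src match regex in the shape of the post's htmLawed spec.

    escape=False, anchored=False reproduces the pattern as the post shows it:
    hosts joined with '|' verbatim and only an optional '/' after the host.
    escape=True quotes regex metacharacters so '.' is a literal dot, and
    anchored=True requires '/', '?', '#' or end of value right after the host,
    so a whitelisted name cannot be merely the prefix of a longer host name.
    """
    alternatives = "|".join(re.escape(h) if escape else h for h in hosts)
    tail = r"(?:[/?#]|$)" if anchored else r"/?"
    # (https?:)? already accepts http:, https: and protocol-relative '//' sources;
    # re.IGNORECASE mirrors the trailing `i modifier in the spec.
    return re.compile(rf"^(https?:)?//(www\.)?({alternatives}){tail}", re.IGNORECASE)


def iframe_src_allowed(src, pattern):
    """True when this src value would pass the given match pattern."""
    return pattern.match(src) is not None


def classify(srcs, hosts):
    """Evaluate each src against the post's pattern and the hardened variant.

    Returns {src: (allowed_by_post_pattern, allowed_by_hardened_pattern)}.
    """
    loose = build_src_pattern(hosts)
    strict = build_src_pattern(hosts, escape=True, anchored=True)
    return {s: (iframe_src_allowed(s, loose), iframe_src_allowed(s, strict))
            for s in srcs}


if __name__ == "__main__":
    SAMPLE_SRCS = [  # constructed test values
        "https://www.youtube.com/embed/abc",
        "http://youtube.com/embed/abc",
        "//player.vimeo.com/video/1",
        "http://10.0.0.5/media/aVideo.mp4",
        "https://intranet.example/media/aVideo.mp4",
        "https://youtube.com.example.net/embed/abc",
        "https://youtubeXcom/embed/abc",
        "https://example.net/youtube.com/",
    ]
    results = classify(SAMPLE_SRCS, DEFAULT_WHITELIST + EXTRA_HOSTS)
    for src, (loose_ok, strict_ok) in results.items():
        print(f"{src:45} post pattern: {loose_ok!s:5} hardened: {strict_ok}")
```

Running it shows that plain http: and protocol-relative // sources for whitelisted hosts already pass the posted pattern, that the IP and the local domain pass once they are in the host group, and that the two variants differ only on hosts that merely start with a whitelisted name or that exploit the unescaped dot; the hardened variant is the one to carry over into the PHP spec if you add local hosts.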