ImproveRichTextHandling

From Request Tracker Wiki
Revision as of 16:11, 6 April 2016 by Admin (7 revisions imported)

I have several issues with the rich text handling of RT 3.8.8. A rich text email looks quite different on the Display page than on the Update page. For example, colored text is only shown when updating a ticket. Part of the reason is that the HTML scrubber for the Display view uses different scrubbing rules from those applied when the content of a transaction is quoted for the Update view. Unclosed tags can mess up an entire ticket in the Display view, but these tags are closed when the content is quoted and sent to Update. This article is dedicated to improving rich text handling in RT.

(Please note - allowing tables through in HTML emails allows you to do malicious things to RT's ticket history display. Similarly, unilaterally allowing styles opens you up to attacks.)
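
The caution above is about letting markup through unconditionally. As an added example (not part of the original article and not RT's shipped rules), this Perl script uses the HTML::Scrubber CPAN module to compare attributes allowed with a bare `1` against the same attributes allowed only when the value matches a pattern. The tag list, the patterns and the sample markup are assumptions made for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use HTML::Scrubber;

# Tags allowed through (assumed subset, written in lower case).
my @tags = qw[p b i font ul ol li blockquote];

# Permissive rules: a bare 1 lets any value of the attribute through.
my %any_value = ( '*' => 0, color => 1, align => 1, type => 1 );

# Constrained rules: a regex keeps the attribute only when its value matches.
# The patterns are assumptions, not rules taken from RT.
my %checked_value = (
    '*'   => 0,
    color => qr{\A(?:#[0-9a-f]{3}|#[0-9a-f]{6}|[a-z]{3,20})\z}i,
    align => qr{\A(?:left|right|center|justify)\z}i,
    type  => qr{\A(?:1|a|i|disc|circle|square)\z}i,
);

# Build a scrubber that denies unknown tags and applies the given
# attribute rules to every allowed tag.
sub build_scrubber {
    my ($attr_rules) = @_;
    my $scrubber = HTML::Scrubber->new;
    $scrubber->default( 0, $attr_rules );
    $scrubber->allow(@tags);
    return $scrubber;
}

# Constructed sample mail body: well-formed values next to values that do
# not belong in these attributes, plus one attribute that is not listed.
my $html = join "\n",
    '<p align="center"><font color="#cc0000">urgent</font></p>',
    '<p align="center; anything else"><font color="url(x)">odd</font></p>',
    '<ol type="a"><li style="position:absolute">item</li></ol>';

# Scrub the same input under both rule sets and print the results.
for my $case ( [ 'bare 1' => \%any_value ], [ 'value patterns' => \%checked_value ] ) {
    my ( $label, $rules ) = @$case;
    print "--- $label ---\n", build_scrubber($rules)->scrub($html), "\n";
}
```

Comparing the two outputs shows which attribute values survive only because no pattern was applied to them.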

ScrubHTML:

$ diff /usr/share/request-tracker3.8/html/Elements/ScrubHTML html/Elements/ScrubHTML
63a64,66
>         color  => 1,
>         type   => 1,
>         align  => 1,
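Review bot: `color`, `type` and `align` are each enabled with a bare `1` in the lines added at 64-66, so no value pattern is applied to any of them. Suggest giving each one a value pattern instead, for example a hex-or-name pattern for `color` and a fixed set (left, right, center, justify) for `align`. A short comment saying which tags each attribute is meant for would also help, since nothing in the hunk limits them to particular tags.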
68c71
<     qw[A B U P BR I HR BR SMALL EM FONT SPAN STRONG SUB SUP STRIKE H1 H2 H3 H4 H5 H6 DIV UL OL LI DL DT DD PRE]
---
>     qw[A B U P BR I HR BR SMALL EM FONT SPAN STRONG SUB SUP STRIKE H1 H2 H3 H4 H5 H6 DIV UL OL LI DL DT DD PRE BLOCKQUOTE TABLE TBODY TR TH TD]
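Review bot: the replacement `qw[...]` list at line 71 adds `TABLE TBODY TR TH TD` with no accompanying restriction, which is the case the page's own note warns about (tables in HTML mail can be used against the ticket history display). Suggest splitting the change: add `BLOCKQUOTE` on its own, and put the table tags behind a site option or leave them out until the display side can contain them. Separately, `BR` appears twice in the list on both sides of the change; the duplicate can be dropped while the line is being touched.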


(more to come later)