-
Notifications
You must be signed in to change notification settings - Fork 1.6k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
< symbol Truncate the remaining text #3791
Comments
< and > are reserved HTML tag characters. Using them triggers the WYSIWYG editor and HTMLawed into thinking that it is an HTML tag. Invalid ones, and some specific ones are stripped. It sounds to me like you are running into the that. |
Hello @ntozier, Yes you're correct. Is there's a way to make those symbols work when posting an update on the ticket? Thank you, |
Not that I know of. You could try dropping to the code view in the editor and use < and >. |
Hello @ntozier, Thank you for your response, I appreciate it. Thank you, |
Hi Guys, Can you help me on this? Thank you, |
Hi @ntozier The problem is not with the editor, it correctly converts "less than" symbols to the html entity. Emails from clients are also affected, everything on a line following a "<" is stripped, when the character should just be escaped. The problem actually occurs in class.format.php when (by default) Format::safe_html decodes these entities back to "<" before running the input through HtmLawed. Entities are already sanitized right? Yet the comments in safe_html seem to consider My fix was to edit FORMAT::sanitize on line 340 and add 'decode'=>false to the options. Am I missing something? Have I opened myself up to XSS? Thanks |
Thanks for the fix. Works for me, it was causing real problems when we replied with formulas. |
+1 for a fix. This cannot possibly be expected/intended behavior. The only time a Edit: If I find some time I will test the fix provided by @bhspiers and see if I can get XSS through. |
This is an issue for me too, although it happens with more characters than just the |
Cheers. |
@JediKev Thanks a lot for the response! |
this is still not fixed in master, but it works! |
If you use the WYSIWYG editor, you expect the editor to treat the < as a literal < and not as a HTML opening tag. |
Still an issue in v12 and our CSR staff do not enjoy their carefully written messages being unexpectedly truncated. I feel like this should be a pretty high priority for core team to have fixed in release versions. Thank you @bhspiers for finding a patch. |
I will refer you to this comment above: We appreciate the feedback and this is something that’s on our list to address in future versions. Cheers. |
Thank you for the reply @JediKev - but if my editor is set in WYSIWYG mode (not HTML editing mode), shouldn't it be converting the "<" to Or am I overlooking an expectation that someone might be typing HTML tags into the WYSIWYG mode of the editor and expecting them to be rendered as HTML output? One edge case I can think of would be copying and pasting HTML-formatted text into the WYSIWYG editor, but this issue is about the core/normal functionality. |
@JediKev, While it does strip random single '<' characters, it seems full tags like are passed through just fine, which can really. In either case, even switching to the code view (which does encode the characters as displayed) and submitting they end up passed straight through as normal characters. It also apparently allows clients to reply and embed iframes into their ticket updates, is this intentional? |
We use HTMLawed with specific configs (and other methods) to sanitize the content to "make HTML safe". This removes most tags but some are allowed like To answer @knels question of Cheers. |
Just had an user that sent a paste from a compilation error: nearly useless since #includes have had their "target" removed. Text from WYSIWYG editor should stay WYSIWYG: if you enter HTML code, it's OK to escape it so it gets shown as source. If you switch to HTML mode, then you should be able to use some tags, and text should not be automatically escaped. Please just apply the "less surprise" principle. |
Same problem with subject of internal notes. |
I "fixed" the problem with less-than in internal note titles changing line 343 of class.format.php to: |
We run into the same problem and applied the same fix: to disable 'balance' in the This is really a show-stopper for us: we often use the "less-than" character in replies to customers. It also seems logical to me that anything entered in the WYSIWYG-editor should NOT be interpreted as HTML. |
That patch does have a nasty side effect: HTML replies usually get truncated with an open 'div' tag (sometimes a 'p' one, too) and that messes the layout of the web interface.
|
To give an example of the issue that @NdK73 is referencing, see this image: https://www.dropbox.com/s/qwvhm7qhtc6lizc/osTicket-problem.png?dl=0 |
That’s why we strip the tags...we have plans to eventually allow code in code blocks that will be escaped etc. so please stay tuned. Cheers. |
The problem is that we deal with Emails that are HTML. The tags there do not need escaping otherwise the email will not render properly in the Ticket view. With this in mind, how do you determine what to render and what to escape? The solution is more often than not to allow code but only in a code block or something similar so we know that the code in the block needs escaping, the rest needs to be rendered to look like the actual email that was sent. Cheers. |
Nope: you can't trust the users to use codeblocks: they'll just paste code / error messages! |
It's not that simple though...you have to think about the cases where you want to send HTML code to a User but not have it rendered as normal text. Since the code is HTML it will see it as email content and not escape it causing it to be rendered. You need a code-block to say "this text specifically is code that should be escaped". Anyways, you're not wrong though. It will most likely be a combination of multiple things such as code blocks and whitelisted/blacklisted tags (which Cheers. |
There are two different flows: when receiving I have to accept "everything" (even possibly malformed/malicious contents), when sending I must send well-formed and clean code. If I'm generating HTML code, then I first have to htmlencode() everything the operator enters in the textarea. As operator, I expect that if I paste a HTML snippet the receiver will see it uninterpreted ("you have to use <div> </div> to apply this css" -- btw I've had to manually escape this example to have it rendered correctly here on github!). |
|
For a partial solution (only addressing web inputs), you can have a look at https://www.froala.com/online-html-editor : it automatically encodes entered entities as soon as the user enters them. The downside is that operators and users are constrained to the "buttonized" tags... But is it really a downside? Another interesting editor can be http://wymeditor.github.io -- it follows the "What You See Is What You Mean" paradigm. Probably worth having a look. |
Hi all, to prevent the responses/notes from being truncated after "<" symbol, we have tried a workaround to replace automatically < and > with < >
|
I've not quite been able to find out the security risks of doing a fix like this, or the one mentioned by @bhspiers. Does anyone know? We often send code snippets containing html characters as part of our support tasks, and often we need to write "Whoops, sorry, our support system mangled the code, here it is as an attachment instead" – quite embarrassing. @JediKev Now that it's 2021, any updates on this? |
Allowing code within code-blocks is on our Feature Request list. This will most likely come to life in v2.0 (currently in development - no set/expected release date atm). Cheers. |
Is there yet progress on this rather old issue? We just steped into this bug which led to some big confusion on the client side why we sent his quote "some text from client" without any comment/reaction from our side. |
Hello All,
I have encountered a bug when posting a reply on a ticket when using a "<" symbol. When there is a "<" symbol on the ticket body, it will cut the remaining text. Here is a sample reply that i did.
My Response:
_Hi Kamran,
Alright. The threshold has been set to 10% so any printer that hits the toner level <10%, we should get notified. We'll handle this for you so you won't get bombarded by these notifications. So far, these are the ones we received.
adsii-dc2\T5 PrinterBlack: 8%
adsii-dc2\T5 ScannerBlack: 8%
Thank you!_
After Posting the update on the ticket:
_Hi Kamran,
Alright. The threshold has been set to 10% so any printer that hits the toner level
adsii-dc2\T5 PrinterBlack: 8%
adsii-dc2\T5 ScannerBlack: 8%
Thank you!_
Can you guys help me to modify the code to access that symbol? Any help will be much appreciated.
Server Information
osTicket Version ----------> v1.10 (901e5ea) — Up to date
Web Server Software -----> Microsoft-IIS/8.5
MySQL Version -----------> 5.7.17
PHP Version --------------> 7.0.15
Thank you,
Alfie
The text was updated successfully, but these errors were encountered: