I found a UI bug on one particular ticket – basically the div.footer was appearing inside the div.body instead of after it. It looks like the reason for this is that some HTML in a mail had an extra closing div, so this caused the rest of the page structure to get mangled.
I haven’t dug super deep into this yet so take my analysis with a grain of salt, but I can see that no iframe is used to display HTML from a mail, and so I’m questioning how safe this is. I would expect there to be some safeguards to prevent untrusted user input from breaking the page. Does anyone know what strategies are employed to mitigate this as a security issue?
I have learned a few more things! iframes would not make sense here because the height needs to be dynamic. It seems that RT uses HTML::Scrubber to sanitize email HTML for display in the UI. When I load the ticket that contains the issue, I see a number of log messages from HTML::Scrubber in this form:
 [Fri Feb 3 13:22:40 2023] [warning]: Use of uninitialized value in pattern match (m//) at /usr/local/lib/perl5/site_perl/5.36.0/HTML/Scrubber.pm line 223. (/usr/local/lib/perl5/site_perl/5.36.0/HTML/Scrubber.pm:223)
This references this line in the uncompiled source code of Scrubber:
I’m still learning Perl, but I wonder if this smells like a bug to anyone else… They could be unrelated issues, but the coincidence is curious.