Html only message do not display in RT

Using RT 3.0.6, Apache 1.3.28.

If a single part html message arrives, RT does not display the body of
that message in the ticket. Even something as simple as the following
will not display:

Date: Tue, 9 Dec 2003 10:00:00 -0700
From: “Michael Richards” michael@emdee.net
Subject: Blank Body Test
Content-Type: text/html

this is a test… this is only a test…
.

> Using RT 3.0.6, Apache 1.3.28.
>
> If a single part html message arrives, RT does not display the body of
> that message in the ticket. Even something as simple as the following
> will not display:

Displaying html content inline opens us up to cross-site scripting
attacks. A malicious end-user could send in mail which contained
javascript which resolved all your tickets and then sent out spam to
each and every one of them using RT. If you click on the link to the
right, you can download the html message marked as plain text.

RT 3.0.7 has a better message when this happens.

-j

Request Tracker — Best Practical Solutions – Trouble Ticketing. Free.

Jesse Vincent wrote:

> > Using RT 3.0.6, Apache 1.3.28.
> >
> > If a single part html message arrives, RT does not display the body of
> > that message in the ticket. Even something as simple as the following
> > will not display:
>
> Displaying html content inline opens us up to cross-site scripting
> attacks. A malicious end-user could send in mail which contained
> javascript which resolved all your tickets and then sent out spam to
> each and every one of them using RT. If you click on the link to the
> right, you can download the html message marked as plain text.
>
> RT 3.0.7 has a better message when this happens.

Hello, Jesse and Michael.

I’ve posted a simple patch that uses HTML::Scrubber to convert HTML to
plain text. It’s usable and could be changed to produce HTML scrubbed
of JS or other active objects.

I can make this patch nicer if you agree to merge it; otherwise
it’s enough for our users.

Patch attached.
Best regards. Ruslan.

rt3.html_display.patch (2.46 KB)

> I’ve posted a simple patch that uses HTML::Scrubber to convert HTML to
> plain text. It’s usable and could be changed to produce HTML scrubbed
> of JS or other active objects.
>
> I can make this patch nicer if you agree to merge it; otherwise
> it’s enough for our users.

I’ll take a patch that produces a “simple” plain text version of html
mail for RT 3.1. Producing scrubbed html still has the possibility of a
malicious end user writing html which mimics the rest of RT’s user
interface to its own evil ends.


“JV” == Jesse Vincent jesse@bestpractical.com writes:

JV> I’ll take a patch that produces a “simple” plain text version of html
JV> mail for RT 3.1. Producing scrubbed html still has the possibility of a
JV> malicious end user writing html which mimics the rest of RT’s user
JV> interface to its own evil ends.

I have two versions. One written using HTML::Parser and
HTML::PrettyPrint, and the other using IPC::Run with w3m as an
external program. The former does not handle tables, which I really
needed for my application, thus the second version was written.
Neither will preserve links, which I think is OK for the email
notice. (Well, technically, I have another script to stick in front of
calling w3m that makes footnoted links in the text version, but that
is written in ruby, and may be fragile).

I’ll be glad to donate either/both to RT.

Vivek Khera, Ph.D. Khera Communications, Inc.
Internet: khera@kciLink.com Rockville, MD +1-240-453-8497
AIM: vivekkhera Y!: vivek_khera http://www.khera.org/~vivek/
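
One way to produce the “simple” plain text version discussed in this thread, as an added example in Perl rather than code from the patch or scripts the posters mention. It assumes HTML::Parser (which ships HTML::Entities) is installed; the sample mail body is constructed, and the function names html_to_text and text_for_display are hypothetical.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use HTML::Parser ();
use HTML::Entities qw(encode_entities);

# Elements whose start or end tag should break the line in the text version.
my %BLOCK = map { $_ => 1 } qw(p div br li tr table pre blockquote h1 h2 h3 h4);

# Reduce an HTML mail body to plain text. Tags are dropped, never passed on.
sub html_to_text {
    my ($html) = @_;
    my $out   = '';
    my $break = sub { $out .= "\n" if $BLOCK{ $_[0] } };
    my $p     = HTML::Parser->new(
        api_version => 3,
        text_h      => [ sub { $out .= $_[0] }, 'dtext' ],    # entities decoded
        start_h     => [ $break, 'tagname' ],
        end_h       => [ $break, 'tagname' ],
    );
    # Skip these elements together with everything between their tags.
    $p->ignore_elements(qw(script style));
    $p->parse($html);
    $p->eof;
    $out =~ s/[ \t\r]+/ /g;      # collapse runs of spaces
    $out =~ s/^ +| +$//mg;       # trim each line
    $out =~ s/\n{3,}/\n\n/g;     # at most one blank line in a row
    $out =~ s/\A\n+|\n+\z//g;    # no leading or trailing blank space
    return $out;
}

# The decoded text can contain '<' again (sent as &lt;), so escape it before
# it goes into the ticket page.
sub text_for_display {
    my ($html) = @_;
    return '<pre>' . encode_entities( html_to_text($html), '<>&"' ) . '</pre>';
}

# Constructed sample body, not taken from a real message.
my $mail_body = <<'HTML';
<html><head><style>p { color: red }</style></head><body>
<p>this is a test... this is only a test...</p>
<script>/* stand-in for active content */</script>
<div class="ticket-actions"><a href="http://example.invalid/">Resolve</a></div>
<p>&lt;script&gt;sent as entities&lt;/script&gt;</p>
</body></html>
HTML

print text_for_display($mail_body), "\n";
```

Like the HTML::Parser version described above, this does not lay out tables or preserve link targets; the link survives only as its text.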

I went with striphtml since it won’t remove attachments like stripmime
does.
It also sits between sendmail and RT so you don’t need to mod RT. To use it,
change your sendmail alias to something like

"|striphtmlemail.pl|/opt/rt3/bin/rt-mailgate --queue general --action correspond --url http://localhost/"

and it’s set to go.
Our company’s programmer made a few changes to remove a few extra characters.
But it still isn’t perfect: it can’t remove blank lines, so messages
have large amounts of blank space before the actual text.

Jarrod Flanders
A+, Network+
Computer Technician
Burrelles Information Services, LLC

From: jesse [mailto:jesse@bestpractical.com]
Sent: Tuesday, December 09, 2003 1:08 PM
To: cubic
Cc: michael; rt-users
Subject: Re: [rt-users] html only message do not display in RT

> I’ve posted a simple patch that uses HTML::Scrubber to convert HTML to
> plain text. It’s usable and could be changed to produce HTML scrubbed
> of JS or other active objects.
>
> I can make this patch nicer if you agree to merge it; otherwise
> it’s enough for our users.

I’ll take a patch that produces a “simple” plain text version of html
mail for RT 3.1. Producing scrubbed html still has the possibility of a
malicious end user writing html which mimics the rest of RT’s user
interface to its own evil ends.

rt-users mailing list
rt-users@lists.fsck.com
http://lists.fsck.com/mailman/listinfo/rt-users

Have you read the FAQ? The RT FAQ Manager lives at
http://fsck.com/rtfm