Ticket updates adding superfluous comments

Recently multiple users have had the complaint that using the ticket updates (Update.html and ModifyAll.html) results in comments or correspondence being added to the ticket history (containing just their signature), even though they didn’t type anything in the message box. I traced the behavior to RT::Interface::Web::StripContent. This method escapes the HTML in the user’s signature, then compares it with the messagebox content. But the messagebox content itself is not escaped, and I don’t know how it would have been in the past either.

I’m rather puzzled because the users say this used to be working just a few days ago and I really can’t see anything that might have changed locally.

Has anyone else been having this problem?

As far as I can tell, StripContent never would have worked when the messagebox content and the user’s signature (from their settings) are both html-formatted. I still don’t know why this wasn’t a problem for my users until now. With this addition to StripContent, it now works correctly.

@@ -1291,6 +40,19 @@
     # Check for plaintext sig
     return '' if not $html and $content =~ /^(--)?\Q$sig\E$/;
 
+    # html-formatted sig. Entities are already escaped (other than the actual
+    # html tags), need to strip html whitespace, and "--" is its own
+    # paragraph.
+    if ( $html ) {
+        # remove html version of spaces and newlines
+        $sig =~ s! !!g;
+        $sig =~ s!<br/?>!!g;
+    }
+    return '' if $html and $content =~ m{^(?:<p>)?(--)?(?:</p>)?\Q$sig\E$}s;
+
+    # As far as I can tell, this below only catches the combination of
+    # html-formatted $content, and plaintext $sig.
+
     # Check for html-formatted sig; we don't use EscapeHTML here
     # because we want to precisely match the escapting that FCKEditor
     # uses.
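
Review bot: the two substitutions inside the "if ( $html )" block rewrite $sig in place, and nothing in the hunk applies the same stripping to $content, so the new match compares a signature with its spaces and <br> tags removed against content that may still contain them. The existing "Check for html-formatted sig" code that follows will also see the altered $sig whenever $html is set. Consider working on copies (for example "my $sig_cmp = $sig;" plus a copy of $content normalised the same way) and running the new regex on those. As shown, "s! !!g" removes every plain space; if an HTML entity was intended, the pattern should spell it out. Also, "<br/?>" will not match "<br />" written with a space before the slash.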

Diving into the issue of html signatures, I see they were only implemented in 5.0.3 (Allow HTML signatures · bestpractical/rt@f80550c · GitHub) but we’ve been running that since last August, so I’m still baffled.

Perhaps the users have only recently added HTML signatures in their profiles?