HTML code in ticket opened via email not showing

[Wilson Mattos]

Hi all,

If a user submits sample HTML code when they open a ticket via email the code does not show up at all in the ticket. My workaround is to go look at the email to see that code, but this is painful as it is not always clear something is missing from the ticket.

Anyone know how to fix this?

I imagine this is a security feature to try and eliminate XSS attacks, but would it not be better to just covert < into &lt ; for example so the browser displays the code instead of interpreting it?

Thanks,

Wil

[masino_sinaga]

I know, this is STRONGLY NOT RECOMMENDED, but please try this modification. After you modify it, then you have to enclose your snipped code by using [ CODE ] and [ /CODE ] tag (without space):

Open your \include\class.format.php, and find this code:

PHP Code:

    //Format text for display..
    function display($text) {
        global $cfg;
 
        $text=Format::htmlchars($text); //take care of html special chars
        if($cfg && $cfg->clickableURLS() && $text)
            $text=Format::clickableurls($text);
 
        //Wrap long words...
        $text =preg_replace_callback('/\w{75,}/',create_function('$matches','return wordwrap($matches[0],70,"\n",true);'),$text);
 
        return nl2br($text);
    }
 
    function striptags($string) {
        return strip_tags(html_entity_decode($string)); //strip all tags ...no mercy!
    } 


then replace with this following code:

PHP Code:

    //Format text for display..
    function display($text) {
        global $cfg;
 
        //$text=Format::htmlchars($text); //take care of html special chars
        $text = str_replace('[code]', '<pre>', $text);
        $text = str_replace('[/code]', '</pre>', $text);
        if($cfg && $cfg->clickableURLS() && $text)
            $text=Format::clickableurls($text);
 
        //Wrap long words...
        $text =preg_replace_callback('/\w{75,}/',create_function('$matches','return wordwrap($matches[0],70,"\n",true);'),$text);
 
        return ($text);
    }
 
    function striptags($string) {
        //return strip_tags(html_entity_decode($string)); //strip all tags ...no mercy!
        return strip_tags($string); //strip all tags 
    }
 
    function convertCode($string) {
          $string = str_replace('<', '&lt;', $string);
          $string = str_replace('>', '&gt;', $string);
          return $string;
    } 


Open your \include\class.ticket.php file, and find this code:

PHP Code:

             ',message='.db_input(Format::striptags($msg)). //Tags/code stripped...meaning client can not send in code..etc 


then replace with this following code:

PHP Code:

             ',message='.db_input(Format::striptags(Format::convertCode($msg))). 


Sincerely,
Masino Sinaga

[Wilson Mattos]

Masino,

Thanks for the mod!!!

I will try what you suggested this weekend and will post back.

Wil

[RingoCarr]

Masino, is there any way to allow a custom tag such as <Firstname Surname:id#1394642873?1050530112> without the [ code] tags? I've been trying to do this sometime but can't find a way to do it.

Any help much appreciated


Edit: ^ I just want to be able to read it in the ticket a bit like how you can read it there with vBulletin ^

[xrat]

I was quite surprised when I realized that all HTML tags, email addresses in <> etc. were stripped, even from the data stored in the database.

What is the problem with "tags" in the message body? When a message is shown the htmlchars() in function display() in class.format.php takes care of tags, anyway!?

Besides, using PHP's strip_tags seems a bit crude, considering the warnings on its manual page.

@RingoCarr: You could give the following a try but of course without any warranty. And I mean it. You've been warned.

In include/class.ticket.php replace

PHP Code:

',message='.db_input(Format::striptags($msg)). //Tags/code stripped...meaning (...) 


with

PHP Code:

',message='.db_input($msg). // hacked by /me we need tags