1

Is there a way to use a formatted user signature in Request Tracker? I already set Templates to use text/html messages. I tried to add HTML tags to the signature, but < is translated as &lt...

1 Answer

2

It's not possible with the current code in RT 4.2. You can see it in lines 69-76 of https://github.com/bestpractical/rt/blob/stable/share/html/Elements/MessageBox

For security reasons, the authors escape dangerous characters as HTML entities.

You can modify this behaviour by copying this file to local/html/Elements/ and commenting out those lines, but THIS IS A BIG SECURITY RISK. You are allowing your users to include code in your RT web site. Basically, you are creating a persistent XSS vulnerability [1] exploitable by any of your users (if the output is not escaped later).

[1] https://en.wikipedia.org/wiki/Cross-site_scripting#Persistent

morallo
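A middle ground between blanket escaping and removing the escaping altogether, shown as an added example (not RT's code and not part of the answer above): escape the whole signature first, then restore only a fixed set of bare formatting tags. The function names, the tag list and the sample signature are assumptions made for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Tags restored after escaping (hypothetical allowlist). Only bare,
# attribute-less forms are matched, so event handlers (onclick=...)
# and URL attributes (href=...) never survive.
my @ALLOWED_TAGS = qw(b i u em strong br p);

# Escape every character that has meaning in HTML text or attribute context.
sub escape_html {
    my ($text) = @_;
    my %entity = (
        '&' => '&amp;', '<' => '&lt;', '>' => '&gt;',
        '"' => '&quot;', "'" => '&#39;',
    );
    $text =~ s/([&<>"'])/$entity{$1}/g;
    return $text;
}

# Escape the whole signature, then turn back only exact allowlisted tags.
# Because '&' is escaped first, a user typing a literal "&lt;b&gt;" cannot
# smuggle a tag through the restore step.
sub render_signature {
    my ($signature) = @_;
    my $html = escape_html($signature);
    my $tags = join '|', map { quotemeta($_) } @ALLOWED_TAGS;
    $html =~ s{&lt;(/?)($tags)\s*(/?)&gt;}{<$1\L$2\E$3>}gi;
    return $html;
}

# Constructed sample signature: plain formatting, a script element,
# and an allowlisted tag carrying an event-handler attribute.
my $sample = q{<b>Jane Doe</b><br/>Support <script>alert(1)</script> }
           . q{<i onmouseover="x()">team</i>};

print render_signature($sample), "\n";
# The <b>, </b> and <br/> tags come back as markup; the script element and
# the <i ...> tag with an attribute stay escaped as visible text.
```

Unclosed allowlisted tags (a lone `<b>`) can still change the formatting of whatever follows the signature on the page, so a real deployment would also need to balance or strip unmatched tags.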