
Thanks mg

So it just leaves us with the code our agents may leave in an article. Can this be a security threat?

Kind regards,
Juan Clavero

From: Martin Gruner [mailto:martin.gruner@otrs.com]
Sent: Monday, 04 June 2012 10:04
To: User questions and discussions about OTRS.
Subject: Re: [otrs] javascript in articles: a security threat?

Hi Juan,

customer articles are displayed differently in OTRS, inline content is not shown by default.

Regards, mg

On 31.05.12 16:50, Juan Manuel Clavero Almirón wrote:

Hi all,

I just discovered an agent adding a note to a ticket. The only text in the note was: “<script>alert(“Hi”);</script>”. When you open the ticket, the javascript code executes and you get the “Hi” alert.

I’m not much of a webadmin, I’m more a developer, I’m not that much into web-server security. I’d like to know if you think this could be a security risk. Keep in mind that we are creating tickets from emails, and that these tickets will be html if the email’s mime type was text/html.

Kind regards,
Juan Clavero

--
Martin Gruner
Senior Developer R&D
OTRS AG
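
The risk raised in this thread, shown as an added example that is not part of the original messages and is not OTRS code: a text/html mail body is turned into an article and then either placed into the agent's page as markup or escaped and shown as text. The sample mail, addresses and function names are constructed for illustration.

```python
import html
from email import message_from_string

# Constructed sample: an HTML mail like the ones turned into tickets.
SAMPLE_MAIL = """\
From: customer@example.com
To: support@example.com
Subject: printer problem
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<p>My printer is broken</p><script>alert("Hi");</script>
"""


def article_body(msg):
    """Return (content_type, decoded body) of the first text part of a mail."""
    for part in msg.walk():
        if part.get_content_maintype() == "text":
            payload = part.get_payload(decode=True) or b""
            charset = part.get_content_charset() or "utf-8"
            return part.get_content_type(), payload.decode(charset, errors="replace")
    return "text/plain", ""


def render_unsafe(body):
    # Body inserted as markup: any <script> in it runs in the
    # session of the agent who opens the ticket.
    return '<div class="article">' + body + "</div>"


def render_escaped(body):
    # Body treated as text: <, >, & and quotes become entities,
    # so the browser displays the tag instead of executing it.
    return '<div class="article"><pre>' + html.escape(body) + "</pre></div>"


if __name__ == "__main__":
    ctype, body = article_body(message_from_string(SAMPLE_MAIL))
    print("content type:", ctype)
    print("unsafe :", render_unsafe(body))
    print("escaped:", render_escaped(body))
```

Escaping loses the mail's formatting; showing the HTML itself safely needs an allow-list sanitizer or an isolated frame instead.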