Thanks mg

So it just leaves us with the code our agents may leave in an article. Can this be a security threat?

Kind regards,

Juan Clavero

From: Martin Gruner [mailto:martin.gruner@otrs.com]
Sent: Monday, 04 June 2012 10:04
To: User questions and discussions about OTRS.
Subject: Re: [otrs] javascript in articles: a security threat?

Hi Juan,

Customer articles are displayed differently in OTRS; inline content is not shown by default.

Regards, mg

On 31.05.12 16:50, Juan Manuel Clavero Almirón wrote:

Hi all,

I just discovered an agent adding a note to a ticket. The only text in the note was: `<script>alert("Hi");</script>`. When you open the ticket, the JavaScript code executes and you get the "Hi" alert.

I'm not much of a web admin; I'm more of a developer, and I'm not that much into web-server security.

I'd like to know if you think this could be a security risk. Bear in mind that we are creating tickets from emails, and that these tickets will be HTML if the email's MIME type was text/html.

Kind regards,

Juan Clavero

---------------------------------------------------------------------
OTRS mailing list: otrs - Webpage: http://otrs.org/
Archive: http://lists.otrs.org/pipermail/otrs
To unsubscribe: http://lists.otrs.org/cgi-bin/listinfo/otrs

-- 
Martin Gruner
Senior Developer R&D

OTRS AG
Europaring 4
94315 Straubing

T: +49 (0)6172 681988 0
F: +49 (0)9421 56818 18
I:  www.otrs.com/

Registered office: Bad Homburg, Commercial register: Bad Homburg, HRB 10751, VAT no.: DE256610065
Chairman of the Supervisory Board: Burchard Steinbild, Executive Board: André Mindermann (Chairman), Christopher Kuhn

Let's connect! OTRS 3.1 makes integration with third-party applications easier. Early-bird discount: http://www.otrs.com/index.php?id=2361&L=1