
Hi Juan,

Customer articles are displayed differently in OTRS; inline content is not shown by default.

Regards, mg

On 31.05.12 16:50, Juan Manuel Clavero Almirón wrote:
Hi all,
I just discovered an agent adding a note to a ticket. The only text in the note was: "<script>alert("Hi");</script>". When you open the ticket, the JavaScript code executes and you get the "Hi" alert.
I'm not much of a webadmin; I'm more a developer, and I'm not that much into web-server security.
I'd like to know if you think this could be a security risk. Bear in mind that we are creating tickets from emails, and that these tickets will be HTML if the email's MIME type was text/html.
Kind regards,
Juan Clavero
---------------------------------------------------------------------
OTRS mailing list: otrs - Webpage: http://otrs.org/
Archive: http://lists.otrs.org/pipermail/otrs
To unsubscribe: http://lists.otrs.org/cgi-bin/listinfo/otrs
--
Martin Gruner
Senior Developer R&D
OTRS AG, Europaring 4, 94315 Straubing
T: +49 (0)6172 681988 0  F: +49 (0)9421 56818 18  I: www.otrs.com/
Registered office: Bad Homburg, District Court: Bad Homburg, HRB 10751, VAT ID: DE256610065
Chairman of the Supervisory Board: Burchard Steinbild; Executive Board: André Mindermann (Chairman), Christopher Kuhn
Let's connect! OTRS 3.1 makes integration with third-party applications easier -- early-bird discount: http://www.otrs.com/index.php?id=2361&L=1